SSH Tunnel [25 Sep 2009]
A personal and simplified way to describe SSH tunneling.
I will describe two situations: SSH tunneling and reverse SSH tunneling.
SSH tunneling (-L option)
Consider two machines, A and B. You are working on machine A, and an sshd server is listening on port 22 of B.
SSH tunneling allows you to use the SSH link (between B:22 and an automatically chosen port on A) to carry a TCP connection, encrypted, inside that channel.
Synopsis (you are typing at the machine A console):
$ ssh -L 8080:localhost:80 pippo@myhost.mydomain.net
where
- 8080 is the number of the LOCAL host port (so the first port is the LOCAL one)
- 80 is the number of the remote host port
- localhost is resolved on the remote host (so, in our example, it is the loopback interface IP (127.0.0.1) of host B, the machine that answers to myhost.mydomain.net)
- pippo@… is your ssh login at myhost.mydomain.net
Of course you can also write myhost.mydomain.net instead of localhost.
Result: if you connect to A:8080 you reach the B:80 service (B being the myhost.mydomain.net machine).
SSH reverse tunneling (-R option)
Consider two machines, A and B. You are working on machine A, and an sshd server is listening on port 22 of B.
SSH reverse tunneling allows you to use the SSH link (between B:22 and an automatically chosen port on A) to carry a TCP connection, encrypted, inside that channel, and to use it later from machine B.
Synopsis (you are typing at the machine A console):
$ ssh -R 8389:localhost:389 pippo@myhost.mydomain.net
- 8389 is the number of the REMOTE host port (so the first port is the REMOTE one)
- 389 is the number of the local host port
- localhost is resolved on the local machine (so, in our example, it is the loopback interface IP (127.0.0.1) of host A, where you are typing)
- pippo@… is your ssh login at myhost.mydomain.net
Result: if you connect to B:8389 you reach the A:389 service.
Access to the service from a C host
SSH binds the tunnel's listening port to the loopback interface only by default.
If you need to reach the tunnelled service from another host, that is, you are connected to your A host (in the -L case) or B host (in the -R case) through a network interface such as eth0 (you are not physically in front of A or B), you have to enable the option, as the ssh man page says,
GatewayPorts yes
in your /etc/ssh/sshd_config file (on the A machine in -L case and on the B machine in -R case). Remember to restart sshd after editing the file!
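To make the listen-and-relay mechanics of the -L and -R cases and the loopback-versus-all-interfaces point of GatewayPorts concrete, here is an added example that is not part of the original post and is not ssh: a small plain-TCP forwarder in Python that does, in clear text, what the ssh client does on A for -L and what sshd does on B for -R (listen on a port, hand every accepted connection to the target). It provides no encryption; the SSH channel is what adds that. The echo service, the function names and the payload are constructed for the demonstration. One practical caveat worth keeping in mind: with -L the listening socket belongs to the ssh client on A, so its bind address is controlled on the client side (the -g flag, the client's GatewayPorts option, or an explicit bind_address such as -L 0.0.0.0:8080:localhost:80), while with -R the socket is opened by sshd on B and is governed by GatewayPorts in B's sshd_config.

```python
# Added example: a clear-text TCP forwarder illustrating ssh's -L/-R listen
# and relay behaviour and the loopback-only default (GatewayPorts no).
import socket
import threading

LOOPBACK = "127.0.0.1"      # ssh's default bind address: only the local machine can connect
ALL_INTERFACES = "0.0.0.0"  # the effect of GatewayPorts yes: reachable from eth0 as well


def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then close dst's write half so EOF propagates."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _relay(client, target):
    """Open the second leg to target=(host, port) and pump both directions."""
    upstream = socket.create_connection(target)
    t = threading.Thread(target=_pump, args=(client, upstream), daemon=True)
    t.start()
    _pump(upstream, client)
    t.join()
    client.close()
    upstream.close()


def start_forwarder(bind_port, target, gateway_ports=False):
    """Listen on bind_port (0 = OS picks one) and relay to target.
    Returns (server_socket, (bound_addr, bound_port))."""
    bind_host = ALL_INTERFACES if gateway_ports else LOOPBACK
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_host, bind_port))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listening socket closed: stop
                return
            threading.Thread(target=_relay, args=(conn, target), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()


def start_echo_service():
    """Constructed stand-in for the real service (B:80 or A:389): reads until EOF
    and answers with the same bytes upper-cased. Loopback only, ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((LOOPBACK, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                data = b""
                while True:
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    data += chunk
                conn.sendall(data.upper())

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def probe(host, port, payload):
    """Connect like a client would (a browser to A:8080), send, read the reply."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            d = s.recv(4096)
            if not d:
                break
            chunks.append(d)
    return b"".join(chunks)


def run_demo(gateway_ports=False):
    """Stand up service + forwarder, go through the forwarder, report the result."""
    service = start_echo_service()
    srv, (bound_addr, bound_port) = start_forwarder(0, service, gateway_ports)
    reply = probe(LOOPBACK, bound_port, b"hello through the tunnel")
    srv.close()
    return {"bound_addr": bound_addr, "reply": reply}


if __name__ == "__main__":
    print(run_demo())                    # bound to 127.0.0.1, reply b'HELLO THROUGH THE TUNNEL'
    print(run_demo(gateway_ports=True))  # bound to 0.0.0.0: other hosts could now connect too
```

The run_demo(gateway_ports=True) call is the point of the GatewayPorts section: the relay itself is unchanged, only the bind address widens from 127.0.0.1 to 0.0.0.0, which is why enabling it exposes the tunnelled service to every host that can reach that interface. On a real machine you can confirm which address an ssh-created tunnel is bound to with ss -lnt (or netstat -lnt) and look at the Local Address column.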
A simple example
- Your machine is behind a firewall which drops all your attempts to connect to the chat server.
- You have a machine on the internet with an ssh server listening on port 22.
- The firewall lets you make ssh connections to the internet.
You just need to type on your host:
$ ssh -L local_port:chatserver_ip:chatserver_port login@your_host_in_the_internet
! If local_port is the same as chatserver_port, your chat client does not have to be reconfigured and can be used immediately as always.
