SSH Port Forwarding


It is actually really simple and well documented.

You have a host you want to connect to, but it sits behind a Linux box (any machine with an SSH server running on it will do).
What you need to run, on your local client machine, is something like this:
ssh -L 3387:192.168.0.10:3389 -l user -N ssh_box

3387 – the local port to listen on
192.168.0.10 – the remote server running the service you need to reach
3389 – the TCP port that service listens on
user – your ssh username, of course
ssh_box – the ssh server the service sits behind

If you forward a non-privileged local port (above 1024) you do not have to be root on the machine you run the ssh command on.
Using a local port above 1024 and not running ssh as root is recommended anyway.

This example opens a tunnel to the remote desktop service (RDP, port 3389) on 192.168.0.10, which is behind ssh_box.
To use that forward simply run rdesktop 127.0.0.1:3387 and that is it.
By the way – the local and remote port can be the same, but the way I did it is simpler to explain 🙂

SSH port forwarding through multiple machines

A bit more complicated is the situation where the connection has to pass through two ssh boxes.

To explain this situation better I'll take an example.

A connection needs to be made to a Webmin server running on 192.168.0.10, port 10000.
This server is behind a firewall and can be reached through a machine with the IP address 1.1.1.1. But the ssh server on that machine is not open to the world, only to a machine with the IP address 2.2.2.2. Unfortunately you are sitting behind yet another machine, with IP 3.3.3.3.

First, on 2.2.2.2: everything arriving at 127.0.0.1:10000 will go to 192.168.0.10:10000 through a tunnel to 1.1.1.1.

ssh -L 10000:192.168.0.10:10000 -l user -N 1.1.1.1

Now 2.2.2.2 can reach 192.168.0.10:10000 on its own loopback address, 127.0.0.1. It is important to remember that, set up this way, the forwarded port can only be accessed from 127.0.0.1 on 2.2.2.2 itself, not from other hosts.
To reach that tunnel from 3.3.3.3 we need another forward like this, this time run on 3.3.3.3:

ssh -L 10000:127.0.0.1:10000 -l user -N 2.2.2.2

Here we forward local port 10000 to 127.0.0.1:10000 on host 2.2.2.2, which in turn is forwarded to 192.168.0.10:10000 through host 1.1.1.1.

All that is left is to open a connection to:

http://127.0.0.1:10000

This chain can be extended if more hops are needed. Simple as that.
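Both examples above, as one added shell helper that is not from the original post: it builds the forward command for any number of hops with OpenSSH's ProxyJump option (-J, OpenSSH 7.3 and later), so the multi-hop case can be started entirely from 3.3.3.3 without a separate ssh session on each intermediate box, and it checks from ss -ltn output that the listener is bound to loopback only, the property noted above. User names and addresses are the post's placeholders; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post. build_tunnel_cmd prints the ssh command
# for a local port forward through any number of jump hosts in one invocation, using
# OpenSSH's ProxyJump (-J) instead of a nested tunnel started on each intermediate box.

# build_tunnel_cmd LOCAL_PORT TARGET_HOST TARGET_PORT FINAL_HOST [JUMP_HOST ...]
# The listener is pinned to 127.0.0.1 explicitly (also ssh's default when no bind
# address is given) so nothing else on the client's network can ride the tunnel.
build_tunnel_cmd() {
    _lport=$1; _thost=$2; _tport=$3; _final=$4
    shift 4
    # Refuse privileged local ports: they need root, which the post advises against.
    case $_lport in
        ''|*[!0-9]*) echo "build_tunnel_cmd: local port must be numeric" >&2; return 1 ;;
    esac
    if [ "$_lport" -le 1024 ] || [ "$_lport" -gt 65535 ]; then
        echo "build_tunnel_cmd: use a non-privileged local port (1025-65535)" >&2
        return 1
    fi
    _jumps=""
    for _hop in "$@"; do              # first hop first, the order -J expects
        _jumps="${_jumps:+$_jumps,}$_hop"
    done
    _cmd="ssh -N -L 127.0.0.1:${_lport}:${_thost}:${_tport}"
    if [ -n "$_jumps" ]; then
        _cmd="$_cmd -J $_jumps"
    fi
    printf '%s\n' "$_cmd $_final"
}

# check_loopback_only PORT   (reads `ss -ltn` output on stdin)
# Returns 0 if every listener on PORT is bound to 127.0.0.1 or [::1], and 1 if
# any is bound to a wildcard or LAN address, i.e. the tunnel is reachable by others.
check_loopback_only() {
    _port=$1; _status=0
    while read -r _state _rq _sq _laddr _rest; do
        case $_laddr in
            *:"$_port")
                case $_laddr in
                    127.0.0.1:*|"[::1]:"*) ;;
                    *) _status=1 ;;
                esac ;;
        esac
    done
    return $_status
}

# Multi-hop case from the post, run entirely from 3.3.3.3 (user@1.1.1.1 is the final
# ssh box, user@2.2.2.2 the jump host), then verify the bind address:
#   sh -c "$(build_tunnel_cmd 10000 192.168.0.10 10000 user@1.1.1.1 user@2.2.2.2)" &
#   ss -ltn | check_loopback_only 10000 && echo "tunnel listens on loopback only"
```

The single-hop RDP example is build_tunnel_cmd 3387 192.168.0.10 3389 user@ssh_box with no jump host.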
