SSH port forwarding

Let’s say you want to connect to the port 8080 on a machine that runs within the firewall of your company. If there’s VPN available, you could use it, however it would affect all your other connections. Probably the easier and most effective way is to use SSH forwarding and connect to the login server of your company or any other machine that you have shell access and can access the remote site on port 8080. You could then use use a local port of your machine to access the remote site:

ssh -L 8080:remotesite.com:8080 username@remoteloginserver.com

Having done that, you can access the remotesite:8080 by typing in your browser ‘localhost:8080’. The remote site thinks (and actually correctly) that all the connections originate from the ‘remoteloginserver.com’ to which your local request to port 8080 are forwarded to.

You may also want to do the opposite. You may want to associate a remote port of a machine to one of your local machine. The most common use of this is if you want to access your machine at home (which is behind a router or firewall) from the login server at work or university. You can associate the port, let’s say 2222 of the remote server with the port 22 of your machine, so when trying to connect to port 2222 of ‘localhost’ (on the remote site), you will be redirected at your home machine:

ssh -R 2222:localhost:22 username@remoteloginserver.com

While you are connected on ‘remoteloginserver.com’, if you try ‘ssh username@localhost -p 2222’ it will get you to your home machine.
To be sure that the chosen port is listening on the remote site, you can grep the netstat output:

# netstat -tunel | grep 2222
tcp        0      0 127.0.0.1:2222          0.0.0.0:*               LISTEN      35393      4543448    
tcp        0      0 ::1:2222                :::*                    LISTEN      35393      4543449    

Something like this can raise security concerns on who will try to get access to your home machine (or any other). Eventually, anybody who has access to the remote machine and can run an SSH client, can start trying brute-force techniques and your machine being the target. However, is supposed that you use remote port forwarding for a short period of time. It can be very handy to get a specific task done. If you need that for longer term, then you must trust a lot the users that have access to the remote machine and you should implement some kind of access control list on your home machine in order to allow only specific users to connect.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s