ACA Blog


SSH Summer School: port forwarding

Jan Beerden


This blog post is the second of a 3-part series about SSH (Secure Shell) connections with OpenSSH. You can check out the first post here. The aim of this blog post series is to teach you more about SSH, so I call it SSH Summer School (even though, yes, it’s autumn now 🙂 ). In these blog posts, I assume you are using a UNIX-like operating system with OpenSSH. In this second part of the series, I’ll talk about port forwarding.

There are three types of SSH port forwarding: local, remote and dynamic. The first one makes a port on a remote server available on your local machine, the second does exactly the opposite and the third allows you to send ‘all’ your traffic through the SSH connection’s remote server. Let’s start by looking at local port forwarding.

LocalForward

Have you ever wondered whether it’s your application misbehaving or whether it’s the reverse proxy in front of it? Or perhaps you would like to connect to the database from your local machine?

With SSH LocalForward, you can forward connections from your local machine to the remote server. There are 3 methods to do this, but all 3 of them require the same parameters:

  • local_bind_address: The address on your local machine to bind to. When omitted, SSH will bind to localhost by default.
  • local_port: The local TCP port SSH should bind to. If you would like to use a privileged port, keep in mind that you will need super user permissions on the local machine.
  • remote_host: The remote address to connect to. This can be localhost, to directly connect to the application, but this can also be a different system such as a remote database that can only be accessed from the application server.
  • remote_port: The TCP port to connect to on the remote server.

LocalForward methods

  1. Command line option

    Here’s an example using the command line option:

    In this example we connect to my-remote-server and forward the local machine’s port 13306 to a database server’s port 3306 which we can (only) reach from my-remote-server.

  2. Config file option

    If you would like to add this to your team’s SSH config as described in part 1 of this series, keep in mind that your colleagues might already be using the local port for something else. You should therefore add it to the private config directory.

  3. The SSH command line. We will get into the details of the SSH command line later on in this post.

RemoteForward

It is also possible to do the opposite of LocalForward: with RemoteForward, you can forward a TCP port on the remote server to the TCP port of an application running on your local machine.

There are 3 methods to do this as well, but just like LocalForward, all 3 of them require the same parameters:

  • remote_bind_address: The address on the remote server to bind to. When omitted, SSH will bind to localhost by default.
  • remote_port: The remote TCP port SSH should bind to. If you would like to use a privileged port, keep in mind that you will need super user permissions on the remote server.
  • local_host: The local address to connect to. This can be localhost, to directly connect to a local application, but this can also be a different system such as a database that can only be accessed from your local machine.
  • local_port: The TCP port to connect to on your local machine.

RemoteForward methods

  1. Command line option

  2. Config file option

    Same warning as before: if you would like to add this to your team’s SSH config as described in part 1 of this series, keep in mind that your colleagues might already be using the local port for something else! Add it to the private config directory.

  3. The SSH command line. Like I said before, we’ll get into the details of the SSH command line later on in this post.

DynamicForward

DynamicForward, like LocalForward, allows you to reach a remote server, but instead of directly connecting to a single remote port, it is tunnelling all your TCP traffic through the remote server. By using DynamicForward, the remote server will act as a SOCKS proxy. This allows the client to use it as its gateway to all (TCP) resources available to the remote server, similar to a VPN connection.

There are 3 methods to set this up, and all 3 of them require the same parameters:

  • bind_address: The address on your local machine to bind to. When omitted, SSH will bind to all available interfaces by default.
  • port: The port to expose the SOCKS proxy on.

DynamicForward methods

  1. Command line option

  2. Config file option

    Same warning as before: if you would like to add this to your team’s SSH config as described in part 1 of this series, keep in mind that your colleagues might already be using the local port for something else! Add it to the private config directory.

  3. The SSH command line. We’ll get into the details of the SSH command line below.

Unlike LocalForward and RemoteForward, you aren’t done just yet. You still need to configure your local machine to use this SOCKS proxy. I won’t go into the details of configuring your local machine, but you can configure it to use this proxy for all of its connections. Alternatively, you can configure a web browser with SOCKS proxy support, such as Mozilla Firefox, to use it.

Both methods have their advantages, but personally I only use it in combination with Firefox. This way I can have a ‘local’ browser and Firefox as a ‘remote’ browser.
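As an added example (not code from the original post), the script below reads the config-file form of LocalForward, RemoteForward and DynamicForward, prints the equivalent -L, -R or -D command-line option for each, and labels where the listener binds. The sample config is constructed: only my-remote-server and the 13306 to 3306 mapping come from the post, while audit_forwards, count_status and every other host name, address and port are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed sample ssh_config:
# my-remote-server and 13306 -> 3306 follow the post; every other host name,
# address and port is made up for illustration.
SAMPLE_CONFIG='Host my-remote-server
    LocalForward 13306 db.internal.example:3306
    RemoteForward 127.0.0.1:18080 localhost:8080
Host jump.example
    DynamicForward 0.0.0.0:1080
    LocalForward *:15432 localhost:5432
    DynamicForward [::1]:1081'

# audit_forwards (hypothetical helper): reads ssh_config text on stdin and
# prints "<status> <Host pattern> <equivalent command-line option>" per forward.
#   pinned   = bind_address given and loopback
#   implicit = bind_address omitted, so ssh's defaults decide where it listens
#   open     = bind_address given and not loopback (for RemoteForward the
#              server's GatewayPorts setting decides whether that is honoured)
# Assumes the plain whitespace-separated "Keyword argument" config syntax.
audit_forwards() {
  awk '
    tolower($1) == "host" { host = $2; next }
    {
      kw = tolower($1)
      if      (kw == "localforward")   flag = "-L"
      else if (kw == "remoteforward")  flag = "-R"
      else if (kw == "dynamicforward") flag = "-D"
      else next

      listen = $2                        # [bind_address:]port
      if (match(listen, /:[0-9]+$/)) {   # colon directly before the port
        bind = substr(listen, 1, RSTART - 1)
        status = (bind == "localhost" || bind == "127.0.0.1" || bind == "[::1]") ? "pinned" : "open"
      } else {
        status = "implicit"
      }
      # DynamicForward has no target; -L and -R append host:hostport
      spec = ($3 == "") ? listen : listen ":" $3
      print status, host, flag, spec
    }'
}

# count_status STATUS: number of forwards in SAMPLE_CONFIG with that status
count_status() {
  printf '%s\n' "$SAMPLE_CONFIG" | audit_forwards | grep -c "^$1 "
}

printf '%s\n' "$SAMPLE_CONFIG" | audit_forwards
```

To check a real file, feed it on stdin, for example `audit_forwards < ~/.ssh/config`; giving every forward an explicit loopback bind_address turns the implicit entries into pinned ones.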

Port forwarding through the SSH command line

In case you forgot to set up port forwarding and don’t want to start another SSH session or restart your current SSH session, you can also enable port forwarding using the SSH command line.

The SSH command line can be opened by issuing the ~C escape sequence.

I have added the ~C in the example just for demonstration purposes. Typically when issuing the escape sequence, its characters aren’t displayed.

You can also use the SSH command line to cancel forwarding a port:

I used LocalForward in the examples above, but this also works with RemoteForward and DynamicForward.

Tip: remembering the ~C escape sequence should be enough. Once you are on the SSH command line, you can use the ? command to get a list of available commands.

Some other handy escape sequences

The ~C escape sequence is, of course, not the only handy escape sequence there is. Here are a couple of others you might find useful.

  • Ever had an SSH session lock up?
    You can terminate it with the ~. escape sequence.
  • Having trouble with your SSH session and forgot to set up verbose logging? Or maybe you did, but made it too verbose?
    With the ~v and ~V escape sequences, you can increase or decrease verbosity.

A full list of escape sequences can be retrieved by issuing the ~? escape sequence.

That’s it for SSH port forwarding! If you have any questions or remarks, leave them below as a comment and I’ll answer them asap or address them in a future blog post. See you soon for part 3!

System Engineer at ACA IT-Solutions
