Thursday, September 08, 2005

Port forwarding with ssh

I find forwarding ports (and, actually, also reverse forwarding ports) over ssh very useful. I'll probably find it less useful now since I've found OpenVPN so easy to setup and use, but it's still a very useful technique, particularly where I don't have root access.

I always use -v when doing this because -v will tell me if the link is slow or the link is down (while i'm still connecting, less wasted time). It also shows a message everytime a request is forwarded down the ssh tunnel, useful for debugging to make sure I'm doing the right thing.

With the setups below, surfing to http://localhost:8080 will forward requests to the internal or external server specified. Note: by default, port forwarding binds only to 127.0.0.1, so from the box itself you can connect to the forwarded service, but you can't from another box. Use GatewayPorts for exposing the service (warning, think about that, it might open security holes).

1. I'm on my laptop and I want to surf the website on remote.com.ph as if I were physically there. So what I want to do is forward my port 8080 to remote.com.ph:80 (it's an internal website and is inside a firewall, so I can't surf to that site directly from the open internet).

ssh -v -L 8080:localhost:80 remote.com.ph

what that does is, connections on my local port 8080 will be forwarded to remote.com.ph. From there, it will be forwarded to remote.com.ph's localhost:80.

2. Same as #1, I can ssh to remote.com.ph but the web server isn't on remote.com.ph, it's on another internal box inside the firewall, 192.168.80.80:80.

ssh -v -L 8080:192.168.80.80:80 remote.com.ph

What that does is, connections on my local port 8080 will be forwarded to remote.com.ph over the ssh tunnel. Remote.com.ph will then forward them onward to 192.168.80.80:80

3. Same as #2, but I'm trying to surf to some external web site that doesn't let me in if I surf from the Philippines, or if I surf there from the Philippines something bad will happen. For instance, PayPal will block paypal accounts if they're used from IPs that it identifies as being in the Philippines. This has to do with very high fraud rates. But maybe I'm not a fraudster, I just want to use my paypal account, but I can't because I'm physically in the Philippines. If I have ssh access to a host in the USA which paypal won't be suspicious about, I can do port forwarding through that server, e.g.,

ssh -v -L 8080:www.paypal.com:80 my_us_server.com

There is also reverse port forwarding. I do that when the server I need to connect to (usually not for http, but for some internal server) is inside a firewall and I can't get to it directly and the firewall won't port forward to the internal server. In that case, what I do is ssh to the gateway, and from there ssh to the internal server. Then I do reverse port forwarding. What that does is, it will ssh back to *me*, and open a localport on *me* which will be forwarded down that second ssh link back to it. This, of course, only works if the internal server has a route out to the internet, if it doesn't, then some other solution will have to be found.

# first ssh to the gateway
ssh gateway.remote.com.ph

# at the gateway, ssh to the internal box
ssh my-internal

# at my-internal, open the reverse tunnel back to me, i am, client.com.ph

ssh -v -R 8022:localhost:22 client.com.ph

What that does is get my-internal to ssh to client.com.ph (my box, outside the firewall). Once it gets there, it will set up port forwarding so that port 8022 at client.com.ph so that when I (at client.com.ph) connect to port 8022, the request will be forwarded to port 22 at the my-internal computer. I use that much less often than -L, but when -L doesn't work, -R is often a lifesaver.

No comments: