Basic SSH Tunneling and port forwarding

Just the other day I was looking for a good HowTo guide for SSH tunnelling in Linux but I could not find exactly what I was looking for.  So once I found all the information I needed I thought I should write it up so someone - perhaps me - might find it useful in future.

The basics - What exactly is SSH tunnelling

SSH tunnelling allows you to encrypt data between two servers.  The data is transported via SSH.  This means the remote server treats the data coming out of the tunnel as its own data.  Common uses for SSH tunnelling include encrypting data to and from email servers and bypassing firewall restrictions on company networks to allow remote access to servers using VNC.

In my case I had a network that was only accessible from one of my company servers and I wanted to access it from my desk without first logging into the other server.  I know there are other, possibly better, ways to do this but I wanted to try this method.


How To Use It

Here is an example command to set up an SSH tunnel:

ssh -f user@some-server.com -L 3865:some-server.com:22 -N

To break the command down:
  • -f tells SSH to go into the background.
  • -N tells SSH not to execute any commands.  If you do not include this it will drop you into a shell as normal.
  • The login is the normal login you would use to log into the server.
  • -L 3865:some-server.com:22 sets up the tunnel.  Importantly, it tells SSH to listen on port 3865 and forward the data to port 22 on the host given - in this case some-server.com.

In practical terms the port is opened on the server you run this command on.  You can connect to 3865 from any other server on your network and the data will be transported securely between the local server and the remote server.  However, importantly, the connection to the server you used to set up the SSH tunnel will not be encrypted unless you take steps to ensure it is or the protocol used is already encrypted.

With this example if the server you set up the tunnel on was called myserver.com you could connect to some-server.com using the following command:

ssh user@myserver.com -p 3865

Note: Although you are pointing SSH at myserver.com, the SSH tunnel forwards the connection to some-server.com, so the user name and password should match that server and not myserver.com.  This confuses SSH a bit because it believes the identity of the server has changed.
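The two commands above, wrapped in small shell functions as an added example (this is not code from the original post). It validates the port numbers before ssh is invoked, binds the forwarded port explicitly to 127.0.0.1, and uses OpenSSH's HostKeyAlias option so the client checks the host key under some-server.com's name instead of myserver.com's, which is what causes the "identity has changed" confusion noted above. The user name and host names are the post's own sample values, not real systems.

```shell
#!/bin/sh
# Added example, not from the original post. Hosts, ports and the user name
# are the post's sample values; tunnel_listener assumes a Linux host with ss(8).

# Return 0 only if $1 is an integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the ssh command that opens the tunnel.
# Usage: tunnel_cmd USER JUMP_HOST LOCAL_PORT TARGET_HOST TARGET_PORT [BIND_ADDR]
# BIND_ADDR defaults to 127.0.0.1 so the listening port is explicitly loopback-only.
tunnel_cmd() {
    user=$1 jump=$2 lport=$3 target=$4 tport=$5 bind=${6:-127.0.0.1}
    valid_port "$lport" || { echo "bad local port: $lport" >&2; return 1; }
    valid_port "$tport" || { echo "bad target port: $tport" >&2; return 1; }
    printf 'ssh -f -N -L %s:%s:%s:%s %s@%s\n' \
        "$bind" "$lport" "$target" "$tport" "$user" "$jump"
}

# Print the client command for reaching the target through the tunnel.
# Usage: client_cmd USER JUMP_HOST LOCAL_PORT TARGET_HOST
# HostKeyAlias tells ssh to look up and record the host key under TARGET_HOST,
# so the key presented by the forwarded server is not mistaken for JUMP_HOST's.
client_cmd() {
    user=$1 jump=$2 lport=$3 target=$4
    valid_port "$lport" || { echo "bad local port: $lport" >&2; return 1; }
    printf 'ssh -o HostKeyAlias=%s -p %s %s@%s\n' "$target" "$lport" "$user" "$jump"
}

# Show what is listening on the forwarded port, so you can confirm it is bound
# to 127.0.0.1 and not to every interface. Usage: tunnel_listener LOCAL_PORT
tunnel_listener() {
    ss -ltn 2>/dev/null | grep ":$1 " || echo "nothing listening on port $1"
}

# Usage: print the two commands for the post's example, then (if run) check the port.
#   eval "$(tunnel_cmd user some-server.com 3865 some-server.com 22)"
#   tunnel_listener 3865
#   eval "$(client_cmd user myserver.com 3865 some-server.com)"
```

One caveat a practitioner should keep in mind: OpenSSH binds a -L forward to the loopback address by default, and only an explicit bind address (or the GatewayPorts client option) makes the port reachable from other machines on the network. The example keeps it on 127.0.0.1 deliberately, and tunnel_listener shows which address the port actually ended up on, which is worth checking because anything that can reach the port can use the tunnel without authenticating to the jump host.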
