Debian/Ubuntu Tips & Tricks

Debuntu.org: .deb packages, Unix/Linux Tutorials and Articles.

SSH and Port Forwarding or How to get through a firewall

In this article I'm going to show you how you can use SSH Port Forwarding to access a service a firewall might be blocking.

As an example, I'm going to take a campus network that blocks access to IRC servers, which usually run on port 6667, but leaves SSH port 22 unblocked.

The idea here is: since we can connect to a remote host on port 22, why not tell that machine to forward all the incoming traffic to the remote host we want to connect to in the first place?

So here is the configuration. We are using a computer on a campus which blocks external access to port 6667, but leaves port 22 open.

We have a known host (let's say your home computer) with SSH port 22 open.

Here is a graph representing the configuration:

[Image: ssh port forwarding]

As you can see, we are going to use a longer path to connect to the IRC server, going through our home computer. With port forwarding, we will create a tunnel between port 1234 on our local machine and port 6667 on the IRC server. This way, we will be able to connect to the IRC network by simply connecting to our local machine on port 1234.

Let's get into the command line now. Firstly, we need to create the tunnel. To do so, connect to your home computer by SSH and forward your port 1234 on localhost to the IRC server (here irc.freenode.net) on port 6667.

tester@laptop:~$ ssh myhomeuser@myhomenetwork.net -L 1234:irc.freenode.net:6667

Now our tunnel is created (the purple connection on the graph) and port 1234 is open on localhost. By default, ssh binds a forwarded port to the loopback interface only, so other machines on the network cannot connect to it. The only thing left is to connect to IRC using your favorite IRC client and point it at the server located at localhost:1234.

In this example I'm going to connect using irssi, a text-mode IRC client.

tester@laptop:~$ irssi -c localhost -p 1234

and here is what we get...

[Screenshot: irssi connecting to irc.freenode.net through a tunnel on localhost port 1234]

hey, hey, we are connected to freenode.net ;).

Basically, you could use this trick to access any type of service. The only thing it requires is being able to connect to a remote machine outside of the firewalled network.


creating tunnels when there are socks servers?

I have a desktop Windows machine running vmware and ubuntu.
I want to automate an ssh tunnel from my desktop to hosta then to hostb.
hosta has a socks 4 proxy which is accessed from port 1080, so I use a product called tsocks to access it.
e.g. from my desktop, to log on to these hosts I enter:

from desktop: tsocks ssh hosta

from hosta: echo $DISPLAY
hosta: localhost:10.0
from hosta: ssh hostb

from hostb: echo $DISPLAY
hostb: localhost:10.0

This is my config file:

Host *
ForwardX11 yes
ForwardAgent yes
ServerAliveInternal=900

Host hosta
Hostname ip.of.hosta
LocalForward 20000 ip.of.hostb:22
User myuser

Host hostb
HostKeyAlias aliasb
HostName localhost
User myuser
Port 20000

I have copied my ssh_keys to hosta and hostb.

Then I issue the command: tsocks ssh -v -v hostb
$ tsocks ssh -v -v hostb
OpenSSH_4.3p2 Debian-5ubuntu1, OpenSSL 0.9.8b 04 May 2006
debug1: Reading configuration data /home/myuser/.ssh/config
debug1: Applying options for *
debug1: Applying options for hostb
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to localhost [127.0.0.1] port 20000.
debug1: connect to address 127.0.0.1 port 20000: Connection refused
ssh: connect to host localhost port 20000: Connection refused

$ cat /etc/ssh/ssh_config
Host *
ForwardAgent yes
ForwardX11 yes
SendEnv LANG LC_*
HashKnownHosts yes

Can anyone help? Thanks in advance.


ssh tunnel

I have a desktop Windows machine running vmware and ubuntu.
I want to automate an ssh tunnel from my desktop to machine A then to machine B then to machine C.
This is my config file:

Host a
Hostname ip.of.hosta
LocalForward 20001 ip.of.hostb
User myuser

Host b
HostKeyAlias aliasb
HostName localhost
Port 20001
LocalForward 20002 ip.of.hostc
User myuser

Host c
HostkeyAlias aliasc
HostName localhost
Port 20002
User myuser

Host *
ForwardAgent yes
ServerAliveInterval=900

Then I issue the command ssh hostc and get the following error:
ssh: connect to host localhost port 2002: connection refused.

I have ssh-keys setup and can manually ssh from desktop to hosta then hostb then hostc.
openssh server is running on my desktop.

Can anyone help?


Connections need to be done manually

From what I see here, you need to open 3 ssh connections in order to be able to connect to host c.

  1. connect to host a, this will open port 20001 on localhost and will be forwarded to host b port 22
  2. then connect to host b using "ssh b", this will open a connection on localhost port 20001 and will be forwarded to host c port 22
  3. finally, connect to host c using "ssh c", this will connect on localhost port 20002 and you should be landing on host c.

Note: You have to specify a destination port in your LocalForward directive.
for Host a:
LocalForward 20001 ip.of.hostb:22
and for Host b:
LocalForward 20002 ip.of.hostc:22

Keep in mind that opening a connection on host c won't cascade connection to host b and host a, you have to make them manually.

Hope this helps

Debuntu
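
An added example, not code from the article or from any commenter: a small shell/awk check for the chained LocalForward setup discussed in the reply above. It reports forwards with no destination host:port, forwards that listen beyond loopback, and which Host entry has to be connected first. The names lint_forwards and sample_config are made up here, and the sample is the three-hop config from the question, trimmed to the relevant lines.

```shell
#!/bin/sh
# lint_forwards [FILE]: sanity-check chained LocalForward entries in an ssh
# client config (stdin when no FILE). Hypothetical helper; no IPv6 bind parsing.
lint_forwards() {
    awk '
    { sub(/^[ \t]+/, ""); gsub(/[=]/, " ") }    # accept "Keyword=value" too
    /^#/ || NF == 0 { next }
    { key = tolower($1) }                        # keywords are case-insensitive
    key == "host"     { host = $2 }
    key == "hostname" { name[host] = tolower($2) }
    key == "port"     { port[host] = $2 }
    key == "localforward" {
        n = split($2, l, ":")                    # [bind_address:]port
        if (NF < 3 || $3 !~ /:[0-9]+$/)
            printf "%s: LocalForward %s has no destination host:port\n", host, $2
        if (n > 1 && l[1] != "127.0.0.1" && l[1] != "localhost")
            printf "%s: LocalForward %s listens beyond loopback\n", host, $2
        owner[l[n]] = host                       # local port -> Host that opens it
    }
    END {
        for (h in port) {
            if (name[h] != "localhost" && name[h] != "127.0.0.1") continue
            if (port[h] in owner)
                printf "%s: connect to %s first (it opens port %s)\n", h, owner[port[h]], port[h]
            else
                printf "%s: no LocalForward opens local port %s\n", h, port[h]
        }
    }' "$@" | LC_ALL=C sort
}

# Constructed sample: the three-hop config as posted in the question above.
sample_config() {
    cat <<'EOF'
Host a
Hostname ip.of.hosta
LocalForward 20001 ip.of.hostb

Host b
HostName localhost
Port 20001
LocalForward 20002 ip.of.hostc

Host c
HostName localhost
Port 20002
EOF
}

sample_config | lint_forwards
```

With both directives corrected to ip.of.hostb:22 and ip.of.hostc:22, only the two ordering reminders remain.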


I get an error saying it can't connect to localhost

here is the error:

XXXX@XXXXX:~$ ssh XXXX@localhost -L 1234:irc.freenode.net:6667
ssh: connect to host localhost port 22: Connection refused

Also, is there a way to do this dynamically for BitTorrent?

Kartik 2.0


Is openssh server running on

Is openssh server running on your local system?
Try apt-get install openssh-server in the first place.

Debuntu