SSH and Port Forwarding or How to get through a firewall


In this article I’m going to show you how you can use SSH Port Forwarding to access a service a firewall might be blocking.

As an example, I’m going to take a campus that blocks access to IRC servers, which usually run on port 6667, but leaves SSH port 22 unblocked.

The idea here is: since we can connect to a remote host on port 22, why not tell that machine to forward the incoming traffic to the remote host we wanted to connect to in the first place?

So here is the configuration. We are using a computer on a campus which blocks external access to port 6667, but leaves port 22 open.

We have a known host (let’s say your home computer) with SSH port 22 open.

Here is a graph representing the configuration:

[Figure: ssh port forwarding]

As you can see, we are going to use a longer path to connect to the IRC server by connecting to our home computer. Using port forwarding, we will create a tunnel between port 1234 on our local machine and port 6667 on the IRC server. This way, we will be able to connect to the IRC network simply by connecting to our local machine on port 1234.

Let’s get into the command line now. Firstly, we need to create the tunnel. To do so, connect to your home computer by SSH and forward your port 1234 on localhost to the IRC server (here irc.freenode.net) on port 6667.

tester@laptop:~$ ssh [email protected] -L 1234:irc.freenode.net:6667

Now our tunnel is created (the purple connection on the graph) and port 1234 is open on localhost. The only thing left is to connect to IRC using your favorite IRC client, pointing it at the server located at localhost:1234.

In this example I’m going to connect to it using irssi, a text-mode client for IRC networks.

tester@laptop:~$ irssi -c localhost -p 1234

and here is what we get…

[Figure: irssi connecting to irc.freenode.net through a tunnel on localhost port 1234]

hey, hey, we are connected to freenode.net ;).

Basically, you could use this trick to access any type of service. The only thing it requires is being able to connect to a remote machine outside of the firewalled network.
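
For anyone auditing process logs for tunnels like the one above, here is an added example (not part of the original article) that extracts -L forwards from an ssh command line and reports whether the local listener is reachable from other machines. It handles only the TCP form [bind_address:]port:host:hostport and assumes the default GatewayPorts setting; the function and field names are illustrative.

```python
import shlex
from contextlib import suppress
from typing import NamedTuple

NOARG_FLAGS = set("46AaCfGgKkMNnqsTtVvXxYy")  # ssh options that take no value
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

class LocalForward(NamedTuple):
    bind: str        # listen address; "" means "decided by GatewayPorts"
    port: int        # local listening port (1234 in the article)
    dest_host: str   # host the SSH server connects to on our behalf
    dest_port: int
    exposed: bool    # True if other machines can reach the listener

def split_spec(spec):
    """Split on ':' while keeping bracketed IPv6 literals such as [::1] whole."""
    parts, buf, depth = [], "", 0
    for ch in spec:
        depth += (ch == "[") - (ch == "]")
        if ch == ":" and depth == 0:
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    return [p.strip("[]") for p in parts + [buf]]

def parse_forward(spec):
    """Parse the TCP form [bind_address:]port:host:hostport of ssh -L."""
    parts = split_spec(spec)
    explicit = len(parts) == 4
    if len(parts) == 3:
        parts = [""] + parts
    if len(parts) != 4:
        raise ValueError(f"not a TCP forward spec: {spec!r}")
    bind, port, host, hostport = parts
    # An explicit empty address or '*' binds every interface; with no address
    # given, ssh follows GatewayPorts, assumed here to be its default (loopback).
    exposed = explicit and bind not in LOOPBACK
    return LocalForward(bind, int(port), host, int(hostport), exposed)

def find_local_forwards(cmdline):
    """Return every -L forward found in one ssh command line."""
    args, found = shlex.split(cmdline), []
    for i, arg in enumerate(args):
        head, sep, tail = arg[1:].partition("L")  # also matches clusters like -fNL
        if arg.startswith("-") and sep and set(head) <= NOARG_FLAGS:
            with suppress(ValueError, IndexError):  # socket forms/malformed: skipped
                found.append(parse_forward(tail or args[i + 1]))
    return found
```

Run over the article's command with a constructed user@host, it returns one forward on port 1234 to irc.freenode.net:6667 with exposed set to False; a spec starting with `*:` is reported as exposed.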