
Around the Firewall: ssh proxy and ssh port forwarding

If you a) are behind a firewall that does not allow you to reach a certain destination on the web, or b) are out on the web and cannot reach a certain destination inside a network, the OpenSSH implementation can help: from the machine you are sitting at (“local machine”) you only need ssh access to, e.g., a Linux machine running an ssh server in the “target network” (“remote machine”; for a) outside the firewall on the “web”, for b) inside the target network behind the firewall).

a) ssh proxy (built in SOCKS proxy)

When logging in to the remote machine, use the -D option:

ssh -p 22 user_name@remote_machine_url -D 8080
  • -p 22 specifies the port the ssh server listens on at the remote machine.
  • -D 8080 specifies that requests sent to port 8080 on your local machine are tunnelled to the remote machine and then routed to wherever they should go. This way you can send packets transparently to their targets via the remote machine.

For use with a web browser, you then need to configure the browser to use a proxy instead of your default gateway (for Firefox, e.g., the FoxyProxy plugin). Configure it so that the browser uses a SOCKS proxy and sends its packets to your local machine on port 8080.

b) ssh port forwarding

When logging in to the remote machine, use the -L and/or the -R option:

ssh -p 22 user_name@remote_machine_url -L 10001:192.168.0.101:10002 -R 10003:192.168.0.102:10004
  • -p 22 specifies the port the ssh server listens on at the remote machine.
  • -L 10001:192.168.0.101:10002 specifies that requests sent to port 10001 on your local machine are tunnelled to the machine at 192.168.0.101 in the remote machine’s network on port 10002. This way you can send packets from your machine to a machine in the remote machine’s network without needing direct access to it.
  • -R 10003:192.168.0.102:10004 specifies that requests sent to port 10003 on the remote machine are forwarded to the machine at 192.168.0.102 in your local machine’s network on port 10004. This way somebody on the remote machine’s network, which has no access to your local machine’s network from outside, can still reach a machine in your network.

On Windows you can do the same with PuTTY. Enable the check box “Don’t start a shell or command at all” under “Connection > SSH”. Under “Tunnels”, add a “dynamic” tunnel on “local port X”, where X is the port you are going to send data to locally (leave the destination empty; after adding, the list should show something like “D8080”).
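As an added example (not part of the original post), the following shell script assembles the commands above for both case a) and case b), adds -N so that no remote shell is started (the equivalent of the PuTTY check box), and rejects a bind address that would make the forwarded port reachable from other machines; user_name, remote_machine_url and the ports are placeholders.

```shell
#!/bin/sh
# Added example (not code from the original post). Assembles the ssh command
# lines for case a) (-D) and case b) (-L/-R) and refuses forward specs whose
# bind address would expose the listener to other hosts. User, host and
# port values are placeholders.

# forward_bind_ok SPEC
# Returns 0 when a -D/-L/-R spec binds to the local machine only. ssh binds
# to loopback when the spec carries no bind address; an explicit "*",
# "0.0.0.0" or "[::]" (like the -g flag) makes the port reachable from the LAN.
forward_bind_ok() {
  case "$1" in
    '*:'*|'0.0.0.0:'*|'[::]:'*) return 1 ;;
    *) return 0 ;;
  esac
}

# socks_cmd USER HOST SSHPORT LOCALPORT
# Case a): SOCKS proxy on LOCALPORT. -N keeps ssh from starting a remote
# shell, which is all a pure tunnel needs.
socks_cmd() {
  forward_bind_ok "$4" || return 1
  printf 'ssh -N -p %s -D %s %s@%s\n' "$3" "$4" "$1" "$2"
}

# forward_cmd USER HOST SSHPORT LSPEC RSPEC
# Case b): one local (-L) and one remote (-R) forward.
forward_cmd() {
  forward_bind_ok "$4" || return 1
  forward_bind_ok "$5" || return 1
  printf 'ssh -N -p %s -L %s -R %s %s@%s\n' "$3" "$4" "$5" "$1" "$2"
}

# The two commands from the post, with -N added:
socks_cmd user_name remote_machine_url 22 8080
forward_cmd user_name remote_machine_url 22 \
  10001:192.168.0.101:10002 10003:192.168.0.102:10004
# A wildcard bind is rejected (exit status 1, no command printed):
socks_cmd user_name remote_machine_url 22 '0.0.0.0:8080' || echo "rejected: wildcard bind"
```

Once the -D tunnel is up, `curl --socks5-hostname 127.0.0.1:8080 https://example.org` shows whether traffic really leaves via the remote machine.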
