[Sussex] SSH Tunnels....
Richie Jarvis
richie at helkit.com
Thu Aug 7 16:46:37 UTC 2008
Hi Steve,
You were asking about tunnelling, and as I've just been doing some - it's
nice and fresh in my mind....
Local tunnels (where you want to listen locally, and send down the tunnel):
ssh -L <local-listener>:<target-ip-as-if-from-remote-machine>:<target-port> <username>@<hostname>
Example - say I have a remote wormhole machine which only allows SSH
connections, and behind that remote machine are a series of boxes which
are not allowed to accept incoming or outbound connections. I want to
SSH into 1 box behind the wormhole, let's call him 'fred'. Let's also say
that fred runs a webserver on port 80 which isn't accessible externally
either, and I want to visit it (maybe it's an intranet).
Step 1 - Establish an ssh session to wormhole, with the tunnel
ssh -L 22:fred:22 richie@wormhole
Step 2 - Establish an ssh session OVER the tunnel, with a new tunnel for
the webserver
ssh -L 80:localhost:80 richie@localhost
Step 3 - Grab fred's homepage over both the tunnels, because now my
local machine has a listener on port 80 which connects directly to fred.
wget http://localhost
Remote tunnels (where you want to use a resource on your local machine
from the remote machine, such as a proxy server):
ssh -R <remote-bind-address>:<remote-listener>:<target-ip-as-if-from-remote-machine>:<target-port> <username>@<hostname>
Example - I am doing this now in actual fact :) BEA only provide a
stub for Weblogic - when you fire up the installer, it connects to the
net, and downloads what it needs, however, the machine I am running the
installer on has NO outbound internet connectivity, so I am stuffed,
right? Not quite :) It's again behind wormhole, and fred is the box I
want to install Weblogic on.
Step 1 - Set up SQUID on a Linux box which does have internet
connectivity (I use my VPS), listening on port 3128
Step 2 - SSH to my vps
ssh richie@vpsbox
Step 3 - SSH to wormhole, FROM the VPS, with a remote tunnel, so that
anything that connects to port 3128 on wormhole automatically gets
dumped on the VPS to port 3128. The bind address is blank so that fred
can connect, otherwise only localhost can connect - this requires the
sshd_config option GatewayPorts to be set to 'yes'. I've also had to
include the port 22 tunnel as well, so that I can login to fred.
ssh -R *:3128:localhost:3128 -L 22:fred:22 richie@wormhole
Step 4 - SSH to fred over the tunnel
ssh richie@localhost
Step 5 - I can now use the SQUID on my VPSBox directly from fred - using
a wget for example
export http_proxy="http://wormhole:3128"
[root@fred ~]# wget google.com
--05:59:22-- http://google.com/
Connecting to wormhole:3128... connected.
Proxy request sent, awaiting response... 301 Moved Permanently
Location: http://www.google.com/ [following]
--05:59:23-- http://www.google.com/
Connecting to wormhole:3128... connected.
Proxy request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: `index.html'
[ <=> ]
5,991 --.-K/s in 0.02s
05:59:25 (360 KB/s) - `index.html' saved [5991]
Does that help?
Cheers,
Richie
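An added example, not part of Richie's post, for checking the server-side setting that Step 3 of the remote-tunnel recipe depends on. It is a small POSIX sh/awk helper (not OpenSSH's own parser) that reads the effective GatewayPorts value from an sshd_config, classifies the bind address of a -L/-R spec, and works out where sshd will really bind the -R listener; the sshd_config it reads is a constructed sample, and the "guest" Match block in it is made up.

```shell
# Effective value of an sshd_config keyword: sshd uses the FIRST value it
# reads, keywords are case-insensitive, '#' starts a comment, and settings
# inside a Match block are conditional, so they are skipped here.
sshd_effective() {                      # $1 = config file, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }
        NF == 0 { next }
        tolower($1) == "match" { inmatch = 1; next }
        inmatch { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Bind scope requested by a -L/-R spec of the form [bind:]port:host:hostport.
forward_bind_scope() {
    case "$1" in
        *:*:*:*) bind="${1%%:*}" ;;
        *)       bind="" ;;
    esac
    case "$bind" in
        "" | localhost | 127.0.0.1 | ::1) echo loopback ;;
        "*" | 0.0.0.0 | "::")              echo all ;;
        *)                                 echo specific ;;
    esac
}

# Where sshd really binds a -R listener: a loopback request stays loopback;
# a wider one is honoured only with GatewayPorts yes (forces the wildcard
# address) or clientspecified. With the default "no" sshd falls back to
# loopback, which is why Step 3 above needs GatewayPorts yes.
remote_forward_exposure() {             # $1 = scope, $2 = GatewayPorts value
    gw=$(printf '%s' "${2:-no}" | tr 'A-Z' 'a-z')
    [ "$1" = loopback ] && { echo loopback; return; }
    case "$gw" in
        yes)             echo all ;;
        clientspecified) echo "$1" ;;
        *)               echo loopback ;;
    esac
}

# Run the post's Step 3 spec against a constructed sample sshd_config and
# print who could reach the 3128 listener on the wormhole host.
check_step3() {
    cfg=$(mktemp)
    printf '%s\n' 'Port 22' 'GatewayPorts yes' \
        'GatewayPorts no   # ignored: first value wins' \
        'Match User guest' '    AllowTcpForwarding no' > "$cfg"
    scope=$(forward_bind_scope '*:3128:localhost:3128')
    remote_forward_exposure "$scope" "$(sshd_effective "$cfg" GatewayPorts)"
    rm -f "$cfg"
}
```

Running check_step3 prints "all" for the sample config; with GatewayPorts left at its default it prints "loopback", meaning fred would not be able to reach the proxy listener at all.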