wiki:infrastructure_tools:ssh:ssh-tcp-port-forwarding [2014/01/25 16:56] (current)
Line 1: Line 1:
 +====== SSH TCP Port Forwarding ======
 +
 +===== Preface =====
 +
 +In some cases users are looking for possibility to do TCP port forwarding. \\
 +In situations like: \\
 +- Firewall is blocking traffic between source and destination but SSH traffic is enabled. \\
 +- Application for security reasons is listening only on TCP port on loopback interface but you have only SSH access to the server and you need to connect remote application client to the loopback of the server. \\
 +- Your provider is filtering traffic to TCP ports for some hosts but you have an server on public internet. \\
 +- You SSH Server need to access some IP on your local network but firewall is blocking this traffic . \\
 +- … \\
 +\\
 +In this case it is possible to open an connection from your SSH Client site to SSH Server and configure TCP port forwarding. The whole TCP traffic will be taken and with help of SSH protocol it will be forwarded from one site of the “tunnel” to another. As well the whole traffic will be encrypted like standard SSH traffic. According to this it will look like only one SSH session for all devices between SSH Client and SSH Server.
 +
 +===== Before we’ll start =====
 +
 +In general we will need to make sure that we know what we would like to configure. I know that it look like really stupid sentence. On another hand the SSH port forwarding is sometime really confusing.
 +
 +==== Questions: ====
 +
 +Please make sure that you know the answers for this questions:​\\
 +What is the Destination IP?\\
 +What is the Destination TCP port?\\
 +What is the IP where will be SSH TCP port Forwarding tunnel listening incoming traffic?\\
 +What is the TCP port where will be SSH TCP port Forwarding tunnel listening for incoming traffic?
 +
 +===== Listening on Local TCP port (-L) =====
 +
 +Description:​ “ -L [bind_address:​]port:​host:​hostport “\\
 +Example: “ ssh -L <​Listening_Local_IP>:<​Listening_Local_TCP_port>:<​Destionation_Remote_IP>:<​Destination_Remote_TCP_port>​ user@server_IP ”
 +==== Questions -> Answers (Q&A) ====
 +
 +What is the Destination IP? \\
 +- This Destination IP is reachable from SSH Server site and we’ll need to access this IP from SSH Client site \\
 +\\
 +What is the Destination TCP port?\\
 +- This TCP port is reachable from SSH Server site and we’ll need to access this TCP port from SSH Client site
 +
 +\\
 +What is the IP where will be SSH TCP port Forwarding tunnel listening incoming traffic?\\
 +- It is one of the IP’s configured on SSH Client site.
 +
 +\\
 +What is the TCP port where will be SSH TCP port Forwarding tunnel listening for incoming traffic?\\
 +- It is TCP port higher like 1024\\
 +- This TCP port is free and no one is listening on this port\\
 +- It is Local TCP port on SSH Client site
 +
 +==== Example: ====
 +
 +In this case we will use this configuration:​\\
 +SSH Client IP: 10.0.12.110\\
 +SSH Server IP : 10.0.12.111\\
 +Application is listening on (IP:TCP port): 10.0.12.1:​80\\
 +SSH Client IP is not accepted at Application but SSH Server is permitted.
 +
 +According to this we will do SSH TCP port Forwarding that our SSH Client can access Application port (in our case Webportal)
 +
 +=== Check for available TCP port ===
 +
 +We’ll need to be sure that the TCP port that we will use at Client site is free for us to use. In this case I’m going to use TCP port 2222.
 +
 +<​code>​
 +[root@SSH_Client ~]# netstat -nap | grep 2222                                 # The TCP port 2222 is free and we can use it
 +[root@SSH_Client ~]#
 +</​code>​
 +
 +=== Open SSH session with TCP port Forwarding ===
 +
 +<​code>​
 +[root@SSH_Client ~]# ssh -L 10.0.12.110:​2222:​10.0.12.1:​80 root@10.0.12.111 ​  # -L [bind_address:​]port:​host:​hostport
 +root@10.0.12.111'​s password:
 +Last login: Sat Jan 25 12:49:41 2014 from 10.0.12.110
 +[root@SSH_Server ~]#
 +</​code>​
 +
 +=== Check the port on SSH Client site ===
 +
 +<​code>​
 +[root@SSH_Client ~]#netstat -nap | grep 2222                                   # As you can see SSH Client is listening on 10.0.12.110:​2222
 +tcp        0      0 10.0.12.110:​2222 ​    ​0.0.0.0:​* ​    ​LISTEN ​     2018/ssh
 +</​code>​
 +
 +===== Listening on Remote TCP port (-R) =====
 +
 +Description:​ “ -R [bind_address:​]port:​host:​hostport “\\
 +Example: “ ssh -R  <​Listening_Local_IP>:<​Listening_Local_TCP_port>:<​Destionation_Remote_IP>:<​Destination_Remote_TCP_port> ​ user@server_IP ”
 +
 +<note tip>In the case that you would like to bind the TCP port to the IP of the SSH server you need to enable: \\
 +GatewayPorts yes \\
 +in "/​etc/​ssh/​sshd_config"​ and restart the SSHD process</​note>​
 +==== Questions -> Answers (Q&A) ====
 +
 +What is the Destination IP? \\
 +- This Destination IP is reachable from SSH Client site and we’ll need to access this IP from SSH Server site \\
 +\\
 +What is the Destination TCP port?\\
 +- This TCP port is reachable from SSH Client site and we’ll need to access this TCP port from SSH Server site
 +
 +\\
 +What is the IP where will be SSH TCP port Forwarding tunnel listening incoming traffic?\\
 +- All of the IP’s configured on SSH Server site.
 +
 +\\
 +What is the TCP port where will be SSH TCP port Forwarding tunnel listening for incoming traffic?\\
 +- It is TCP port higher like 1024\\
 +- This TCP port is free and no one is listening on this port\\
 +- It is Local TCP port on SSH Server site
 +
 +==== Example: ====
 +
 +In this case we will use this configuration:​\\
 +SSH Client IP: 10.0.12.110\\
 +SSH Server IP : 10.0.12.111\\
 +Application is listening on (IP:TCP port): 10.0.12.1:​80\\
 +SSH Server IP is not accepted at Application but SSH Client is permitted.
 +
 +According to this we will do SSH TCP port Forwarding that our SSH Server can access Application port (in our case Webportal)
 +
 +=== Check for available TCP port ===
 +
 +We’ll need to be sure that the TCP port that we will use at SSH Server site  is free for us to use. In this case I’m going to use TCP port 2222.
 +
 +<​code>​
 +[root@SSH_Server ~]# netstat -nap | grep 2222                                 # The TCP port 2222 is free and we can use it
 +[root@SSH_Server ~]#
 +</​code>​
 +
 +=== Open SSH session with TCP port Forwarding ===
 +
 +<​code>​
 +[root@SSH_Client ~]# ssh -R *:​2222:​10.0.12.1:​80 root@10.0.12.111 ​              # -R [bind_address:​]port:​host:​hostport
 +root@10.0.12.111'​s password:
 +Last login: Sat Jan 25 13:26:54 2014 from 10.0.12.110
 +[root@SSH_Server ~]#
 +</​code>​
 +
 +=== Check the port on SSH Client site ===
 +
 +<​code>​
 +[root@SSH_Server ~]#netstat -nap | grep 2222                                   # As you can see SSH Server is listening on 0.0.0.0:​2222
 +tcp        0      0 0.0.0.0:​2222 ​    ​0.0.0.0:​* ​    ​LISTEN ​     2018/ssh
 +</​code>​
  
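Review bot: the heading "=== Check the port on SSH Client site ===" in the -R section is mislabelled; the command and output under it run at `[root@SSH_Server ~]#` and the `0.0.0.0:2222` listener is on the SSH server, so it should read "SSH Server site". In the same section the example line reuses the -L placeholders (`<Listening_Local_IP>:<Listening_Local_TCP_port>:<Destionation_Remote_IP>:<Destination_Remote_TCP_port>`), but with -R the bind address and port live on the SSH server and the destination is the host reachable from the client, so the placeholders should be renamed accordingly (and "Destionation" corrected in both sections) to avoid exactly the confusion the Preface warns about. The security consequence of `ssh -R *:2222:10.0.12.1:80` together with `GatewayPorts yes` deserves a sentence in the tip: sshd binds remote forwards to the loopback interface by default so that only processes on the server itself can use them, and binding to `*` exposes 10.0.12.1:80 to every host that can reach the server's port 2222 with no authentication of its own, so the tip should recommend keeping the default (or `GatewayPorts clientspecified` with an explicit bind address) unless that wider exposure is intended; the -L example has the same property, since it binds 10.0.12.110 rather than 127.0.0.1. Minor: "It is TCP port higher like 1024" should read "higher than 1024" in both Q&A lists, and that restriction only applies when ssh (for -L) or sshd (for -R) runs as an unprivileged user, which is not the case in the root examples shown.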