
SSH Port Forwarding 101

2010/11/14

I’ve tried messing around with SSH port forwarding in the past, but always struggled to get my head around what I was trying to connect to where, and ultimately didn’t result in anything useful. This time around I’ve put in some dedicated time to get to the bottom of forwarding ports within SSH tunnels. And I’m glad I did; with only a handful of connections the possibilities are making my head spin.

To help my head get around problems I encountered I found a number of resources helpful.

Example Scenario: A server (10.0.0.100) on an internal LAN has web services that need to be accessed, but has no remote access through the firewall. Luckily, there is remote access to an SSH server (10.0.0.200) sat on the same LAN.

From command-line:

ssh -L 8000:10.0.0.100:80 ssh-server.somedomain.tld

This connects to the machine at ssh-server.somedomain.tld and, once authenticated, opens a listener on port 8000 on the local machine and forwards any connection made to it through the SSH session to 10.0.0.100:80. Now accessing the remote services is as simple as pointing your browser to http://127.0.0.1:8000.

The same functionality can be achieved using configuration files. For example, edit ~/.ssh/config:

Host tunnel
    HostName ssh-server.somedomain.tld
    LocalForward 127.0.0.1:8000 10.0.0.100:80

To establish a connection with the configuration file in place, simply run: ssh tunnel

The port forward will remain active for as long as the SSH session is connected. If you don’t need to interact with the SSH session in addition to the forwarded port, passing ssh the -fN flags will cause the session to be backgrounded once authentication has succeeded.
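
The config entry above pins the listener to 127.0.0.1, while the command-line form leaves the bind address to the client's default. As an added example (not part of the original post), the shell function below lists every LocalForward in an ssh_config-style file and flags listeners that other machines could reach; the function names and the "shared" and "bare" host entries are constructed for illustration.

```shell
#!/bin/sh
# Output columns: host-alias  bind-address  listen-port  destination  verdict
audit_forwards() {
    awk '
    {
        sub(/^[ \t]+/, "")                 # drop leading indentation
        if ($0 == "" || $0 ~ /^#/) next    # skip blank lines and comments
        gsub(/[ \t]*=[ \t]*/, " ")         # "Keyword=value" is also legal
        key = tolower($1)                  # keywords are case-insensitive
    }
    key == "host" { host = $2; next }
    key == "localforward" {
        listen = $2; dest = $3
        if (listen ~ /^[0-9]+$/) {         # bare port: no bind address given
            bind = "(default)"; port = listen
        } else {                           # bind_address:port
            port = listen; sub(/^.*:/, "", port)
            bind = listen; sub(/:[0-9]+$/, "", bind)
            if (bind == "") bind = "*"     # empty bind address means all interfaces
        }
        if (bind == "(default)")
            verdict = "loopback-unless-GatewayPorts"
        else if (bind == "127.0.0.1" || bind == "localhost" || bind == "[::1]")
            verdict = "loopback"
        else if (bind == "*" || bind == "0.0.0.0")
            verdict = "EXPOSED-all-interfaces"
        else
            verdict = "EXPOSED-" bind
        h = (host == "") ? "(global)" : host
        print h, bind, port, dest, verdict
    }' "$@"
}

# Constructed sample: the "tunnel" host from this page plus two hypothetical variants.
sample_config() {
cat <<'EOF'
Host tunnel
    HostName ssh-server.somedomain.tld
    LocalForward 127.0.0.1:8000 10.0.0.100:80
Host shared
    HostName ssh-server.somedomain.tld
    LocalForward *:8000 10.0.0.100:80
Host bare
    HostName ssh-server.somedomain.tld
    LocalForward 8000 10.0.0.100:80
EOF
}

sample_config | audit_forwards
```

Run it against a real file with audit_forwards ~/.ssh/config; any EXPOSED line means the internal web service is reachable by whoever can connect to that address on your machine, not just by you.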

If you haven’t already, I suggest you investigate the possibilities within your own environment; and if an evil grin doesn’t spread across your face then you still don’t fully get it 😉

–Andrew

Categories: InfoSec, Lab, Tool-Kit
  1. Matthew W
    2010/11/15 at 08:06

    SSH is a real double-edged sword; we build ad-hoc VPN connections with it which allow VLAN tagged packets to pass our provider’s not-quite-layer-2 inter-site links. Alarmingly, that only requires root on a box inside the network and root outside, and for any TCP port to be enabled outbound; in theory I could walk into most-anyone’s network in the world, drop my laptop down and allow the world past their firewalls.

    Of course if your Ethernet ports aren’t locked down to trusted machines etc etc…

    Very cool stuff!

    • 2010/11/15 at 09:04

      Agreed, definitely dangerous in the wrong hands. Makes you think about your own network; bet 99% of networks allow anything outbound from the ‘trusted’ local LAN, and even those that have egress filtering I’d guess only a small percentage block tools like SSH ’cause the ‘admins’ need them.
