Home > InfoSec, Tool-Kit > SSH Tunnelling Example

SSH Tunnelling Example


Towards the end of last year I spent a few hours trialling SSH tunnels, I knew how the process worked but hadn’t had much cause to use it in anger; so my lab got some use instead, and a post was written covering the basics; SSH port forwarding 101.

Since I now know how to quickly and successfully implement a tunnel, it turns out that I previously had plenty of cause to use tunnels in the past, I just didn’t know SSH tunnels were the right tool for the job. A couple of recent conversations has made me realise others don’t always know the flexibility of tunnels either so I wanted to try and describe a common scenario to highlight the usefulness of tunnels.


Above is a fairly common setup. You’ve got an internal resource (for example an intranet wiki for documentation), this is in turn protected by a firewall that only allows access from trusted location. Under normal circumstances all staff can access the resource without problems, and any malicious sources (human or automated) can’t access the service.

This works well, until someone needs access and they aren’t at one of the trusted locations (we’re assuming this is an unusual problem and remote access solutions aren’t in place). In a lot of environments SSH is a ‘trusted’ system management solution and is world accessible (and hopefully secured well enough to keep the barbarians from the door, but that’s for different posts).


SSH tunnels (but you guessed that). Tunnel the server’s HTTP (or whatever) service back to your local system, and then connect locally. Using the syntax I discussed previously, from a ‘nix shell you can use this command:

ssh -L 8000: ssh-server.domain.com

This makes an SSH connection to the server (ssh-server.domain.com), tunnelling the local HTTP service running on port 80 ( and binds it to your machines TCP 8000 port. Now you can connect to the service by typing into a browser, thus traversing the firewall source IP restrictions.

If you’re living in a Windows world, then the PuTTY equivalent configuration will be:

Next time you’re sat in the coffee shop on a Sunday morning, and the boss rings with an ’emergency’; are you sure that you can’t access the resources you need from where you are? If you can, that coffee (and extra slice of cake) just became expense-able 😉

–Andrew Waite

Categories: InfoSec, Tool-Kit
  1. Zydoon
    2011/05/09 at 16:22

    THank you for this info, it really helps

    I’m looking for a SSH proxy, does it exists ?

  2. 2011/05/11 at 14:23

    ah.. you do know about ssh -D
    This is for dynamic socks forwarding…. 🙂


  3. gdbtek
    2014/05/07 at 00:02

    I wrote this tool https://github.com/gdbtek/ssh-tunneling and hope it helps. It supports local/remote tunnel.

  1. No trackbacks yet.
Comments are closed.
%d bloggers like this: