
Wednesday, 30 November 2011

Port forwarding with SSH/Putty

I regularly exchange data between computers at University and home. To maintain security, I keep a firewall running on all machines, and “tunnel” through the firewall(s) using SSH - the secure shell. For example, I run a web server on my main machine for web application development, and do not wish this to be publicly accessible. My home computer is protected by a hardware firewall, and I use SSH to tunnel access to the web server. Local and remote port forwarding is straightforward, but it can be difficult to understand initially. I have therefore created a list of “recipes” that one can try…

Getting the software

My remote machine is running Debian Linux. I have two local machines running Mac OS X, and Windows XP. Port forwarding is possible on all three machines.
On Linux and Mac OS X, OpenSSH is bundled, so you already have the necessary software. For Windows, I’d recommend the SSH program PuTTY: download both the GUI-based client and the command-line client Plink.
Using plink is recommended because it uses the same syntax as SSH on Mac OS X and Linux, although once you have things running, you can switch to the GUI if you wish.
In the examples, I use the address myserver.dyndns.org for the address of your remote server.

Accessing a remote webserver

You want to access a web server running on port 80 on your remote machine.
From your local machine, type:

ssh -L 8080:localhost:80 myserver.dyndns.org

This creates a tunnel from port 8080 on your local machine to port 80 on your remote machine. In your web browser go to “http://127.0.0.1:8080/” to view your remote web pages!

Using a remote HTTP proxy

You have an HTTP proxy running, such as squid, on your remote server. You want to browse the internet using your home machine rather than your university account (for example, if your university account blocks access to certain websites). If your proxy server is running on port 3128:
From your local machine, type:

ssh -L 3128:localhost:3128 myserver.dyndns.org

On your local machine, you need to configure your Internet connection settings (or web browser) to use proxy server 127.0.0.1 port 3128. The web browser thinks it is connecting to a local proxy server, but in fact, all connections are tunnelled to your remote server. Try going to http://whatsmyip.org/ and check the connection is using the remote server!

Tunnelling from remote to local

You have a web server running on a university-bound machine that you need to access from home. You are running a firewall that blocks all incoming connections, and the university is also blocking your address. How do you access this service from home?
You need to remote port forward:
From the university machine type:

ssh -R 8080:localhost:80 myserver.dyndns.org

This creates a tunnel from port 8080 on your remote machine to port 80 on the local machine. To access your protected web server, you just need to browse the website at “myserver.dyndns.org port 8080” (i.e., myserver.dyndns.org:8080) and this will connect you to your protected server on the protected network.

Daisy chaining tunnels

It is possible to daisy-chain SSH tunnels through multiple firewalls. I want to show a trusted colleague my protected website. I create a tunnel through our shared intermediary server:
On the protected computer, forward remote port 8080 to local port 80:

ssh -R 8080:localhost:80 myserver.dyndns.org

On my colleague’s computer, forward local port 80 to remote port 8080:

ssh -L 80:localhost:8080 myserver.dyndns.org
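As an added illustration (not part of the original post), a small Python helper that decodes the `-L`/`-R` arguments used in the recipes above and reports which machine listens, on which address, whether the listener is reachable beyond loopback, and whether the listening port needs root, as port 80 does in the last command. It assumes the `[bind_address:]port:host:hostport` grammar from ssh(1), and encodes the usual OpenSSH default that forwards bind to loopback unless `GatewayPorts` (server side, for `-R`) or `-g`/an explicit bind address (client side, for `-L`) says otherwise.

```python
from dataclasses import dataclass

# Grammar from ssh(1): [bind_address:]port:host:hostport. Hostnames and IPv4
# only here; bracketed IPv6 literals are not handled by this helper.
LOOPBACK_NAMES = {"127.0.0.1", "localhost", "::1"}


@dataclass(frozen=True)
class Forward:
    mode: str                # "L" (local) or "R" (remote)
    listen_side: str         # machine on which ssh/sshd opens the listener
    bind_address: str        # address the listener binds to
    listen_port: int
    target_host: str         # destination, resolved on the *other* machine
    target_resolved_on: str
    target_port: int

    @property
    def privileged_listener(self) -> bool:
        # Listening below port 1024 needs root (or an elevated PuTTY/plink).
        return self.listen_port < 1024

    @property
    def loopback_only(self) -> bool:
        # Default bind is loopback. A -R listener is then only reachable on the
        # server itself unless sshd has "GatewayPorts yes"; a -L listener needs
        # -g or an explicit bind address to be reachable from the LAN.
        return self.bind_address in LOOPBACK_NAMES


def _port(text: str) -> int:
    port = int(text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {text}")
    return port


def parse_forward(spec: str, mode: str) -> Forward:
    if mode not in ("L", "R"):
        raise ValueError(f"mode must be 'L' or 'R', got {mode!r}")
    parts = spec.split(":")
    if len(parts) == 3:
        bind_address, port, host, hostport = "127.0.0.1", *parts
    elif len(parts) == 4:
        bind_address, port, host, hostport = parts
        bind_address = "*" if bind_address == "" else bind_address  # "" == all
    else:
        raise ValueError(f"expected [bind_address:]port:host:hostport: {spec!r}")
    listen, target = ("local", "remote") if mode == "L" else ("remote", "local")
    return Forward(mode, listen, bind_address, _port(port), host, target, _port(hostport))
```

Running `parse_forward("8080:localhost:80", "R")` on the recipe above shows `loopback_only` is true, which is why the server needs `GatewayPorts yes` before myserver.dyndns.org:8080 answers from outside.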

Depending on firewall and proxy settings, it may not be possible to tunnel SSH connections in this way, and I do not condone the use of these techniques for nefarious purposes. I use these techniques to secure my remote systems and ensure I have as few services as possible running on open ports. Reducing the number of running services reduces the chance of attack by hackers, and means that the only possible chink in your armour is the SSH server itself.

from http://www.medicalnerds.com/port-forwarding-with-sshputty/
