SSH Tunnelling (Port Forwarding)
This is a short introduction to SSH tunnelling (also known as "port forwarding"). It describes with some simple examples how a user can establish an apparently direct connection to any machine in the Garchinger Campus, despite the newly enforced restricted access to a selected number of machines.
For more details about SSH tunnelling, see the links at the bottom.
Let's define our sample setup: We have a PC at home called mypc. We want to connect to a computer in Garching called work, but we are only allowed to connect to a gateway machine called gate:
The normal way would be a two step process: first connect from mypc to gate and then from gate to work. Let's see how a tunnel can help:
Case 1: From a Unix-like machineThe following refers to OpenSSH 2.x and 3.x:
On mypc we execute this command:
ssh -l myuserid -L 7777:work:22 gate cat -This means: open an ssh connection as user myuserid to host gate and execute the command cat -. While the session is open, redirect all connections to port 7777 on the local machine to port 22 on machine work.
Now we can use any SSH command (ssh, slogin, scp, sftp) to connect directly to work through the tunnel. For example:
ssh -p 7777 localhost uname -a
slogin -p 7777 localhost
scp -p -P 7777 localhost:data/file1.txt .
sftp -oPort=7777 localhost
How it works:
The ssh process on the local machine mypc establishes an SSH connection with the sshd server process on the gateway machine gate. It uses the well-known port 22 on the server side and some free port on the local machine, e.g. 605. In addition, because we have used the -L option, the local ssh process accepts local connections to port 7777 and sends all data received on this port through the other port 605 to gate with some marking "this is from tunnel 7777". The gateway gate has been informed through the -L option that, whenever it receives data marked with "this is from tunnel 7777", it has to open a connection to host work on port 22 and send it that data:
- The cat - command in the first ssh command is there only to keep the connection open. Any other command which does not finish could be used. It could be left blank, too, thereby opening a shell, but then you need a controlling terminal and cannot use the ssh command in a script.
- You can use any port above 1024 and below 32768 for the -L option.
- If you need to connect to several machines, then just specify more
-L options in the first ssh command, one per machine, each with
a different local port. For example:
ssh -l myuserid -L 7777:work1:22 -L 7778:work2:22 -L 7779:work3:22 gate cat -then use ssh -p 7777 localhost to connect to work1, ssh -p 7778 localhost to connect to work2, etc.
- You can also redirect to other remote ports. For example, if
machine work accepted telnet connections (port 23), then
you could prepare the tunnel with:
ssh -l myuserid -L 7777:work:23 gate cat -and then just telnet to work with this command:
telnet localhost 7777The port numbers of usual network services can be found in file '/etc/services'.
- You can write a small script to setup the SSH tunnel for all connections you normally need and call that script automatically every time you connect from home to the Internet.
- You can define aliases for connections which you need very
often. For example, if you do (in a tcsh):
alias sshwork 'ssh -p 7777 localhost'then you can simply do things like:
sshwork uname -a
sshwork ps -ef
sshwork (to login)
- With some more complex aliases or shell scripts you can almost work
as with a direct connection. For example, if you do:
alias ssh \then you can do:
'set target=`echo \!^ | sed -e "s/work/-p 7777 localhost/g"` ; \
/usr/local/bin/ssh $target \!:2*'
ssh work ps -ef
- If you use the -v option for the ssh command which prepares the tunnel, then you can see in its output whenever a connection is established through the tunnel (and other debug messages).
Case 2: From a Windows PCThe working principle is the same as the Unix case described above.
Here is a detailed description (kindly contributed by Lutz U. Schäfer) of how to establish the tunnelling connection and how to configure various E-Mail programs to send and receive mail through the tunnel.