Tunnelling SSH through a firewall with ssh -L
Martin Tournoij
Created on 2010-12-13, last updated on 2010-12-14
Here’s a little tip on how to tunnel ssh through another machine with the
-L option. While not terribly difficult, I did spend some time figuring this out… Maybe this will save someone else some time ;-)
The network setup (simplified):

    [ Workstation ]
           |
      [ Firewall ]
           |
    ~ The Internet ~
           |
    [ Public webserver ]
The problem: to reach the public webserver from my workstation I first had to ssh or sftp to the Linux firewall, and only from that machine could I connect to the webserver.
There has to be an easier way… and a look at the ssh(1) manpage provided the answer. Excerpt from ssh(1):

    -L [bind_address:]port:host:hostport
        Specifies that the given port on the local (client) host is to be
        forwarded to the given host and port on the remote side. This works
        by allocating a socket to listen to port on the local side,
        optionally bound to the specified bind_address.

In other words: ssh listens on port on your own machine, and whatever connects there is relayed over the ssh session to host:hostport, with host resolved and connected to from the remote side (the firewall). Without a bind_address the listener is bound to the loopback address only (unless GatewayPorts is enabled in ssh_config), so other hosts on your network cannot use the tunnel.
Let me just give you an example on how to create the tunnel:

    $ ssh -f -N -p 22 username@firewall -L 2844/webserver.example.com/22

The usual separator in the -L argument is a colon (2844:webserver.example.com:22); the slash form is the alternative syntax the manpage offers for IPv6 addresses, and both work. To briefly explain what the other options mean:

    -f    Run ssh in the background, after authentication has finished (so you still get a password or passphrase prompt).
    -N    Don't execute a remote command, just set up the tunnel.
    -p    Connect to the firewall on port 22 (the default, so it could be omitted here).
    -L    Listen on local port 2844 and forward connections to port 22 of webserver.example.com, as seen from the firewall.
You can now connect with ssh, sftp, or scp through the local port (note that scp uses a capital -P for the port):

    $ ssh -p 2844 myusername@localhost
    $ scp -P 2844 file.tar.gz myusername@localhost:file.tar.gz

On the first connection ssh asks you to accept a host key for [localhost]:2844. That key belongs to the webserver's sshd, not the firewall's or your own machine's, so compare its fingerprint with the webserver's before accepting it.
For debugging, don't forget you can specify -v up to three times to get more information about what's going on. In addition, it's probably best to test with telnet (or nc) since this excludes things like authentication problems:

    $ telnet localhost 2844
    Trying ::1...
    Connected to localhost.
    Escape character is '^]'.
    SSH-2.0-OpenSSH_5.1p1 FreeBSD-20080901

If you don't see the last line, something is wrong. That banner is sent by the webserver's sshd, not the firewall's, so seeing it proves the whole path works: the local listener, the ssh session to the firewall, and the firewall's connection to webserver.example.com:22. If the connection is refused, the local listener isn't there (the backgrounded ssh most likely failed; rerun it in the foreground with -v). If telnet connects but the connection is closed without a banner, the firewall could not reach the webserver; ssh reports this on its stderr as "channel N: open failed: connect failed: ...".
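The following is an added example, not code from the original post: a small bash helper that wraps the procedure above, so the tunnel comes up with a control socket (which lets you check and tear it down later instead of hunting for the backgrounded ssh), the listener is bound to 127.0.0.1 explicitly, and the "did I get an SSH banner?" check is done automatically instead of by hand with telnet. The host and user names follow the post; the function names, the DRY_RUN switch and the control-socket location under ~/.ssh are this example's own choices.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): manage and verify an ssh -L
# tunnel. Names of hosts/users mirror the post; everything else is assumed.

# Path of the control socket for one tunnel. Kept under ~/.ssh (mode 0700)
# rather than /tmp, so another local user cannot pre-create or replace it.
ctl_sock() { printf '%s/.ssh/tunnel-%s' "$HOME" "$1"; }

# With DRY_RUN set, print the command instead of running it (for review).
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# tunnel_up USER FIREWALL LPORT RHOST [RPORT]
# -f/-N as in the post; -M -S add a control master so "ssh -O check|exit"
# can manage the background process. The bind address 127.0.0.1 is given
# explicitly, so the forwarded port is never reachable from other hosts
# even if GatewayPorts=yes is set in ssh_config. Uses the ':' separator
# from the manpage; the '/' form in the post is the alternative IPv6 syntax.
tunnel_up() {
    local user="$1" jump="$2" lport="$3" rhost="$4" rport="${5:-22}"
    run ssh -f -N -M -S "$(ctl_sock "$lport")" "$user@$jump" \
        -L "127.0.0.1:$lport:$rhost:$rport"
}

# tunnel_down LPORT: tell the control master to exit, which ends the tunnel.
# ssh insists on a host argument, but only the socket is consulted.
tunnel_down() {
    run ssh -S "$(ctl_sock "$1")" -O exit tunnel
}

# Read one line from stdin and check it is an SSH identification string.
# Empty input means the port was open but nothing answered (or no listener);
# a non-SSH line means something else is listening on that port.
banner_ok() {
    local line
    IFS= read -r line || { echo 'no banner received' >&2; return 1; }
    line=$(printf '%s' "$line" | tr -d '\r')
    case $line in
        SSH-2.0-*|SSH-1.99-*)
            printf 'tunnel OK, remote identifies as: %s\n' "$line" ;;
        *)
            printf 'unexpected banner: %s\n' "$line" >&2; return 1 ;;
    esac
}

# probe_tunnel LPORT: connect to the local end and read the banner.
# Uses bash's /dev/tcp; "nc 127.0.0.1 LPORT | head -n 1" would do the same.
probe_tunnel() {
    { head -n 1 <"/dev/tcp/127.0.0.1/$1"; } 2>/dev/null | banner_ok
}

main() {
    case ${1:-} in
        up)   tunnel_up "$2" "$3" "$4" "$5" "${6:-}" && probe_tunnel "$4" ;;
        down) tunnel_down "$2" ;;
        *)    echo "usage: $0 up USER FIREWALL LPORT RHOST [RPORT] | down LPORT" >&2
              return 2 ;;
    esac
}

# Only dispatch when run with arguments, so the file can also be sourced.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Usage: `./tunnel.sh up username firewall 2844 webserver.example.com` brings the tunnel up and immediately prints the banner line (or a reason why not); `ssh -S ~/.ssh/tunnel-2844 -O check tunnel` tells you whether the master is still alive, and `./tunnel.sh down 2844` closes it. Setting `DRY_RUN=1` prints the exact ssh command lines instead of running them, which is the easiest way to eyeball the -L argument before trusting it.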
Bonus tip ¶
As a free complimentary bonus tip, it's also very easy to set up a convenient shortcut in ~/.ssh/config:

    Host webserver
        Hostname localhost
        Port 2844
        User myusername

After which a plain ssh webserver, sftp webserver or scp file.tar.gz webserver: goes through the tunnel, as long as the ssh -f -N command above is running.
Further reading ¶
Over at the FreeBSD Forums, Freddie pointed out a clever way to accomplish the same thing using netcat and the ProxyCommand option.
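As an added illustration of that approach (this is not Freddie's post or the original article), here is what such a ProxyCommand stanza looks like in ~/.ssh/config; it assumes nc is installed on the firewall and uses the same host and user names as above:

```sshconfig
# Added example: reach the webserver through the firewall with ProxyCommand,
# without keeping a separate "ssh -f -N -L" process around.
Host webserver
    HostName webserver.example.com
    User myusername
    # ssh starts nc on the firewall; %h and %p expand to the HostName and
    # Port of this stanza, so nc connects to webserver.example.com:22 and
    # the ssh session to the webserver is spoken through that pipe.
    ProxyCommand ssh username@firewall nc %h %p
```

With this, ssh webserver opens the tunnel on demand for each connection, and the webserver's host key is recorded in known_hosts under its real name instead of [localhost]:2844. Newer OpenSSH releases (7.3 and later) offer ProxyJump / ssh -J, which does the same thing without needing nc on the intermediate host.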