Local Port Forwarding (-L)

Flag    Meaning
-L      Local port forwarding.
-N      Don’t get a shell in the remote host.
-f      Send ssh to the background. Don’t hang our terminal.

Note: Tunnels created with ‘ssh -N -f -L […]’ will have to be killed to stop them:

_$: sudo pkill -f 'ssh -N -f'

Remote Port Forwarding (-R)

Flag    Meaning
-R      Remote port forwarding.
-N      Don’t get a shell in the remote host.
-f      Send ssh to the background. Don’t hang our terminal.

Note: Tunnels created with ‘ssh -N -f -R […]’ will have to be killed to stop them:

_$: sudo pkill -f 'ssh -N -f'
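
The pkill pattern in the two notes above matches every backgrounded tunnel at once, and with sudo that includes other users' tunnels. The following is an added example, not part of the original page: it gives each tunnel its own control socket (-M / -S) so a single tunnel can be checked and stopped with -O check and -O exit. The function names and SOCK_DIR are assumptions made for this sketch.

```shell
# Added example, not from the original page. Assumed names: SOCK_DIR,
# tunnel_sock, tunnel_check, tunnel_up, tunnel_down.
SOCK_DIR="${SOCK_DIR:-$HOME/.ssh}"   # assumption: a directory only you can write to

# One socket per (destination, forward spec), so every tunnel is addressable.
# Keep names short: Unix socket paths are limited to roughly 100 bytes.
tunnel_sock() {    # tunnel_sock <user@host> <spec>
    printf '%s/tun-%s-%s.sock\n' "$SOCK_DIR" "$1" "$(printf '%s' "$2" | tr ':/' '__')"
}

# tunnel_check <user@host> <spec>: exit status 0 if that tunnel's master is alive.
tunnel_check() {
    ssh -S "$(tunnel_sock "$1" "$2")" -O check "$1" 2>/dev/null
}

# tunnel_up <user@host> <-L|-R> <spec>
tunnel_up() {
    sock=$(tunnel_sock "$1" "$3")
    if tunnel_check "$1" "$3"; then
        echo "already running: $sock" >&2
        return 0
    fi
    rm -f "$sock"    # a socket left behind by a dead master would disable multiplexing
    # -M: become master of socket -S. ExitOnForwardFailure: exit with an error
    # instead of going to the background when the forward cannot be set up.
    ssh -f -N -M -S "$sock" -o ExitOnForwardFailure=yes "$2" "$3" "$1"
}

# tunnel_down <user@host> <spec>: ask only this tunnel's master to exit.
tunnel_down() {
    ssh -S "$(tunnel_sock "$1" "$2")" -O exit "$1"
}

# Usage with the forward from Example 1:
#   tunnel_up   user2@192.168.122.77 -L 22003:10.10.10.3:22
#   tunnel_down user2@192.168.122.77 22003:10.10.10.3:22
```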

Example 1

Connect to a host that is not in your network via said host’s gateway

from:   local machine (192.168.122.1)
to:     10.10.10.3
via:    gateway (192.168.122.77 | 10.10.10.1)
user@local: ssh -L 22003:10.10.10.3:22 user2@192.168.122.77 # connects to gateway
user@local: ssh -p 22003 user2@localhost                    # connects to 10.10.10.3

Example 2

Connect to PostgreSQL in a host in your network

from:   local machine (192.168.1.126)
to:     192.168.1.196
via:    local machine (192.168.1.126 | localhost)
user@local: ssh -L 5555:localhost:5432 root@192.168.1.196

Example 3.1

Connect to a web page at port 8443 in a host in your network

from:   local machine (192.168.1.126)
to:     192.168.1.193
via:    local machine (192.168.1.126 | localhost)
user@local: ssh -L 8000:localhost:8443 root@192.168.1.193

Going to http://127.0.0.1:8000 will take you to http://192.168.1.193:8443.

Example 3.2

Connect to a Grafana web page at port 3000 in a host in your (virtual private) network

from:   local machine (10.200.0.16)
to:     10.200.0.110
via:    local machine (10.200.0.16 | localhost)
user@local: ssh -L 3000:localhost:3000 user@10.200.0.110

Going to http://localhost:3000 will take you to http://10.200.0.110:3000.

Example 4

Connect to a mail administration web page at port 8444 in a host

from:   local machine (localhost)
to:     mail.example.com
user@local: ssh -L 8444:localhost:8444 user@mail.example.com

Going to http://localhost:8444 will take you to http://mail.example.com:8444.

Example 5.1

Access a web page (port 80) through a proxy

If that server hosts multiple web pages, you will need to add an entry to your /etc/hosts file that maps example.com to 127.0.0.1, so that the browser asks for the right site.

Note: Resources external to that web page (e.g. Google Analytics) will not be loaded.

from:   local machine
to:     example.com
via:    proxy (82.223.1.2)
user@local: ssh -L 8080:example.com:80 user@proxy

Going to http://localhost:8080 will take you to http://example.com:80.

Example 5.2

Access a Zabbix web page (port 443) through a proxy

The web page is visible from the proxy: port 443 is open to the proxy server. We will use the VPN to access the proxy.

from:   local machine
to:     zabbix.example.com
via:    proxy (10.200.0.1)
user@local: ssh -L 8080:zabbix.example.com:443 user@10.200.0.1

Going to https://localhost:8080 will take you to https://zabbix.example.com:443.

Example 6.1

Connect to a host that is not in your network via another host that is not in your network either

from:   local machine (192.168.1.126)
to:     devops1 (82.223.1.1)
via:    proxy (82.223.1.2)
user@local: ssh -A -t proxy ssh -A -t devops1

Or:

.ssh/config:
------------
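Host proxy
    # Address of the proxy (the "via" host above)
    HostName 82.223.1.2

Host devops1_tun
    # Address of devops1; %h in ProxyCommand expands to this value
    HostName 82.223.1.1
    ProxyCommand ssh -W %h:%p user@proxy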

Example 6.2

Connect to a host that is not in your network via another host that is not in your network either

from:   local machine (192.168.1.126)
to:     zabbix.example.com (82.223.1.18)
via:    proxy (82.223.1.2)
user@local: ssh-copy-id -i /home/user/.ssh/id_rsa.pub user@proxy
user@local: ssh -o ProxyCommand="ssh -W %h:%p -q user@proxy" -i /home/user/.ssh/id_rsa user@zabbix.example.com

If we don’t copy the public key, it will ask for the password for user@proxy and for user@zabbix.example.com.

If we copy the public key, it will only ask for the password for user@zabbix.example.com.

Example 7

Copy a file to a host that is not in your network via localhost from another host that is not in your network either.

You must be able to log in to the host from localhost.

You must be able to log in to the host from .

from:   remote_1 (82.223.1.81)
to:     remote_2 (82.223.1.82)
via:    local machine (192.168.1.16)
#                          <remote_1>                             <remote_2>
user@local: ssh -A -t user@82.223.1.81 scp /tmp/database.sql user@82.223.1.82:/tmp