SSH – Understanding SSH Tunneling and Port Forwarding

Tags: ssh, ssh-tunnel

I ask you to help me establish tunnels to meet the following needs:

There is a server LocalTest, on which I am root, so I can do anything (Debian SSH). This server is allowed to access (IP filtering is present on the other party) port 443 on a server which we can call WebserviceServer. I want to enable a person who cannot open SSH to LocalTest to reach WebserviceServer:443. So I need to open a server port on LocalTest (for example 10000) and forward all content to WebserviceServer:443. This is the first task.

The second task is that on a specific port LocalTest is listening as a web service server (8099). I need to forward it from time to time to the port of different workstations for testing reasons. So all traffic and connections coming to LocalTest:8099 need to be forwarded to somestation (call it John):someport (5000).

Could you help me with the ssh commands I need to issue on Localtest to meet the needs?

Best Answer

Both of your problems don't sound to me like ssh tunnelling would be the best solution.

But still, here are some of the ideas I came up with to achieve these goals:

Problem 1: using LocalTest as a reverse proxy for WebserviceServer

localtest:~ $ ssh -L *:10000:webserviceserver:443 localhost

make sure you allow "GatewayPorts" and "AllowTcpForwarding" in /etc/ssh/sshd_config on LocalTest and sshd is restarted.

Explanation

This opens up a connection from LocalTest to itself and at the same time creates a tunnel listening on port 10000 on all interfaces of LocalTest, redirecting traffic to webserviceserver port 443.

Problem 2: redirecting traffic to test workstations

With ssh this is actually the same as Problem 1:

localtest:~ $ ssh -L *:8099:somestation1:5000 localhost

If you want to connect to another test workstation, simply quit the first connection and use something like

localtest:~ $ ssh -L *:8099:somestation2:5002 localhost

Explanation

As it is basically the same solution as with Problem 1, it also has the same explanation (just different hosts and ports :-) ).

some thoughts

Keep in mind that both of the previous solutions open up the target systems (webserviceserver, somestationX) to anyone with access to LocalTest.

And as I mentioned in the beginning I don't think ssh is the right tool to do this for a few reasons. Some of them being:

  • with ssh you can only tunnel tcp traffic easily
  • ssh is rarely the best solution for permanent tunnels
  • Problem 1 sounds more like a case for a reverse proxy to me (or iptables as mentioned by others)
  • Problem 2 definitely sounds like a case for iptables to me

I'd personally set up a simple script for the second problem which allows you to reset the iptables rules for each test system you want to use, something like

localtest:~ # reset_target somestation

Such a script would have to delete an old redirect (to another test workstation) in iptables and then set up the new one. I'm not quite fluent with the iptables syntax at the moment, so I can't provide such a script right away, but I'm sure somebody here could help you out with something like that if needed.
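The following shell script is an added example written for this page; it is not the answerer's code and not part of the original post. It wraps the three pieces the answer discusses: building the `ssh -L` command for a listening port on LocalTest (with an optional bind address, since the answer's `*` exposes the tunnel to everyone who can reach LocalTest), checking the sshd_config settings the answer mentions, and a `reset_target`-style iptables script that drops the previous workstation's redirect before installing the new one. Assumptions: the chain names `LOCALTEST_REDIR` and `LOCALTEST_SNAT`, the `-N` and `ExitOnForwardFailure=yes` ssh options, the use of a dedicated chain per hook so the old rule can be flushed without parsing rule text, and that only the global section of sshd_config (before any `Match` block) is read. Host names are the question's placeholders. One detail worth knowing when reading the answer: for a client-side `-L` forward the setting sshd enforces is `AllowTcpForwarding`; `GatewayPorts` in sshd_config governs `-R` forwards, and the explicit `*:` bind address in the `-L` option already asks the ssh client for all interfaces.

```shell
#!/bin/sh
# Added example (not the answerer's script). Helper functions for the two
# ssh -L tunnels, a sshd_config check, and an iptables "reset_target".

# tunnel_cmd LISTEN_PORT TARGET_HOST TARGET_PORT [BIND_ADDR]
# Prints the ssh command for a port on LocalTest forwarding to the target.
# BIND_ADDR defaults to '*' as in the answer; pass a specific address such
# as 127.0.0.1 or one LAN IP to limit who can reach the tunnel.
tunnel_cmd() {
    listen_port=$1; target_host=$2; target_port=$3; bind_addr=${4:-*}
    # -N: no remote shell; ExitOnForwardFailure: die instead of silently
    # running without the forward when the port is already taken.
    printf 'ssh -N -o ExitOnForwardFailure=yes -L %s:%s:%s:%s localhost\n' \
        "$bind_addr" "$listen_port" "$target_host" "$target_port"
}

# sshd_effective FILE KEYWORD DEFAULT
# sshd uses the FIRST occurrence of a keyword; later duplicates are ignored.
# Only the global section is read (everything before the first Match block).
sshd_effective() {
    file=$1; key=$2; default=$3
    val=$(awk -v k="$key" '
        /^[[:space:]]*#/            { next }
        /^[[:space:]]*[Mm][Aa][Tt][Cc][Hh][[:space:]]/ { exit }
        tolower($1) == tolower(k)   { print $2; exit }' "$file")
    printf '%s\n' "${val:-$default}"
}

# check_sshd_config FILE: exit 0 when local forwarding (-L) is permitted.
# AllowTcpForwarding defaults to yes; "local" and "all" also allow -L.
# GatewayPorts (default no) is only reported; it matters for -R forwards.
check_sshd_config() {
    file=$1
    fwd=$(sshd_effective "$file" AllowTcpForwarding yes)
    gw=$(sshd_effective "$file" GatewayPorts no)
    echo "GatewayPorts=$gw AllowTcpForwarding=$fwd" >&2
    case "$fwd" in
        yes|local|all) return 0 ;;
        *) echo "AllowTcpForwarding is '$fwd': -L forwards will be refused" >&2; return 1 ;;
    esac
}

# reset_target HOST PORT: redirect LocalTest:$LISTEN_PORT to HOST:PORT,
# replacing any earlier redirect. Needs net.ipv4.ip_forward=1 for DNAT.
# IPTABLES can be pointed at a wrapper for dry runs or tests.
LISTEN_PORT=${LISTEN_PORT:-8099}
IPTABLES=${IPTABLES:-iptables}
reset_target() {
    host=$1; port=$2
    # Create our chains once and hook them in once (-C checks for the hook).
    $IPTABLES -t nat -N LOCALTEST_REDIR 2>/dev/null || true
    $IPTABLES -t nat -N LOCALTEST_SNAT 2>/dev/null || true
    $IPTABLES -t nat -C PREROUTING -p tcp --dport "$LISTEN_PORT" -j LOCALTEST_REDIR 2>/dev/null \
        || $IPTABLES -t nat -A PREROUTING -p tcp --dport "$LISTEN_PORT" -j LOCALTEST_REDIR
    $IPTABLES -t nat -C POSTROUTING -j LOCALTEST_SNAT 2>/dev/null \
        || $IPTABLES -t nat -A POSTROUTING -j LOCALTEST_SNAT
    # Flushing our own chains is the "delete the old redirect" step.
    $IPTABLES -t nat -F LOCALTEST_REDIR
    $IPTABLES -t nat -F LOCALTEST_SNAT
    # New redirect, plus masquerading so replies return via LocalTest even
    # when the workstation has no route back to the client. Note this hides
    # the client's real address from the workstation.
    $IPTABLES -t nat -A LOCALTEST_REDIR -p tcp --dport "$LISTEN_PORT" \
        -j DNAT --to-destination "$host:$port"
    $IPTABLES -t nat -A LOCALTEST_SNAT -p tcp -d "$host" --dport "$port" -j MASQUERADE
}

# Command-line entry points; with no arguments the script only defines functions.
case "${1:-}" in
    tunnel) tunnel_cmd "$2" "$3" "$4" "${5:-*}" ;;
    check)  check_sshd_config "${2:-/etc/ssh/sshd_config}" ;;
    reset)  reset_target "$2" "$3" ;;
esac
```

Usage on LocalTest would be `sh tunnels.sh tunnel 10000 webserviceserver 443` to print the Problem 1 command, `sh tunnels.sh check` before starting it, and `sh tunnels.sh reset somestation2 5002` (as root) to move the 8099 redirect to the next workstation. PREROUTING DNAT only affects traffic arriving from other hosts; connections made on LocalTest itself would need a matching rule in the nat OUTPUT chain.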
