It's 2024. Please avoid writing ssh commands like that.
Try writing `~/.ssh/config` with `LocalForward`, `RemoteForward` and `ProxyJump`. It saves you TONS of time! Especially if you have to jump between multiple servers.
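The kind of `~/.ssh/config` the comment above recommends, as an added example that is not part of the original thread. Every host name, the user name, the key path and the ports are placeholders; the forwards bind to loopback so that other machines on the network cannot use them.

```sshconfig
# Constructed example: all host names, the user name and the ports are placeholders.

# Bastion host, reached directly.
Host bastion
    HostName bastion.example.com
    User alice
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes

# Internal host reached through the bastion,
# equivalent to: ssh -J bastion alice@app.internal.example
Host app
    HostName app.internal.example
    User alice
    ProxyJump bastion
    # Same as -L: local port 5432 -> port 5432 on the app host's loopback.
    LocalForward 127.0.0.1:5432 127.0.0.1:5432
    # Same as -R: port 9000 on the app host's loopback -> local port 3000.
    RemoteForward 127.0.0.1:9000 127.0.0.1:3000
    # Abort instead of opening a session when a forward cannot be set up.
    ExitOnForwardFailure yes
    ServerAliveInterval 30

# Same as -D 8888: SOCKS proxy on local loopback, exiting at the bastion.
Host socks
    HostName bastion.example.com
    User alice
    DynamicForward 127.0.0.1:8888
    ExitOnForwardFailure yes
```

With this in place, `ssh app` replaces the long command line, and `ssh -N socks` opens only the proxy without a remote shell.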
SSH tunnelling is an utter necessity in the ridiculous corporate environment I work in. Incredible amounts of bureaucracy and sometimes weeks of waiting to get access to stuff, get ports opened, get some exception in their firewalls and vpn so someone can access a thing they need to do their job.
This guide mentions -D but doesn't really articulate quite how powerful it is if you don't know what it does.
`ssh -D 8888 someserver`, set your browser's SOCKS proxy to localhost:8888 (Firefox still lets you set this without altering system defaults). Now all your browser's traffic is routed via someserver.
I find that to be incredibly useful.
It isn't a good idea to circumvent corporate environment networks. They're there for a reason, and doing it shows a lack of professionalism and disrespect for the organization process, procedures, and security. Yes it takes weeks/months to get access, then it takes weeks/months to get access. You don't want to be held liable for opening a backdoor to confidential information, or compromising their security.
Can you cite any examples of damage resulting from personal browsing over an SSH tunnel that the worker was held liable for?
I love the extra detail in the visualizations. My wish is for networking to have much more visual representation of traffic, especially at lower level connections.
Hi.. Check out the diagrams here: https://www.nathanhandy.blog/articles/osi-model-revisited.ht... .. obviously this is only a static conceptual representation. Most network vendors will have some form of visual representation of traffic, but it's typically only discrete metrics / graphs.
That is a fantastic example. I will definitely try your HandyDash as well. We should have had the ability to see this detailed traffic breakdown 20 years ago.
I've found VS Code can set up port forwarding tunnels if you remote into a host and it's been very useful. It's graphical, no command line incantations to remember and I usually have it running anyways.
Kind of related, but I was wondering if there is some kind of redirect functionality in SSH itself. Something like:
- A wants to SSH into B
- B tells A that it must connect to C instead
- A transparently connects to C directly
- B is not a part of the critical data path anymore
Does something like this exist?
B could port forward (as in route packets?) to C, but I don't think there are any HTTP Permanent Redirect equivalents, no.
Maybe you can explain the problem more and perhaps there's a more suitable solution?
If you have a host that's somewhat embedded, you can have DNS handle the "routing" for you. You will have to handle fingerprint verification.
It would be misleading if A doesn't know that the real target is C.
Otherwise you can use jump functionality
From A:
`ssh -J B C`
If B doesn't need to be part of the path, just connect to C directly if it's doable. If it's not, then B will have to be a hop either way.
I think you could do that with a virtual IP. For some reason my firewall/router doesn't communicate DHCP option 67 correctly, it sends its own address no matter what I do so I had to set up a virtual IP/rule to route all PXE boot traffic on whatever port that is going to the router's IP, over to the real PXE boot server instead.
I learned how to use ssh tunnels when wanting to bypass a firewall in my university network around 15 years ago, had to change the default port to 443.
Been using it ever since for so much more than just bypassing firewalls.
What purpose have you enjoyed it for beyond bypassing firewalls and exposing local services across a network?
In essence it is what you mentioned, these are a few practical uses:
- Streaming region locked content from overseas.
- Permanent reverse-tunnel for remote-access with autossh.
- Increased security compared to making services visible to the internet.
- Downloading scientific articles using my university's connection as a proxy.
I use it for proxying general internet traffic (such as from your web browser) using the SOCKS5 proxy described in the article. Combined with FoxyProxy or similar it's nice if you want certain traffic (such as to a certain domain which only allows certain IP blocks) to flow from a certain host based on things like the domain.
Bookmarked, thank you.