• lamnguyenx 6 minutes ago

    It's 2024. Please avoid writing ssh commands like that.

    Try writing `~/.ssh/config` with `LocalForward`, `RemoteForward` and `ProxyJump`. It saves you TONS of time! Especially if you have to jump between multiple servers.
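
An added example (not part of lamnguyenx's comment or of the linked article): a `~/.ssh/config` sketch using the three directives named above. The host aliases, host names, user, addresses and ports are placeholders chosen for illustration.

```sshconfig
# All host names, addresses, users and ports below are placeholders.

# Jump host reachable directly from the workstation.
Host bastion
    HostName bastion.example.com
    User alice

# Internal host reached through the jump host; equivalent to `ssh -J bastion ...`.
Host db-internal
    HostName 10.0.0.5
    User alice
    ProxyJump bastion
    # Workstation 127.0.0.1:5432 -> port 5432 on db-internal itself.
    # Binding to 127.0.0.1 keeps the forwarded port off the local network.
    LocalForward 127.0.0.1:5432 127.0.0.1:5432
    # Fail the connection instead of continuing without the forward.
    ExitOnForwardFailure yes

# Reverse direction: port 9000 on devbox's loopback -> workstation port 3000.
Host devbox
    HostName devbox.example.com
    User alice
    RemoteForward 127.0.0.1:9000 127.0.0.1:3000
    ExitOnForwardFailure yes
```

With this in place, `ssh db-internal` sets up the jump and the forward in one command, and `ssh -N db-internal` opens only the forward without a remote shell.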

    • _dan 40 minutes ago

      SSH tunnelling is an utter necessity in the ridiculous corporate environment I work in. Incredible amounts of bureaucracy and sometimes weeks of waiting to get access to stuff, get ports opened, get some exception in their firewalls and vpn so someone can access a thing they need to do their job.

      This guide mentions -D but doesn't really articulate quite how powerful it is if you don't know what it does.

      `ssh -D 8888 someserver`, set your browser's SOCKS proxy to localhost:8888 (Firefox still lets you set this without altering system defaults). Now all your browser's traffic is routed via someserver.

      I find that to be incredibly useful.

      • hackit2 30 minutes ago

        It isn't a good idea to circumvent corporate environment networks. They're there for a reason, and doing it shows a lack of professionalism and disrespect for the organization's process, procedures, and security. Yes, it takes weeks/months to get access, then it takes weeks/months to get access. You don't want to be held liable for opening a backdoor to confidential information, or compromising their security.

        • FroshKiller 23 minutes ago

          Can you cite any examples of damage resulting from personal browsing over an SSH tunnel that the worker was held liable for?

      • 1970-01-01 an hour ago

        I love the extra detail in the visualizations. My wish is for networking to have much more visual representation of traffic, especially at lower level connections.

        • 0nate an hour ago

          Hi. Check out the diagrams here: https://www.nathanhandy.blog/articles/osi-model-revisited.ht... Obviously this is only a static conceptual representation. Most network vendors will have some form of visual representation of traffic, but it's typically only discrete metrics / graphs.

          • 1970-01-01 17 minutes ago

            That is a fantastic example. I will definitely try your HandyDash as well. We should have had the ability to see this detailed traffic breakdown 20 years ago.

        • zaptheimpaler 2 hours ago

          I've found VS Code can set up port forwarding tunnels if you remote into a host and it's been very useful. It's graphical, no command line incantations to remember and I usually have it running anyways.

          • haolez 2 hours ago

            Kind of related, but I was wondering if there is some kind of redirect functionality in SSH itself. Something like:

            - A wants to SSH into B

            - B tells A that it must connect to C instead

            - A transparently connects to C directly

            - B is not a part of the critical data path anymore

            Does something like this exist?

            • lytedev an hour ago

              B could port forward (as in route packets?) to C, but I don't think there are any HTTP Permanent Redirect equivalents, no.

              Maybe you can explain the problem more and perhaps there's a more suitable solution?

              If you have a host that's somewhat embedded, you can have DNS handle the "routing" for you. You will have to handle fingerprint verification.

              • shmerl an hour ago

                It would be misleading if A doesn't know that the real target is C.

                Otherwise you can use jump functionality.

                From A:

                    ssh -J B C
                
                If B doesn't need to be part of the path, just connect to C directly if it's doable. If it's not, then B will have to be a hop either way.

                • bongodongobob an hour ago

                  I think you could do that with a virtual IP. For some reason my firewall/router doesn't communicate DHCP option 67 correctly, it sends its own address no matter what I do so I had to set up a virtual IP/rule to route all PXE boot traffic on whatever port that is going to the router's IP, over to the real PXE boot server instead.

                • jwrallie 2 hours ago

                  I learned how to use ssh tunnels when wanting to bypass a firewall in my university network around 15 years ago, had to change the default port to 443.

                  Been using it ever since for so much more than just bypassing firewalls.

                  • metadat 2 hours ago

                    What purpose have you enjoyed it for beyond bypassing firewalls and exposing local services across a network?

                    • jwrallie 35 minutes ago

                      In essence it is what you mentioned, these are a few practical uses:

                      - Streaming region-locked content from overseas.

                      - Permanent reverse-tunnel for remote-access with autossh.

                      - Increased security compared to making services visible to the internet.

                      - Downloading scientific articles using my university's connection as a proxy.

                      • lytedev an hour ago

                        I use it for proxying general internet traffic (such as from your web browser) using the SOCKS5 proxy described in the article. Combined with FoxyProxy or similar it's nice if you want certain traffic (such as to a certain domain which only allows certain IP blocks) to flow from a certain host based on things like the domain.

                    • elwebmaster 2 hours ago

                      Bookmarked, thank you.