• lamnguyenx 10 months ago

    It's 2024! Please avoid writing SSH commands like that.

    Instead, configure your ~/.ssh/config with LocalForward, RemoteForward, and ProxyJump. This can save you a significant amount of time, especially when using ssh, scp, or rsync to transfer data from a remote server that requires multiple intermediate SSH connections.

    e.g.:

        Host jump-host-1
            HostName jump1.example.com
            User your_username
            IdentityFile ~/.ssh/id_rsa

        Host jump-host-2
            HostName jump2.example.com
            User your_username
            IdentityFile ~/.ssh/id_rsa
            ProxyJump jump-host-1

        Host jump-host-3
            HostName jump3.example.com
            User your_username
            IdentityFile ~/.ssh/id_rsa
            ProxyJump jump-host-2

        Host target-server
            HostName target.example.com
            User your_username
            IdentityFile ~/.ssh/id_rsa
            ProxyJump jump-host-3
            LocalForward 0.0.0.0:8080 0.0.0.0:80
            RemoteForward 0.0.0.0:9022 0.0.0.0:22

        # after this:
        # - you can ssh/scp/rsync to your target-server via an alias
        # - forward traffic FROM port 80 on your target-server to port 8080 on your local machine
        # - forward ssh requests TO port 9022 on your target-server to port 22 on your local machine
        # - remember, for LocalForward & RemoteForward:
        #   + LocalForward: left is the listen address on your local machine, right is the destination as seen from target-server
        #   + RemoteForward: left is the listen address on target-server, right is the destination as seen from your local machine
        #   + use 0.0.0.0 instead of localhost or 127.0.0.1
        #     (note: as a listen address, 0.0.0.0 binds on all interfaces, so other hosts can reach the forwarded port;
        #     for RemoteForward the sshd on target-server also needs GatewayPorts yes for that bind to take effect)
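As an added example (not part of the comment above or of anything in the thread), here is a small POSIX shell script that reads an ssh_config like the one above, follows the ProxyJump chain for a Host alias, and flags LocalForward/RemoteForward entries whose listen address is 0.0.0.0, * or :: (the forms that bind on every interface and are therefore reachable from other machines). The sample config is constructed for this example, the function names are mine, and it assumes each ProxyJump names a single alias from the same file (not user@host:port or a comma-separated list) and that keywords are spelled as in the example.

```shell
#!/bin/sh
# Added example: inspect an ssh_config file for ProxyJump chains and
# port forwards that listen on all interfaces. Not from the thread.

# Constructed sample config (not the commenter's file), modelled on the thread.
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
Host jump-host-1
    HostName jump1.example.com
    User your_username

Host jump-host-2
    HostName jump2.example.com
    ProxyJump jump-host-1

Host target-server
    HostName target.example.com
    ProxyJump jump-host-2
    LocalForward 0.0.0.0:8080 localhost:80
    RemoteForward 127.0.0.1:9022 localhost:22
EOF

# config_value FILE HOST KEYWORD: print the first value of KEYWORD inside
# the "Host HOST" block (empty output if the block or keyword is absent).
config_value() {
    awk -v host="$2" -v key="$3" '
        $1 == "Host" { inblock = ($2 == host); next }
        inblock && $1 == key { print $2; exit }
    ' "$1"
}

# jump_chain FILE HOST: follow ProxyJump links outward and print the path
# the connection takes, e.g. "jump-host-1 -> jump-host-2 -> target-server".
# Assumes each ProxyJump value is a single alias defined in the same file.
jump_chain() {
    chain=$2
    current=$2
    hops=0
    while next=$(config_value "$1" "$current" ProxyJump) && [ -n "$next" ]; do
        hops=$((hops + 1))
        # Guard against a config that jumps in a circle.
        [ "$hops" -gt 16 ] && { echo "error: ProxyJump loop at $current" >&2; return 1; }
        chain="$next -> $chain"
        current=$next
    done
    echo "$chain"
}

# exposed_forwards FILE HOST: print each LocalForward/RemoteForward in the
# block whose listen side is 0.0.0.0, *, :: or [::], i.e. bound on all
# interfaces rather than loopback. (Port-only forms default to loopback
# unless GatewayPorts is enabled, so they are not flagged here.)
exposed_forwards() {
    awk -v host="$2" '
        $1 == "Host" { inblock = ($2 == host); next }
        inblock && ($1 == "LocalForward" || $1 == "RemoteForward") {
            listen = $2
            if (listen ~ /^(0\.0\.0\.0|\*|::|\[::\]):/) print $1, listen
        }
    ' "$1"
}

# Usage on the constructed sample:
echo "chain: $(jump_chain "$SAMPLE_CONFIG" target-server)"
echo "listening on all interfaces:"
exposed_forwards "$SAMPLE_CONFIG" target-server
```

For the real thing, `ssh -G target-server` prints the configuration OpenSSH actually resolves for an alias (after all Host/Match blocks are applied), which is the quickest way to confirm what a ProxyJump chain and its forwards will do before connecting.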
    • _dan 10 months ago

      SSH tunnelling is an utter necessity in the ridiculous corporate environment I work in. Incredible amounts of bureaucracy and sometimes weeks of waiting to get access to stuff, get ports opened, get some exception in their firewalls and vpn so someone can access a thing they need to do their job.

      This guide mentions -D but doesn't really articulate quite how powerful it is if you don't know what it does.

      ssh -D 8888 someserver, set your browser's SOCKS proxy to localhost:8888 (Firefox still lets you set this without altering system defaults). Now all your browser's traffic is routed via someserver.

      I find that to be incredibly useful.

      • theideaofcoffee 10 months ago

        The filthiest SSH tunneling hack that I've ever done was at 3AM while in a three-way... datacenter connection. The interesting part of that, while the three facilities, spaced out over a single metro area had upstream transit connectivity to the rest of the net, only two pairs were able to reach the other due to some odd routing policies that weren't able to be resolved in time.

        That meant that A could connect to B, and only B could connect to C. The data I had to move from facility A to facility C via B in the most ridiculous rsync+ssh tunnel+keys+routing shenanigan mashup I've ever done. It took a few tries to get the incantation exactly right, but it was magical seeing it all move as one.

        Looking back it is super obvious how I'd do it now, but back then, being green, it was a huge accomplishment. I still remember the exhilaration when I confirmed everything was synced up.

        • 1970-01-01 10 months ago

          I love the extra detail in the visualizations. My wish is for networking to have much more visual representation of traffic, especially at lower level connections.

          • perakojotgenije 10 months ago

            Shameless plug:

            What to do when you want to ssh to your linux server or IoT device but they are behind the firewall and without a static IP? You can use a tunneling service like https://sshreach.me.

            • yownie 10 months ago

              I've used tunneling quite a lot over the years but never knew about -J option.

              What I'd really like is just some visual tool to configure my tunnels instead of spending 30 minutes very few months when I need to use a tunnel.

              • apitman 10 months ago

                > TCP-over-TCP

                > It lowers the throughput due to more overhead and increases the latency. On connections with packet loss or high latencies (e.x. satellite) it can cause a TCP meltdown.

                This actually isn't a problem with SSH tunnels unless you're using TAP/TUN, because it unpacks and forwards the TCP streams. But you can still get reduced performance with multiple channels due to head-of-line blocking.

                • jwrallie 10 months ago

                  I learned how to use ssh tunnels when wanting to bypass a firewall in my university network around 15 years ago, had to change the default port to 443.

                  Been using it ever since for so much more than just bypassing firewalls.

                  • lidder86 10 months ago

                    sshuttle go have a read much nicer for tunnelling... sshuttle -r user@host 10.0.0.0/8

                    Anything on 10/8 is automatically tunnelled; it's pretty much a VPN over SSH.

                    • haolez 10 months ago

                      Kind of related, but I was wondering if there is some kind of redirect functionality in SSH itself. Something like:

                      - A wants to SSH into B

                      - B tells A that it must connect to C instead

                      - A transparently connects to C directly

                      - B is not a part of the critical data path anymore

                      Does something like this exist?

                      • zaptheimpaler 10 months ago

                        I've found VS Code can set up port forwarding tunnels if you remote into a host, and it's been very useful. It's graphical, no command line incantations to remember, and I usually have it running anyways.

                        • asicsp 10 months ago

                          See also:

                          A Visual Guide to SSH Tunnels: Local and Remote Port Forwarding https://iximiuz.com/en/posts/ssh-tunnels/

                          • elwebmaster 10 months ago

                            Bookmarked, thank you.

                              • apitman 10 months ago

                                SSH tunnels are an excellent tool, but nowadays you often want TLS and reverse proxy functionality built in. I maintain a list of such tools here: https://github.com/anderspitman/awesome-tunneling