Using SSH for Port Forwarding

1. Local Forwarding Part 1

What:
  • Forward a port on your localhost (i.e., SSH client) to a port on a remote host through an SSH server.
  ssh -L port:host:hostport user@sshserver
      # 
      # -- "port" refers to the (local) port on the (local) SSH client.
      # -- "host" and "hostport" refer to the remote host.
      #
Examples:
  • Set up a tunnel through a gateway machine, e.g., from outside a business/campus into business/campus machines.
  • Connecting directly to an HPC cluster compute node.
  • Secure proxying, e.g., use a remote Web proxy to work around local blocks.
  • Securing VNC.

1.1. Notes

1.2. Example: Tunnelling Through a Gateway Machine

Set up a tunnel from outside a business/campus, through a gateway machine, into your business/campus office desktop machine:

  ssh -L 2222:officedesktop.machine.net:22  myuserid@my.gateway.net  [cat -]
  myuserid@my.gateway.net's password:
      #
      # ...forwards port 2222 on local machine to port 22 on officedesktop.machine.net
      #    through my.gateway.net...
      #
      # ...the optional "cat -", or any other non-terminating command, is simply 
      #    to keep the connection open --- omitting this opens a commandline 
      #    shell, which requires a controlling terminal...
      #
then
  outside> ssh -p 2222 localhost 
  simonh@localhost's password: 
      # ...this is confusing --- actually officedesktop's password...
  officedesktop>

1.3. Example: Connecting Directly to an HPC Cluster Compute Node

Suppose you want to connect from your desktop machine directly to a process which is listening on a compute node:

  ssh -L 2222:node043:4567  myuserid@hpc.cluster.org  [cat -]
  myuserid@hpc.cluster.org's password:
      #
      # ...forwards port 2222 on local machine to port 4567 on node043 
      #    through the login node (hpc.cluster.org)...
      #
      # ...the optional "cat -", or any other non-terminating command, is simply 
      #    to keep the connection open --- omitting this opens a commandline 
      #    shell, which requires a controlling terminal...
      #
then
  outside> ssh -p 2222 localhost 
  simonh@localhost's password: 
      # ...this is confusing --- actually node043's password...
  node043>

1.4. Example: Secure Proxying

Suppose you work at a company which has blocked Web access to Facebook in an attempt to ensure that the "social" networking site is not used by those who should be working. Simply select an SSH gateway and a Web proxy outside of The Company and all is well:

  ssh -L 3128:proxy.net:3128 username@ssh.gateway.net
  username@ssh.gateway.net's password:
then point your browser at proxy localhost:3128 to access Facebook.

1.5. Example: Tunnelling VNC

Assume the SSH server and VNC server are the same host:

  local> ssh -C -L 5901:localhost:5902 -N -f simonh@man2e.nw-grid.ac.uk
any references to display :1 on your local machine would actually connect to display :2 on man2e.nw-grid.ac.uk.



2. Local Forwarding Part 2

  ssh -L bind_address:port:host:hostport user@hostname 

  ssh -g -L :port:host:hostport user@hostname 
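
The two forms above differ from Part 1 in where the forwarded port listens: a bind_address selects the interface, and an empty bind_address, "*" or -g makes the port reachable from other hosts. As an added example (not part of the original page), the shell function below, under the hypothetical name audit_forward, reports the listening scope and the tunnel target for a given -L spec. It assumes hostname or IPv4 fields and the client default of GatewayPorts no.

```shell
#!/bin/sh
# Added example: audit an "ssh -L" spec. Not code from the original page.
# Assumptions: fields are hostnames or IPv4 (no bracketed IPv6), and the
# client's GatewayPorts option is at its default of "no".

# audit_forward SPEC [g]
#   SPEC is [bind_address:]port:host:hostport; pass "g" if -g was given.
#   Prints "scope=<listener scope> port=<local port> target=<host:hostport>".
audit_forward() {
    af_spec=$1
    af_g=${2:-}
    # Two colons: no bind_address field. Three: the first field is bind_address.
    af_colons=$(printf '%s' "$af_spec" | tr -cd ':' | wc -c | tr -d ' ')
    case $af_colons in
        2) af_has_bind=no;  af_bind='';             af_rest=$af_spec ;;
        3) af_has_bind=yes; af_bind=${af_spec%%:*}; af_rest=${af_spec#*:} ;;
        *) echo "invalid"; return 1 ;;
    esac
    af_port=${af_rest%%:*}
    af_target=${af_rest#*:}

    if [ "$af_has_bind" = no ]; then
        # Without a bind_address, -g is what opens the port to other hosts.
        if [ "$af_g" = g ]; then af_scope=all-interfaces; else af_scope=loopback; fi
    else
        case $af_bind in
            ''|'*'|0.0.0.0)  af_scope=all-interfaces ;;  # empty or * = every interface
            localhost|127.*) af_scope=loopback ;;        # local use only, even with -g
            *)               af_scope="address:$af_bind" ;;
        esac
    fi
    echo "scope=$af_scope port=$af_port target=$af_target"
}

# Specs built from the commands on this page. The third applies the Part 2
# "-g -L :port:host:hostport" form to the proxy example; the last uses a
# constructed bind_address (192.0.2.10 is a documentation address).
audit_forward 2222:officedesktop.machine.net:22
audit_forward 2222:node043:4567
audit_forward :3128:proxy.net:3128 g
audit_forward 192.0.2.10:5901:localhost:5902
```

A scope of all-interfaces means any host that can reach that port on the client machine can use the tunnel, so check forwards for it before leaving them running.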



3. Enabling SSH Access to a Host Behind a NATting Firewall

  nattedhost> ssh -R 19999:localhost:22 sourceuser@my.publicinternet.server.org
      #
      # ... ...
      #
then
  publichost> ssh -p 19999 localhost
      #
      # ...
      #