D A V I D M A D D I S O N
Using an SSH Tunnel

Introduction

Most companies use a secure VPN to gain remote access to the internal network, and for the most part this all works fine. The problem comes when you need to use a Linux machine to access the internal network, and there's no Linux VPN client avaliable

With this in mind, I present here a way to use SSH in order to create a 'Reverse Tunnel' from inside the network to a machine outside the network.

In these code examples <INTERNAL> refers to a server inside the protected network, and <EXTERNAL> refers to a server outside the network.

The SSH Command

From the <INTERNAL> server, you use the following command, which connects to the <EXTERNAL> server.

         ssh -fN -l [user] -R 1234:localhost:22 -p [<EXTERNAL>port] [<EXTERNAL>Address]

Once SSH has connected and authenticated to the <EXTERNAL> server it sets up a proxy on that machine. In this case it sets up a proxy to channel all traffic from port 1234 on the <EXTERNAL> server to port 22 on the <INTERNAL> server.

Logging In

Once the proxy as been set up, all I have to do on the <EXTERNAL> server is use the command:

        ssh -p 1234 localhost

This will, in effect, connect me to port 22 on the <INTERNAL> server, which of course is the SSH daemon port. At this point you'll be challenged with the usual Username/Password, and then logged onto the server as if you'd connected directly

Accessing Other Internal Servers

Of course just connecting to the SSH port is very useful, but there are other uses for this technique, such as accessing internal WebServers.

In order to access other servers you simply setup the proxy to channel traffic from an external port through the <INTERNAL> server and out to another internal server.

For example, the following command will set up a proxy on the <EXTERNAL> server to channel traffic from port 8080 through the <INTERNAL> server to port 80 of an internal WebServer:

	ssh -fN -l [user] -R 8080:<INTERNAL_WEBSERVER_ADDRESS>:80 -p [<EXTERNAL>port] [<EXTERNAL>Address]

On the <EXTERNAL> server the URL http://localhost:8080/ would display the website from <INTERNAL_WEBSERVER_ADDRESS>:80.

When using this method, sometimes the web page links will contain the webservers hostname which of course the <EXTERNAL> server won't be able to resolve. In order to get around this you can modify your /etc/hosts file to map the servers hostname to localhost
Comments:

Post a comment:
Name: *
email: *
url:
Comment
 
 
- BEA Weblogic Workshop
- ColdFusion
- Flex
- Other Stuff
 
- BEA Workshop
- FREE Workshop Licenses

- Macromedia Flex
- Macromedia ColdFusion

- UK CFUG Blog Aggregator