[arch-general] SSH Tunnel doubts

C Anthony Risinger anthony at xtfx.me
Tue Jul 19 11:53:12 EDT 2011


On Mon, Jul 18, 2011 at 3:03 PM, David J. Haines <dhaines at gmail.com> wrote:
>
> ....
> ssh -L X:host1:Y host2 means open a connection to host2, including shell,
> and forward anything sent to localhost on port X to host1 on port Y. Host1
> and host2 can be the same machine.

... and to briefly expand, it's good to note the behavior when
host1/host2 are not the same machine.  for example, i use something
like the following to access the webpanel of a backup server (only
available on a remote private subnet):

ssh -CNAfc arcfour -L localhost:1180:10.20.0.75:80 anthonyr at bridge03

... this says:

) connect to bridge03
) set up a "relay" of sorts (no port is allocated)
) when i connect to port 1180 on my workstation ...
) ... bridge03 relays the connection to 10.20.0.75, port 80

... so in effect i am only rebounding off the machine i connected to,
using it only as a way to get access to the private subnet.

also, note that the "host" and "hostport" are from the REMOTE's
perspective ... not your own!!  this is a great source of confusion at
first.  example ... i use the following whenever my fiancée has CUPS
issues (a lot ...) to connect to her when i'm at work (this is also
over a layer2 openvpn but that doesn't matter):

ssh -CNAfc arcfour -L localhost:1631:localhost:631 emily at 10.10.210.10

... which says:

) connect to 10.10.210.10
) when i connect to port 1631 on my workstation ...
) ... 10.10.210.10 relays the connection to LOCALHOST port 631

... NOTE how both "bind_address" AND "host" are localhost ... because
they are from the perspective of EACH endpoint, not just yours.

other examples i use regularly (near verbatim from history log --
names changed to protect the innocent :-):

# make MySQL available locally via port 3307 (nice for using a local
query browser or schema explorer)
ssh -CNAfc arcfour -L localhost:3307:localhost:3306 anthonyr at shared001

# make connections to local port 2222 turn into regular SSH
connections to a different host than you connected to (SSH relay)
ssh -CNAfc arcfour -L localhost:2222:10.20.23.30:22 anthonyr at fma001

# same purpose as the first example two up, but this host (zimm001)
runs SSH on port 7777 vs. 22
ssh -p7777 -L localhost:3307:localhost:3306 anthonyr at zimm001

... so very useful :-) ... and if you're wondering, the common options i
use for everything:

-C
    compress the stream

-N
    do not execute a command (port forward only)

-A
    forward your agent socket (only needed if you need it available on
the remote host -- use with care -- see manpage)

-f
    put ssh into the background after receiving pass [if required] and
just before it would execute a remote command

-c arcfour
    use the arcfour cipher (weakest) instead of AES (strongest); this
makes a HUGE HUGE difference in bandwidth/overhead (sshfs/FUSE, MySQL
forwarding, etc)

... that should give you an even better understanding i hope :-)

C Anthony
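To see the "relay" from the post in motion, here is an added example (in Python, not from the post and not OpenSSH code): plain TCP sockets on loopback stand in for the SSH session, a Gateway class plays the part of bridge03, and a constructed web service is registered only in the gateway's own reachability table under the name 10.20.0.75:80, so the client side never resolves that name itself. The class names, the port-0 (ephemeral) bind, the table layout and the canned HTTP banner are all assumptions made for the demo; the failure path models what you see when "host" was written from the wrong perspective.

```python
"""Added model of `ssh -L [bind_address:]port:host:hostport user@gateway`:
plain TCP sockets stand in for SSH.  The listener is on the CLIENT; the
connection to host:hostport is opened by the GATEWAY, which resolves `host`."""
import socket
import threading


def _pump(src, dst):
    """Copy bytes one way until EOF, then pass the EOF on as a half-close."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class Gateway:
    """Stand-in for the sshd you log in to (bridge03 in the post).  `reachable`
    maps (host, hostport) AS THE GATEWAY SEES THEM to loopback endpoints."""

    def __init__(self, reachable):
        self.reachable = reachable

    def open_channel(self, host, hostport):
        # Resolution happens here: "localhost" would be the gateway's own
        # loopback, never the client's.  The client never reads this table.
        addr, port = self.reachable[(host, hostport)]
        return socket.create_connection((addr, port))


class LocalForward:
    """Client half of -L: bind locally, hand each connection to the gateway."""

    def __init__(self, gateway, bind_address, port, host, hostport):
        self.gateway, self.host, self.hostport = gateway, host, hostport
        self.listener = socket.socket()
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind((bind_address, port))  # bind_address: client's view
        self.listener.listen(5)
        self.bound_port = self.listener.getsockname()[1]  # real port if port == 0
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                conn, _ = self.listener.accept()
            except OSError:
                return                         # listener closed
            try:
                remote = self.gateway.open_channel(self.host, self.hostport)
            except Exception:                  # gateway cannot reach host:hostport
                conn.close()                   # local app connected fine but now
                continue                       # sees EOF ("channel open failed")
            threading.Thread(target=_pump, args=(conn, remote), daemon=True).start()
            threading.Thread(target=_pump, args=(remote, conn), daemon=True).start()

    def close(self):
        self.listener.close()


def start_service(banner):
    """Constructed private-subnet web panel: answers every request with `banner`."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            try:
                c, _ = srv.accept()
            except OSError:
                return
            c.recv(4096)
            c.sendall(banner)
            c.close()

    threading.Thread(target=loop, daemon=True).start()
    return srv


def fetch_through_tunnel(host, hostport):
    """Rebuild the bridge03 example and return what the local client reads
    through the forwarded port (b"" when the gateway cannot open the channel)."""
    service = start_service(b"HTTP/1.0 200 OK\r\n\r\nbackup webpanel\n")
    # Only the gateway knows "10.20.0.75:80" (constructed); the client has no route.
    bridge03 = Gateway({("10.20.0.75", 80): service.getsockname()})
    fwd = LocalForward(bridge03, "127.0.0.1", 0, host, hostport)
    try:
        with socket.create_connection(("127.0.0.1", fwd.bound_port)) as c:
            c.sendall(b"GET / HTTP/1.0\r\n\r\n")
            return c.makefile("rb").read()
    except OSError:
        return b""                             # reset or EOF: nothing came back
    finally:
        fwd.close()
        service.close()
```

Calling fetch_through_tunnel("10.20.0.75", 80) returns the panel's response because the name is looked up on the gateway; calling fetch_through_tunnel("localhost", 80) returns nothing at all, which is the same symptom a real tunnel gives when "host" was written from your own machine's point of view instead of the remote's: the local connect succeeds, and the connection is then closed with no data.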
