Ssh Setup a SSH Tunnel

From NovaOrdis Knowledge Base

Internal

Overview

OpenSSH can be used to tunnel traffic from the local host to a remote host you have an account on. For ssh tunneling concepts, see:

OpenSSH Concepts - Tunneling

Setting Up a Tunnel from a Local Port to a Port on a Remote Host

ssh -f -N [-p <remote-host-ssh-port>] [-i <identity-file>] \
  [remote-host-ssh-user]@<remote-host-address> \
  -L <local-port>:<remote-host-interface-to-forward-to>:<port-on-remote-host-to-forward-to>

Options:

-f

The "-f" option tells ssh to go to the background once authentication has completed.

-N

The "-N" option tells ssh NOT to execute any command on the remote system. If "-N" is omitted, ssh will establish the tunnel AND open an interactive login session on the remote host.

-L

The "-L" option specifies the tunnel details (local port, remote host interface, remote port, as described below).

Other Arguments

The meaning of other arguments is the following:

  • -p <remote-host-ssh-port> may be used to specify a non-standard SSH port, if the SSH daemon on the remote host was configured to listen on a port other than 22.
  • -i <identity-file> may be used to specify a non-standard identity file, or the identity file of the remote user the connection is made for, if that user differs from the local UNIX user executing the command.
  • remote-host-ssh-user is the user on the remote system on whose behalf the SSH connection is made. If missing, the local UNIX user executing the command is implied.
  • remote-host-address is the address of the remote system that runs the sshd daemon.
  • local-port is the local port whose incoming traffic will be forwarded over the tunnel.
  • remote-host-interface-to-forward-to is the interface on the remote host to which traffic arriving over the tunnel will be forwarded. A good choice is 127.0.0.1, if the service we want to forward to listens on that interface. If we forward to 127.0.0.1, iptables will usually allow the forwarded traffic, as it is commonly configured to allow local (loopback) traffic.
  • port-on-remote-host-to-forward-to is the port on remote-host-interface-to-forward-to to which traffic arriving over the tunnel is forwarded.

Exit on Forward Failure

If the "ExitOnForwardFailure" configuration option is set to "yes", then a client started with -f will wait for all remote port forwards to be successfully established before placing itself in the background, and will exit with a non-zero exit code otherwise. Without it, a -f client whose forward failed (for example because the local port is already in use) still backgrounds itself, leaving a tunnel that does not work.

-o ExitOnForwardFailure=yes

Connection Keep-Alive

-o TCPKeepAlive=yes
-o ServerAliveInterval=30

Example

ssh -f -N -p 2022 -i /home/bob/.ssh/id_rsa bob@bobshost.com -L 873:127.0.0.1:873
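The following POSIX sh helper is an added example, not part of the original page or of OpenSSH. It assembles the command above with the ExitOnForwardFailure and keep-alive options, validates the three port numbers before they reach ssh, and uses the `[bind_address:]port` form of -L (assumed here; the page shows only the short form) so that the local end of the tunnel listens on loopback only. The `open_tunnel` function assumes a reachable SSH server and is not invoked automatically.

```shell
#!/bin/sh
# Hypothetical helper: build a "ssh -f -N -L" command with fail-fast and keep-alive
# options, then optionally run it and report whether the forward was established.

# Print the ssh command line for a local -> remote forward.
# Usage: build_tunnel_cmd <user@host> <ssh-port> <identity-file> <local-port> <remote-iface> <remote-port>
build_tunnel_cmd() {
    target="$1"; ssh_port="$2"; identity="$3"
    local_port="$4"; remote_iface="$5"; remote_port="$6"

    # Reject anything that is not a TCP port in 1..65535 before it reaches ssh.
    for p in "$ssh_port" "$local_port" "$remote_port"; do
        case "$p" in
            ''|*[!0-9]*) echo "invalid port: '$p'" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "port out of range: $p" >&2; return 1
        fi
    done

    # 127.0.0.1:<local-port> binds the local listener to loopback only, so other
    # hosts cannot enter the tunnel. ExitOnForwardFailure=yes makes -f return a
    # non-zero status instead of backgrounding a tunnel whose forward failed.
    # TCPKeepAlive/ServerAliveInterval keep an idle tunnel from being dropped.
    printf '%s\n' "ssh -f -N -p $ssh_port -i $identity \
-o ExitOnForwardFailure=yes -o TCPKeepAlive=yes -o ServerAliveInterval=30 \
$target -L 127.0.0.1:$local_port:$remote_iface:$remote_port"
}

# Run the tunnel; with ExitOnForwardFailure=yes a non-zero exit means the
# forward was NOT set up (e.g. local port busy) and no ssh is left in background.
open_tunnel() {
    cmd=$(build_tunnel_cmd "$@") || return 1
    echo "running: $cmd"
    # word splitting of $cmd is intended: it is a plain argument list
    $cmd || { echo "tunnel not established (ssh exit $?)" >&2; return 1; }
    echo "tunnel up on 127.0.0.1:$4"
}

# Example invocation with the page's values (constructed; not run on load):
#   open_tunnel bob@bobshost.com 2022 /home/bob/.ssh/id_rsa 873 127.0.0.1 873
```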