
Fun with SSH Remote Port Forwarding

Prologue: Our Institute has several nice dual-core machines deployed for the students. Unfortunately the machines are behind a NAT with no port forwarded for external SSH access. The students' hostel is a bit far off from the computational centre, so if someone felt the need to access the machines during non-office hours, it was a wee bit difficult. The sysadmin would not have agreed to forward any ports. Something had to be done....

SSH has a very useful feature: remote and local port forwarding. We have an old rickety PIII running Ubuntu 8.04.1 in the hostel; it is connected to the net and is accessible via SSH from the internet. Using a tiny shell script running on one of the machines in the Institute, I managed to make the old PIII an intermediate gateway for gaining SSH access to the Institute's machines from anywhere on the internet. The script is only a few lines long, but nevertheless powerful enough to serve our purpose.

#!/bin/bash
# Keep a reverse tunnel to the hostel PIII alive: whenever ssh exits,
# wait a little and reconnect.
while true; do
    ssh -C -o ServerAliveInterval=30 -R 4321:localhost:22 serververhostname
    echo Retrying
    sleep 10   # avoid a tight reconnect loop while the PIII is unreachable
done

Let us analyse what this code does.
First of all, serververhostname is the hostname of the PIII server. For example, if www.example.com resolves to the public IP of the PIII server, then www.example.com would be used instead of serververhostname.
The -C option requests compression of all data, to improve data transfer speed over slow connections.
The -o ServerAliveInterval=30 option makes the SSH client send a keepalive message at the application layer every 30 s; this prevents a timeout when the connection is idle.
-R 4321:localhost:22 is the most important part. There is an SSH server running on the Institute's workstation, listening on port 22. "-R 4321:localhost:22" specifies that port 22 of localhost, i.e. of the Institute's workstation, is to be forwarded to port 4321 of the PIII, such that whenever a connection is made to the PIII on port 4321, the connection gets forwarded over the secure channel to port 22 of the Institute's workstation. Note that with the default sshd setting on the PIII (GatewayPorts no) this listener is bound to the PIII's loopback interface only, so the forwarded port is reachable only by someone who is already logged in to the PIII, not directly from the internet.
The while loop ensures that the connection gets re-established if it breaks. You need to use a passphraseless RSA or DSA key for authentication instead of a password; otherwise the ssh client will wait for a password input.
Now suppose in the midst of the night I feel an urge to log in to the machine in my college, but I am (say, even a few hundred or thousand miles :D) away from the computational centre. All I need to do is log in to the PIII server in the hostel using ssh from anywhere on the internet. Once I am in there, I issue the command "ssh -l username localhost -p 4321". Though I am ssh-ing into port 4321 of localhost, effectively the connection is made to port 22 of the Institute's workstation, thanks to the previous ssh port forwarding. No need to persuade the sysadmin to make changes to the NAT or the Institute's firewall.
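The following is an added example, not the post's own script, showing how the reconnect loop above can be hardened for unattended use: -N so the tunnel session opens no shell, ExitOnForwardFailure so ssh exits (and the loop retries) when port 4321 on the gateway is already taken instead of staying connected without a listener, ServerAliveCountMax so a dead link is noticed after three missed keepalives, a dedicated key passed with IdentitiesOnly, and exponential backoff so an unreachable gateway is not hammered. The hostname serververhostname, the ports, the key path and the authorized_keys line are placeholders; the "restrict,port-forwarding" key options need OpenSSH 7.2 or newer on the gateway, and which interface the remote listener binds to is governed by the gateway's GatewayPorts setting (loopback only by default), not by the client.

```shell
#!/bin/sh
# Added example (not the post's script): a hardened reverse-tunnel loop.
# Hostname, ports, key path and the authorized_keys line are placeholders.

GATEWAY="${GATEWAY:-serververhostname}"      # the PIII in the hostel
REMOTE_PORT="${REMOTE_PORT:-4321}"           # port to open on the PIII
LOCAL_PORT="${LOCAL_PORT:-22}"               # sshd on the Institute workstation
KEY="${KEY:-$HOME/.ssh/tunnel_key}"          # key used only for this tunnel
SSH="${SSH:-ssh}"                            # overridable for a dry run

# On the PIII, lock that key down in ~/.ssh/authorized_keys (OpenSSH 7.2+):
#   restrict,port-forwarding ssh-ed25519 AAAA...placeholder... tunnel@workstation
# 'restrict' disables pty, agent/X11 forwarding and commands; only the
# port forwarding the tunnel needs is re-enabled.

# One connection attempt. -N opens no shell; ExitOnForwardFailure makes ssh
# exit (so we retry) instead of staying up without a listener when the
# remote port is busy. The 127.0.0.1 bind states the intent; the gateway's
# GatewayPorts setting (default no = loopback only) has the final say.
run_once() {
    "$SSH" -N -C \
        -i "$KEY" -o IdentitiesOnly=yes \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
        -R "127.0.0.1:${REMOTE_PORT}:localhost:${LOCAL_PORT}" \
        "$GATEWAY"
}

# Delay before retry number $1: 5 s, doubling up to a 300 s cap, so a
# gateway that is down is not hammered in a tight loop.
backoff_seconds() {
    attempt=$1
    delay=5
    while [ "$attempt" -gt 1 ] && [ "$delay" -lt 300 ]; do
        delay=$((delay * 2))
        attempt=$((attempt - 1))
    done
    if [ "$delay" -gt 300 ]; then delay=300; fi
    echo "$delay"
}

# Reconnect forever; reset the backoff once a connection has stayed up for
# at least a minute (losing a long-lived tunnel is not a failing gateway).
run_tunnel() {
    attempt=1
    while :; do
        started=$(date +%s)
        run_once
        if [ $(( $(date +%s) - started )) -ge 60 ]; then attempt=1; fi
        wait_for=$(backoff_seconds "$attempt")
        echo "Retrying in ${wait_for}s (attempt $attempt)" >&2
        sleep "$wait_for"
        attempt=$((attempt + 1))
    done
}

# Start the loop only when invoked with --run, so the functions above can be
# sourced or dry-run (SSH=echo run_once) without opening a connection.
if [ "${1:-}" = "--run" ]; then run_tunnel; fi
```

Run it as "sh tunnel.sh --run" on the Institute workstation (or from a systemd/cron wrapper); setting SSH=echo and calling run_once prints the exact ssh command line without connecting, which is a quick way to check the forwarding spec before deploying.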

Comments

cosmos delight said…
All that is fine, but how can we access it?
Anonymous said…
Have to join our LAN... :)
