Skip to main content

Fun with SSH Remote Port Forwarding

Prologue: Our Institute has several nice Dual Core Machines deployed for the students. Unfortunately the machines are behind a NAT with no port forwarded for external SSH access. Student's hostel is a bit far off from the computational centre. As such if someone felt the need of accessing the machines during non-office hours, it was a wee bit difficult. The sysadmin would not have agreed to forward any ports. Something had to be done....

SSH has a very useful feature - Remote and Local Port Forwarding. We have an old rickety PIII running Ubuntu 8.04.1 in the Hostel, it is connected to the net and is accessible via SSH from the internet. Using a tiny little shell script running on one of the machines in the Institute, I managed to make the old PIII an intermediate gateway for gaining SSH access to the Institute's machines from anywhere in the internet. The script is of few lines, but nevertheless powerful enough to serve our purpose.

while [ 1 ]; do
ssh -C -o ServerAliveInterval=30 -R 4321:localhost:22 serververhostname
echo Retrying

Let us analyse what this code does.
First of all serververhostname is the hostname of the PIII server. For example if resolves to the public ip of the PIII server, then would have been used instead of serververhostname.
The -C option requests compression of all data, to improve data transfer speed over slow connections.
The -o ServerAliveInterval=30 makes the SSH client send a keepalive packet at the application layer every 30s, this is to prevent a timeout, in case the connection is idle.
-R 4321:localhost:22 is the most important part. There is a SSH server running in the Institute's workstation, listening on port 22. "-R 4321:localhost:22" specifies that port 22 of localhost, i.e. of the institute's workstation is to be forwarded to port 4321 of the PIII, such that whenever a connection is made to the PIII on port 4321, the connection gets forwarded over the secure channel to port 22 of the Institute's Workstation.
The while loop ensures that the connection gets re-established if it breaks. You need to use a passphraseless RSA or DSA key for authentication instead of a password, otherwise the ssh client will wait for a password input.
Now suppose in the midst of the night I feel an urge to log in to the machine in my college, but I am (say even a few hundred or thousand miles :D) away from the computational centre, all I need to do is log in to the PIII server in the hostel using ssh from anywhere in the internet. Once I am in there, I issue the command: "ssh -l username localhost -p 4321". Though I am ssh-ing into port 4321 of localhost, effectively the connection is made to port 22 of the Institute's workstation, thanks to the previous ssh port forwarding. No need for persuading the sysadmin to make changes to the NAT or Institute's firewall.


rnoytt said…
woh sab thik hai hum kaise access kar sakte?
Anonymous said…
Have to join our LAN... :)

Popular posts from this blog

Making inactve USB Hard Disk spin down automatically in Linux.

I have a 400GB Seagate IDE HDD connected to Mars, our hostel's file-server using an USB enclosure. The USB enclosure is a cheap "Made in China" product. Consequently it has some special "features". One such notable "feature" is that the disk is kept spinning by the controller even if there has been no disk I/O for a long time. I have three other USB disks connected to the same machine, a 1TB Seagate FreeAgent Desk External Drive, a 500GB Maxtor Basics External Drive and a 2.5" 60GB Fujitsu SATA Disk inside a Transcend USB enclosure. All of these spin down themselves if there has been no I/O for sometime. Keeping the hard disk spinning unnecessarily for ever, not only wastes power but also overheats the drive, thereby reducing its life. I tried noflushd, which is supposed to force idle hard disks to spin down, but found it to be of no help. USB enclosure generally work by performing an SCSI emulation over USB. sdparm is an utility which can be use

Force an application to use VPN, using iptables in Linux

Enforcing an application, for example a torrent client like Transmission , to always use the VPN interface or any particular network interface for that matter, is trivially simple using iptables on Debian, Ubuntu or any other GNU/Linux distro. Personally, I am running Debian Sid on the Raspberry Pi . Occasionally I use it for downloading files ( legal stuff, seriously, believe me :D  ) using Transmission Bittorrent client over a VPN connection. Sometimes it happens that the VPN connection fails and doesn't reconnect for whatever reason and Transmission continues pulling stuff directly over my internet connection, which I would like to avoid. Fortunately it is very straightforward to enforce rules based on application owner UID. Transmission runs under the owner debian-transmission in Debian (use htop to check this) and the following two lines of iptables ensures that any process with owner having UID, debian-transmission , will not use any other network interface apart from the

Rendering LaTeX in Blogger.

Rendering LaTeX in Blogger is pretty easy thanks to the JavaScript LaTeX equation render engine from . To enable LaTeX rendering go to the Blogger Dashboard --> Layout --> Edit HTML . Then add the line <script> type="text/javascript" src=""></script> <script type="text/javascript" src=""></script> just before <body/> . Half the job is now done. Then, for example to render: \int_{0}^{\pi}\frac{x^{4}\left(1-x\right)^{4}}{1+x^{2}}dx =\frac{22}{7}-\pi Use the code: <pre lang="eq.latex"> \int_{0}^{1}\frac{x^{4}\left(1-x\right)^{4}}{1+x^{2}}dx =\frac{22}{7}-\pi </pre> The LaTeX code will now be displayed as: \int_{0}^{1}\frac{x^{4}\left(1-x\right)^{4}}{1+x^{2}}dx=\frac{22}{7}-\pi Ofcourse Javascript needs to be enabled in the Browser for the renderer to work.