================================================================================
Local forwarding
================================================================================

Purpose:

   Set up a tunnel to a shell server and use the tunnel to send traffic to a
   second server. Both servers are on a trusted internal network where sniffing
   is not a problem, and SSH encryption secures the public link from the local
   client to the firewalled network.

   This method is used to tunnel a SINGLE port to a SINGLE destination server.

Diagram:

                      intranet | | Internet
 _____________                 | |                _____________
|             |                | |               |             |
| shellserver |============<<<===================|  localhost  |
|_____________|                | |               |_____________|
       |                       |F|
       |                       |I|
       |                       |R|
 ______|______                 |E|
|             |                |W|
| application |                |A|
|   server    |                |L|
|_____________|                |L|
                               | |

Legend:

   |   Unencrypted intranet traffic
   ||  Firewall
   <   Inbound SSH access allowed by firewall
   =   SSH tunnel

Example:

   We want to check a web page on an internal web server, but we don't have
   direct access to that server. We need to use local forwarding and tunnel
   through our shellserver.

   1) Set up the tunnel:

         ssh -L 8080:webserver:80 shellserver

      a) SSH client opens and listens to port 8080 on localhost

   2) Connect with web browser to:

         http://localhost:8080

      a) Browser connects to localhost:8080
      b) SSH client tunnels request to SSH server on shellserver
      c) shellserver connects to webserver:80

   3) Use tunnel

      a) When localhost sends data to webserver
         i)   localhost encrypts data to shellserver
         ii)  shellserver decrypts data from localhost
         iii) shellserver sends cleartext data to webserver

      b) When webserver sends data back to localhost
         i)   webserver sends cleartext data to shellserver
         ii)  shellserver encrypts data to localhost
         iii) shellserver sends encrypted data to localhost

   4) Tunneled web session ends when...
      a) Either localhost or webserver closes the tunneled web connection
      b) The SSH tunnel itself is closed

================================================================================
Remote Forwarding
================================================================================

Purpose:

   Set up a tunnel from a firewalled machine to an external host (e.g. a home
   computer) for later access through the firewall to the firewalled machine.
   This effectively defeats the firewall by trusting an Internet host to
   access the firewalled machine.

   This method allows a SINGLE external host to access the firewalled machine
   on a SINGLE port.

Diagram:

                      intranet | | Internet
 _____________                 | |                _____________
|             |============>>>===================|             |
| firewalled  |  ',            | |           ,'  |  external   |
|_____________|    '......<<<...............'    |_____________|
                               | |

Legend:

   ||  Firewall
   >   Outbound SSH access allowed by firewall
   =   SSH tunnel
   <   Inbound SSH access allowed by tunnel
   .   SSH traffic through tunnel

Example:

   We want to access our work machine from home, but the firewall does not
   allow remote access. We can set up a tunnel from our work machine, and then
   use it from home.

   1) From work, set up tunnel to home:

         [workuser@work ~]$ ssh -R 2222:localhost:22 home

      a) home's SSH server opens and listens to port 2222 on localhost

   2) From home, connect to work by:

         [homeuser@home ~]$ ssh -p 2222 workuser@localhost

      a) SSH client on home connects to home:2222 via loopback
      b) SSH makes tunneled connection to work:22
      c) SSH client authenticates as workuser on work:22

   3) Use tunnel:

      All traffic is encrypted and passed through tunnel.

   4) Tunneled SSH session ends when...

      a) Either home or work closes the tunneled SSH connection
      b) The SSH tunnel itself is closed

================================================================================
SOCKS Proxying
================================================================================

Purpose:

   Set up an encrypted tunnel.
   SOCKS-capable clients connect to this proxy, and their requests are
   forwarded to the remote shellserver, where they are dispatched.

   This method is used to tunnel MULTIPLE protocols and ports to MULTIPLE
   destinations through a SINGLE remote proxy.

   DNS traffic is generally not passed through the tunnel, so DNS queries can
   be sniffed on the local network unless they are tunneled as well.

Diagram:

                      intranet | | Internet
 _____________                 | |                _____________
|             |                | |               |             |
|  localhost  |============>>>===================| shellserver |
|_____________|                | |               |_____________|
                               | |                     /|\
                               |F|                    / | \
                               |I|                   /  |  \
                               |R|                  /   |   \
                               |E|                 /    |    \
                               |W|              __/__ __|__ __\__ .....
                               |A|             |     |     |     |     '
                               |L|             | Web |Email| AIM | etc '
                               |L|             |_____|_____|_____|.....'
                               | |

Legend:

   /|\ Internet traffic
   ||  Firewall
   >   Outbound SSH access allowed by firewall
   =   SSH tunnel

Example:

   A strict firewall policy has blocked access to several outside services,
   but outbound SSH is still allowed. We can set up a SOCKS proxy to allow
   proxied access to the blocked services.

   1) Set up the tunnel on the local machine:

         ssh -D 8080 shellserver

   2) Configure the SOCKS-capable local clients to use the proxy on
      localhost, port 8080.

   3) Traffic from software configured to use the proxy will be sent through
      the SSH tunnel.

================================================================================
Suggested Optional Flags to SSH
================================================================================

   -f   Sends SSH to the background after authentication
   -N   Tells SSH to just do forwarding (do not execute a remote command)
   -C   Enables compression
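
Added example, not part of the original page: a small POSIX sh helper that composes hardened ssh invocations for the three modes above (local -L, remote -R and SOCKS -D) using the page's sample host names, with the suggested -f/-N/-C flags plus an explicit 127.0.0.1 bind address and ExitOnForwardFailure so a tunnel whose forward cannot be set up fails instead of silently running without it.

```shell
#!/bin/sh
# Added example (not from the original page): compose hardened ssh commands
# for the three forwarding modes. Host names (shellserver, webserver, home)
# are the page's sample names; nothing here connects anywhere by itself.

# valid_port PORT -> succeeds only if PORT is an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Flags used for every tunnel: -f/-N/-C from the page, plus
# ExitOnForwardFailure so ssh exits if the forward cannot be established,
# and a keepalive so a dead tunnel is noticed rather than left hanging.
common_flags() {
    printf '%s' '-f -N -C -o ExitOnForwardFailure=yes -o ServerAliveInterval=30'
}

# tunnel_cmd MODE SSH_HOST LISTEN_PORT [TARGET_HOST TARGET_PORT]
#   MODE is local, remote or socks; socks takes no target.
# Each listener is bound to 127.0.0.1 explicitly so the tunnel entry point is
# never reachable from other hosts. For -R the listener lives on SSH_HOST and
# stays on its loopback unless its sshd enables GatewayPorts.
tunnel_cmd() {
    mode=$1 sshhost=$2 lport=$3 thost=$4 tport=$5
    valid_port "$lport" || { echo "bad listen port: $lport" >&2; return 1; }
    case "$mode" in
        local|remote)
            valid_port "$tport" || { echo "bad target port: $tport" >&2; return 1; }
            [ -n "$thost" ] || { echo "missing target host" >&2; return 1; }
            [ "$mode" = local ] && flag=-L || flag=-R
            printf 'ssh %s %s 127.0.0.1:%s:%s:%s %s\n' \
                "$(common_flags)" "$flag" "$lport" "$thost" "$tport" "$sshhost" ;;
        socks)
            printf 'ssh %s -D 127.0.0.1:%s %s\n' "$(common_flags)" "$lport" "$sshhost" ;;
        *)
            echo "unknown mode: $mode" >&2; return 1 ;;
    esac
}

# Stand-alone usage: print the commands for the page's three examples.
tunnel_cmd local  shellserver 8080 webserver 80
tunnel_cmd remote home        2222 localhost 22
tunnel_cmd socks  shellserver 8080
```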