In my last article I shared the steps to Restrict Root User To Access Or Modify A File And Directory In Linux. In this article I continue with security-related topics with an article on SSH port forwarding, also called SSH tunneling.

How to configure SSH port forwarding or tunneling in Linux

SSH port forwarding or tunneling lets you carry otherwise insecure TCP traffic inside a secure SSH connection. Protocols such as FTP, POP3, SMTP, HTTP, TELNET and others can be forwarded through the SSH tunnel, which gives them encryption and authentication that the protocols themselves may not support.

There are two port forwarding mechanisms: Local port forwarding (-L) and Remote port forwarding (-R). They are also commonly referred to as an outgoing tunnel and an incoming tunnel respectively.


Types of SSH Port Forwarding

The -L [bind_address:]port:host:hostport option specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side; host is resolved from the server's point of view. For example, the command ssh -L 4444:localhost:23 [email protected] forwards all client traffic arriving on local port 4444 to port 23 on the server.

The -R [bind_address:]port:host:hostport option specifies that the given port on the remote (server) host is to be forwarded to the given host and port on the local side; here host is resolved from the client's point of view. For example, the command ssh -R 4444:localhost:23 [email protected] forwards all server traffic arriving on server port 4444 to port 23 on the client.
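The forwarding spec has the same shape for -L and -R, and two properties of it decide how exposed the tunnel entrance is: the listen port (ports below 1024 need root) and the bind address (omitted means loopback only). The POSIX sh functions below are an added example, not code from the original article, that split a spec into its fields and run those two checks before the tunnel is created. IPv6 literal bind addresses, which themselves contain colons, are deliberately not handled.

```shell
#!/bin/sh
# Added example (not from the original article): pre-flight checks for an
# ssh -L/-R forwarding spec of the form [bind_address:]port:host:hostport.
# Assumption: bind_address, when given, is an IPv4 literal or a hostname.

# Split SPEC into its four fields and print "bind port host hostport".
# When bind_address is omitted ssh binds the loopback interface, so 127.0.0.1 is reported.
parse_forward_spec() {
    spec=$1
    nfields=$(printf '%s\n' "$spec" | awk -F: '{ print NF }')
    case $nfields in
        3) bind=127.0.0.1; rest=$spec ;;
        4) bind=${spec%%:*}; rest=${spec#*:} ;;
        *) echo "parse_forward_spec: malformed spec '$spec'" >&2; return 1 ;;
    esac
    port=${rest%%:*};  rest=${rest#*:}
    host=${rest%%:*};  hostport=${rest#*:}
    printf '%s %s %s %s\n' "$bind" "$port" "$host" "$hostport"
}

forward_bind_address() { parse_forward_spec "$1" | awk '{ print $1 }'; }
forward_listen_port()  { parse_forward_spec "$1" | awk '{ print $2 }'; }

# Ports below 1024 are privileged: only root can open them in LISTEN mode.
is_privileged_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;   # not a number: let the caller report it
    esac
    [ "$1" -lt 1024 ]
}

# A loopback bind means only the host running ssh can reach the tunnel entrance.
is_loopback_bind() {
    case $1 in
        127.0.0.1|localhost|::1|'') return 0 ;;
        *) return 1 ;;
    esac
}

# check_forward SPEC: returns 0 when the listener is unprivileged and loopback-only,
# otherwise prints each finding to stderr and returns 1.
check_forward() {
    fields=$(parse_forward_spec "$1") || return 1
    set -- $fields
    bind=$1
    port=$2
    rc=0
    if is_privileged_port "$port"; then
        echo "port $port is privileged: binding it requires root" >&2
        rc=1
    fi
    if ! is_loopback_bind "$bind"; then
        echo "bind address $bind exposes the tunnel entrance to other hosts" >&2
        rc=1
    fi
    return $rc
}

# Usage: check_forward 5555:node2:80 && ssh -fN -L 5555:node2:80 user@node2
```

Running check_forward on 5555:node2:80 (the spec used later in this article) succeeds silently, while 0.0.0.0:80:node2:80 reports both a privileged port and a non-loopback bind and returns 1, which is the case a wrapper script should refuse to start.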


My Setup
node1
IP: 10.0.2.30

node2
IP: 10.0.2.31
HTTP Configured on Port 80


I am using CentOS 7.6 to demonstrate the commands in this article, but the same commands are expected to work on other Linux or Unix distributions.


Securing HTTP with SSH Local Port Forwarding

For the sake of this article I have configured a very simple HTTP server on node2 on port 80. In this example we open a listening port 5555 on the localhost (node1) using the -L option described earlier and forward all traffic arriving on that port to node2 on port 80 (HTTP) inside the SSH tunnel. The -f option instructs ssh to go to the background just before command execution. -N tells ssh that there is no remote command to run; we only want to forward ports.

Execute the below command to perform local port forwarding

[[email protected] ~]# ssh -v -fNL 5555:node2:80 [email protected]
NOTE:
For demonstration purposes I have enabled the verbose option; you can omit -v if you do not want additional debug messages on your screen.

Since verbose mode is enabled we see more information about what ssh is doing in the background. The debug message below confirms that connections to localhost port 5555 on node1 will be forwarded to port 80 on node2.

debug1: Local connections to LOCALHOST:5555 forwarded to remote address node2:80
debug1: Local forwarding listening on ::1 port 5555.


To further verify the listening port on node1 we can use the netstat command:

[[email protected] ~]# netstat -ntlp | grep 5555
tcp 0 0 127.0.0.1:5555 0.0.0.0:* LISTEN 16155/ssh

The local address in the netstat output, 127.0.0.1:5555, shows that only the loopback address 127.0.0.1 can initiate connections to port 5555: because no bind_address was given, ssh bound the listener to loopback only rather than to all interfaces.
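The netstat check above is worth automating, because a tunnel whose listener is bound to 0.0.0.0 quietly turns the client into a relay for every host that can reach it. The POSIX sh functions below are an added example, not from the original article, that read netstat -ntlp style lines on stdin and report whether every listener on a given port is bound to a loopback address. The sample output is constructed to mirror the article's listener plus an IPv6 loopback socket and a deliberately wide-open one.

```shell
#!/bin/sh
# Added example (not from the original article): verify from `netstat -ntlp` output
# that an ssh tunnel's listening socket is bound to loopback only.
# Constructed sample: the article's 127.0.0.1:5555 listener, its IPv6 twin, and a
# hypothetical tunnel on 8080 bound to all interfaces.
SAMPLE_NETSTAT='tcp        0      0 127.0.0.1:5555          0.0.0.0:*               LISTEN      16155/ssh
tcp6       0      0 ::1:5555                :::*                    LISTEN      16155/ssh
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      16200/ssh'

# listen_addrs_for_port PORT: read netstat lines on stdin, print the local address
# (without the port) of every LISTEN socket on PORT, one per line.
listen_addrs_for_port() {
    port=$1
    awk -v p="$port" '
        $6 == "LISTEN" {
            n = split($4, a, ":")        # last colon-separated field is the port
            if (a[n] == p) {
                sub(":" p "$", "", $4)   # strip ":PORT" to leave the bind address
                print $4
            }
        }'
}

# tunnel_is_loopback_only PORT: exit 0 when every listener on PORT is bound to
# 127.0.0.1 or ::1, 1 when any listener is reachable from other hosts.
tunnel_is_loopback_only() {
    listen_addrs_for_port "$1" | awk '
        BEGIN { bad = 0 }
        $0 != "127.0.0.1" && $0 != "::1" { bad = 1; print "non-loopback listener: " $0 > "/dev/stderr" }
        END { exit bad }'
}

# Usage on a live system:  netstat -ntlp 2>/dev/null | tunnel_is_loopback_only 5555
# Usage on the constructed sample:
printf '%s\n' "$SAMPLE_NETSTAT" | tunnel_is_loopback_only 5555 && echo "port 5555: loopback only"
```

The awk filter keys on the LISTEN state column and the trailing :PORT of the local address, so it works for both the IPv4 and IPv6 rows that the article's debug output shows ssh opening.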

IMPORTANT NOTE:
Ports below 1024 are privileged ports and require root/administrative rights to be opened in LISTEN mode on any machine. Ports above 1023 can be opened by regular users.

We have successfully configured a secure SSH Local Port Forwarding tunnel between node1 and node2.


Verify the ssh local port forwarding or tunneling

To verify the SSH local port forwarding we use elinks, a text-mode browser. You can install it with yum:

[[email protected] ~]# yum -y install elinks

Once installed, connect from node1 to the web server configured on node2 through the local listener:

[[email protected] ~]# elinks http://localhost:5555
Welcome to the demo of ssh local port forwarding - GoLinuxCloud

We are able to reach the HTTP server on node2 successfully.

On node2 I can see the additional connection from node1, carried over SSH and then handed to HTTP locally:

[[email protected] ~]# lsof -i -n | grep sshd
sshd 3130 root 3u IPv4 26918 0t0 TCP *:ssh (LISTEN)
sshd 3130 root 4u IPv6 26939 0t0 TCP *:ssh (LISTEN)
sshd 14682 root 3u IPv4 50880 0t0 TCP 10.0.2.31:ssh->10.0.2.2:50161 (ESTABLISHED)
sshd 15585 root 3u IPv4 71627 0t0 TCP 10.0.2.31:ssh->10.0.2.30:40020 (ESTABLISHED)
sshd 15585 root 8u IPv4 72365 0t0 TCP 10.0.2.31:36564->10.0.2.31:http (ESTABLISHED)
[[email protected] ~]# lsof -i -n | grep http
httpd 14869 root 4u IPv6 51821 0t0 TCP *:http (LISTEN)
httpd 14870 apache 4u IPv6 51821 0t0 TCP *:http (LISTEN)
httpd 14871 apache 4u IPv6 51821 0t0 TCP *:http (LISTEN)
httpd 14871 apache 9u IPv6 71753 0t0 TCP 10.0.2.31:http->10.0.2.31:36570 (ESTABLISHED)


I will explain about SSH Remote Port Forwarding in my next article.


Lastly, I hope the steps in this article to configure SSH port forwarding and tunneling in Linux were helpful. Let me know your suggestions and feedback in the comment section.
