In my last article I had shared the steps to Restrict Root User To Access Or Modify A File And Directory In Linux. In this article I will continue with topics related to security by an article on SSH Port Forwarding or Tunneling.
SSH port forwarding or tunneling allows you to forward otherwise unsecure TCP traffic inside a secure SSH tunnel. Protocols such as FTP, POP3, SMTP, HTTP, TELNET, and others can all be forwarded inside this SSH tunnel providing increased security features such as encryption and authentication that may not otherwise be supported.
There are two types of port forwarding mechanisms: Local port forwarding “
-L” and Remote port forwarding “
-R.” These two types of forwarding mechanisms are also commonly referred to as Outgoing tunnel and Incoming tunnel.
Types of SSH Port Forwarding
[bind_address:]port:host:hostport] command specifies that a given port on the local (client) host is to be forwarded to the given host and port on the remote side. For example: command ssh –L 4444:localhost:23 [email protected] will forward all client traffic coming into port 4444 to port 23 on the server.
[bind_address:]port:host:hostport] command specifies that a given port on the remote (server) host is to be forwarded to the given host and port on the local side. For example: command ssh –R 4444:localhost:23 [email protected] will forward all server traffic coming into port 4444 to port 23 on the client.
HTTP Configured on Port 80
I am using CentOs 7.6 for the demonstration of the commands used in this article but the same commands are expected to work on other Linux or Unix distributions.
Securing HTTP with SSH Local Port Forwarding
For the sake of this article I have configured a very simple HTTP server on node2 on port 80. In this example we open up a listening port
5555 using our
–L option described earlier on the localhost (
node1) and forward all traffic incoming to this port over to
node2 on port
80 HTTP inside the SSH tunnel. The
-f option instructs ssh to fork to background before executing the command.
-N tells ssh that there is no command to run; we only want to forward ports.
Execute the below command to perform local port forwarding
[[email protected] ~]# ssh -v -fNL 5555:node2:80 [email protected]
-voption if you do not wish to additional debug messages on your screen.
Since we have enabled verbose we can see more information on the tasks happening in the background. The displayed debug message verifies that connections to our localhost on
node1 for port
5555 will be forwarded out on port
debug1: Local connections to LOCALHOST:5555 forwarded to remote address node2:80 debug1: Local forwarding listening on ::1 port 5555.
To further verify our listening port on
node1 we can use the
[email protected] ~]# netstat -ntlp | grep 5555 tcp 0 0 127.0.0.1:5555 0.0.0.0:* LISTEN 16155/ssh
The output from the netstat command,
127.0.0.1:5555, indicates that only the
127.0.0.1 (local loopback) address is allowed to initiate connectivity to port
We have successfully configured a secure SSH Local Port Forwarding tunnel between node1 and node2.
Verify the ssh local port forwarding or tunneling
To verify the ssh local port forwarding we are using elinks. you can install this tool using yum command.
[[email protected] ~]# yum -y install elinks
Once installed, attempt to connect to the webserver configured on node2 using node1.
[[email protected] ~]# elinks http://localhost:5555 Welcome to the demo of ssh local port forwarding - GoLinuxCloud
And we are able to connect to the HTTP server from node2 successfully.
On node2 I can see an additional connection from node1 for HTTP using SSH
[[email protected] ~]# lsof -i -n | grep sshd sshd 3130 root 3u IPv4 26918 0t0 TCP *:ssh (LISTEN) sshd 3130 root 4u IPv6 26939 0t0 TCP *:ssh (LISTEN) sshd 14682 root 3u IPv4 50880 0t0 TCP 10.0.2.31:ssh->10.0.2.2:50161 (ESTABLISHED) sshd 15585 root 3u IPv4 71627 0t0 TCP 10.0.2.31:ssh->10.0.2.30:40020 (ESTABLISHED) sshd 15585 root 8u IPv4 72365 0t0 TCP 10.0.2.31:36564->10.0.2.31:http (ESTABLISHED)
[[email protected] ~]# lsof -i -n | grep http httpd 14869 root 4u IPv6 51821 0t0 TCP *:http (LISTEN) httpd 14870 apache 4u IPv6 51821 0t0 TCP *:http (LISTEN) httpd 14871 apache 4u IPv6 51821 0t0 TCP *:http (LISTEN) httpd 14871 apache 9u IPv6 71753 0t0 TCP 10.0.2.31:http->10.0.2.31:36570 (ESTABLISHED)
I will explain about SSH Remote Port Forwarding in my next article.
Lastly I hope the steps from the article to configure SHH Port Forwarding and Tunneling in Linux was helpful. So, let me know your suggestions and feedback using the comment section.