In my last article I shared the steps to Restrict Root User To Access Or Modify A File And Directory In Linux. In this article I continue with security-related topics by looking at SSH port forwarding, also known as SSH tunneling.
What is SSH Port Forwarding
SSH port forwarding, or tunneling, lets you carry otherwise insecure TCP traffic inside an encrypted SSH connection between the local and destination server. Protocols such as FTP, POP3, SMTP, HTTP and Telnet can all be forwarded through this SSH tunnel, gaining the encryption and authentication that SSH provides and that the protocols themselves may lack. Keep in mind that only the leg between the SSH client and the SSH server is protected; if the final destination is a third host, the traffic between the SSH server and that host travels as it normally would.
There are two port forwarding mechanisms between the local and remote host: local port forwarding (-L) and remote port forwarding (-R). These two mechanisms are also commonly referred to as an outgoing tunnel and an incoming tunnel respectively.
Types of SSH Port Forwarding
-L [bind_address:]port:host:hostport specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side. The onward connection to host:hostport is opened by the SSH server, so host is resolved and reached from there. For example, the command ssh -L 4444:localhost:23 username@host forwards all client traffic arriving on port 4444 to port 23 on the server.
-R [bind_address:]port:host:hostport specifies that the given port on the remote (server) host is to be forwarded to the given host and port on the local side. Here the onward connection is opened by the SSH client. For example, the command ssh -R 4444:localhost:23 username@host forwards all server traffic arriving on port 4444 to port 23 on the client.
In both forms the optional bind_address decides which interface the listening port is bound to. When it is omitted the port is bound for local use only (subject to the GatewayPorts setting), while an empty bind_address or * makes the port reachable from all interfaces, which turns a private tunnel into a service anyone who can reach that host may use.
I am using CentOS 7.6 to configure SSH local port forwarding to a remote host, but the same commands are expected to work on other Linux or Unix distributions.
Lab setup used in this article:
- node1 (local server)
- node2 (remote host), with HTTP configured on port 80
Securing HTTP with SSH Local Port Forwarding to remote host
For the sake of this article I have configured a very simple HTTP server on node2 on port 80.
- In this example we open a listening port on the localhost (node1) using the -L option described earlier and forward all traffic arriving on this port over to port 80 (HTTP) on the remote host node2, inside the SSH tunnel.
- The -f option instructs ssh to fork to the background just before command execution.
- The -N option tells ssh that there is no remote command to run; we only want to forward ports.
Execute the below command to set up SSH local port forwarding:
[root@node1 ~]# ssh -v -fNL 5555:node2:80 root@node2
Drop the -v option if you do not wish to see additional debug messages on your screen.
Since we have enabled verbose output in the ssh session we can see more information about what is happening in the background. The debug messages confirm that connections to port 5555 on the localhost of node1 will be forwarded out to port 80 on node2:
debug1: Local connections to LOCALHOST:5555 forwarded to remote address node2:80
debug1: Local forwarding listening on ::1 port 5555.
To further verify the listening port on node1 we can use the netstat command:
[root@node1 ~]# netstat -ntlp | grep 5555
tcp 0 0 127.0.0.1:5555 0.0.0.0:* LISTEN 16155/ssh
The local address column of the netstat output, 127.0.0.1:5555, shows that the port is bound to the loopback address only, so only processes on node1 itself can connect to port 5555. This is the safe default. Had we given a wildcard bind address (for example -L *:5555:node2:80) or enabled GatewayPorts, the entrance to the tunnel would be bound to 0.0.0.0 and reachable from any host that can reach node1, and every such host would get to node2's web server through our authenticated SSH session. Always check this column before relying on a tunnel.
We have successfully configured a secure SSH Local Port Forwarding tunnel between node1 and remote machine node2.
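As an added example (not code from the original article), the POSIX shell script below captures the two checks described above in reusable functions: parse_forward_spec splits an ssh -L or -R argument of the form [bind_address:]port:host:hostport, describe_forward states which side listens and which side opens the onward connection, and listener_is_loopback_only reads netstat -ntlp or ss -ntlp output and reports whether a forwarded port is bound to loopback only. The netstat sample it runs against is constructed: it mirrors the article's 5555 listener and adds a hypothetical second tunnel started with -L '*:6666:node2:80' to show what an exposed tunnel looks like. IPv6 literal bind addresses are not handled.

```shell
#!/bin/sh
# Added example, not from the original article: parse ssh forwarding specs and
# audit the resulting listener. Runs offline against a constructed netstat sample.

# Split "[bind_address:]port:host:hostport" into "bind port host hostport".
# An omitted bind_address is reported as "localhost" (ssh's default unless
# GatewayPorts is set); an empty one, as in ":6666:node2:80", means all
# interfaces and is reported as "*". IPv6 literal addresses are not handled.
parse_forward_spec() {
    spec=$1
    rest=$spec
    n=0
    while [ "${rest#*:}" != "$rest" ]; do
        rest=${rest#*:}
        n=$((n + 1))
    done
    case $n in
        3) bind=${spec%%:*}; rest=${spec#*:} ;;
        2) bind=localhost;   rest=$spec ;;
        *) echo "invalid forwarding spec: $spec" >&2; return 1 ;;
    esac
    port=${rest%%:*}; rest=${rest#*:}
    host=${rest%%:*}; hostport=${rest#*:}
    [ -n "$bind" ] || bind='*'
    printf '%s %s %s %s\n' "$bind" "$port" "$host" "$hostport"
}

# State, for -L or -R, which side listens and which side opens the onward
# connection. The host in the spec is resolved and reached from the side that
# opens it, which is why node2's httpd sees the request coming from node2 itself.
describe_forward() {
    flag=$1
    fields=$(parse_forward_spec "$2") || return 1
    # read from a here-document so a "*" bind address is never glob-expanded
    read -r bind port host hostport <<EOF
$fields
EOF
    case $flag in
        -L) printf 'client listens on %s:%s, server side connects to %s:%s\n' \
                "$bind" "$port" "$host" "$hostport" ;;
        -R) printf 'server listens on %s:%s, client side connects to %s:%s\n' \
                "$bind" "$port" "$host" "$hostport" ;;
        *)  echo "flag must be -L or -R" >&2; return 1 ;;
    esac
}

# Read netstat -ntlp or ss -ntlp output on stdin (the local address is field 4
# in both) and succeed only if every LISTEN socket on the given port is bound
# to a loopback address. Fails if the port is not listening at all.
listener_is_loopback_only() {
    port=$1
    found=0
    exposed=0
    while read -r line; do
        case $line in *LISTEN*) ;; *) continue ;; esac
        set -f; set -- $line; set +f      # -f: "0.0.0.0:*" must not be globbed
        laddr=$4
        [ "${laddr##*:}" = "$port" ] || continue
        found=1
        case ${laddr%:*} in
            127.*|::1|localhost) ;;
            *) exposed=1 ;;
        esac
    done
    [ "$found" -eq 1 ] && [ "$exposed" -eq 0 ]
}

# Constructed sample of netstat -ntlp on node1: the article's 5555 tunnel plus a
# hypothetical second one started with  ssh -fNL '*:6666:node2:80' root@node2
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:5555          0.0.0.0:*               LISTEN      16155/ssh
tcp6       0      0 ::1:5555                :::*                    LISTEN      16155/ssh
tcp        0      0 0.0.0.0:6666            0.0.0.0:*               LISTEN      16201/ssh
tcp6       0      0 :::6666                 :::*                    LISTEN      16201/ssh
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1055/sshd'

describe_forward -L 5555:node2:80
describe_forward -R 4444:localhost:23
for p in 5555 6666; do
    if printf '%s\n' "$SAMPLE_NETSTAT" | listener_is_loopback_only "$p"; then
        echo "port $p: loopback only, reachable from node1 itself"
    else
        echo "port $p: EXPOSED, check the bind_address and GatewayPorts"
    fi
done
```

On a real host, replace the sample with live output, for example netstat -ntlp | listener_is_loopback_only 5555, and run it after every ssh -L you start unattended with -fN; a tunnel that was meant to be private but shows up on 0.0.0.0 or :: is the case the check exists for.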
Verify the ssh local port forwarding or tunneling
To verify the SSH local port forwarding between the local and destination server we are using elinks, a text-mode browser. You can install this tool using the yum command:
[root@node1 ~]# yum -y install elinks
Once installed, attempt to connect to the webserver configured on remote machine node2 using node1 and port 5555.
[root@node1 ~]# elinks http://localhost:5555
Welcome to the demo of ssh local port forwarding - GoLinuxCloud
We are able to reach the HTTP server on the remote machine node2 through port 5555 on node1, with the request carried inside the SSH session.
On node2 we can see the additional connection. The sshd process serving our session from node1 (PID 15585, peer 10.0.2.30) has opened a connection to node2's own port 80, and httpd sees those connections arriving from 10.0.2.31, that is node2 itself, not from node1. This is the server end of the tunnel: the HTTP request leaves the SSH session on node2 and is delivered to the web server as an ordinary local TCP connection, so the web server's logs will show the SSH server's address rather than the client's.
[root@node2 ~]# lsof -i -n | grep sshd
sshd 3130 root 3u IPv4 26918 0t0 TCP *:ssh (LISTEN)
sshd 3130 root 4u IPv6 26939 0t0 TCP *:ssh (LISTEN)
sshd 14682 root 3u IPv4 50880 0t0 TCP 10.0.2.31:ssh->10.0.2.2:50161 (ESTABLISHED)
sshd 15585 root 3u IPv4 71627 0t0 TCP 10.0.2.31:ssh->10.0.2.30:40020 (ESTABLISHED)
sshd 15585 root 8u IPv4 72365 0t0 TCP 10.0.2.31:36564->10.0.2.31:http (ESTABLISHED)
[root@node2 ~]# lsof -i -n | grep http
httpd 14869 root 4u IPv6 51821 0t0 TCP *:http (LISTEN)
httpd 14870 apache 4u IPv6 51821 0t0 TCP *:http (LISTEN)
httpd 14871 apache 4u IPv6 51821 0t0 TCP *:http (LISTEN)
httpd 14871 apache 9u IPv6 71753 0t0 TCP 10.0.2.31:http->10.0.2.31:36570 (ESTABLISHED)
I will explain about SSH Remote Port Forwarding in my next article.
Lastly, I hope the steps in this article to configure SSH port forwarding and tunneling in Linux were helpful. Let me know your suggestions and feedback using the comment section.