How to configure remote port forwarding (openssh & firewall)


Linux, How To, Security

In my last article I gave an overview of SSH port forwarding, the types of SSH port forwarding, and an example of SSH local port forwarding. OpenSSH also supports remote port forwarding, so let me give you one example to help you understand OpenSSH remote port forwarding better.

Up until now we have reviewed -L local port forwarding within SSH. In this section we'll discuss the -R remote port forwarding feature of OpenSSH. Recall that with -L local port forwarding the listening port is on the client: the client opens it and waits for connections, which are then tunnelled out to the server. With -R remote port forwarding it is the reverse: the listening port is opened on the server host, and connections arriving there are tunnelled back to the client.


Remote port forwarding is less common. It can be used to make a local port that cannot be reached from the internet available through a port on the server that is reachable from the internet.


Bypassing firewalls with an OpenSSH remote port forwarding tunnel

In OpenSSH the -R [bind_address:]port:host:hostport option specifies that the given port on the remote (server) host is to be forwarded to the given host and port on the local (client) side. For example, the command ssh -R 4444:localhost:23 username@host will forward all traffic arriving at port 4444 on the server to port 23 on the client.
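To make the [bind_address:]port:host:hostport syntax concrete, here is an added Python example (not code from this article or from OpenSSH) that parses a -R spec, including bracketed IPv6 literals, and reports where the server-side listener will be bound. The class and helper names are my own; the bind-address rules follow ssh(1) and the sshd GatewayPorts option, which decides whether a non-loopback bind is honoured at all.

```python
"""Parse OpenSSH -R forwarding specs ([bind_address:]port:host:hostport)
and classify where the server-side listener will be bound.

Added example for this article; not OpenSSH code.  The classification
follows the ssh(1)/sshd_config(5) rules for bind_address and GatewayPorts.
"""
from dataclasses import dataclass
from typing import Optional

WILDCARD = {"", "*", "0.0.0.0", "::"}          # "listen on all interfaces"
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


@dataclass
class RemoteForward:
    bind_address: Optional[str]  # None when the spec omitted it
    port: int                    # listener opened on the SSH server
    host: str                    # destination reached from the client side
    hostport: int

    @property
    def exposure(self) -> str:
        """'loopback', 'wildcard' or 'specific' for the server-side listener.

        sshd's GatewayPorts decides what is actually honoured: with the default
        'no' only loopback is allowed, 'yes' forces the wildcard address for
        every remote forward, and 'clientspecified' honours bind_address.
        """
        if self.bind_address is None or self.bind_address in LOOPBACK:
            return "loopback"
        if self.bind_address in WILDCARD:
            return "wildcard"
        return "specific"


def _split_outside_brackets(spec: str) -> list:
    """Split on ':' but leave bracketed IPv6 literals such as [::1] intact."""
    parts, buf, depth = [], [], 0
    for ch in spec:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
            if depth < 0:
                raise ValueError(f"unbalanced ']' in {spec!r}")
        if ch == ":" and depth == 0:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if depth != 0:
        raise ValueError(f"unbalanced '[' in {spec!r}")
    parts.append("".join(buf))
    return parts


def _strip_brackets(addr: str) -> str:
    return addr[1:-1] if addr.startswith("[") and addr.endswith("]") else addr


def _parse_port(text: str, what: str) -> int:
    if not text.isdigit() or int(text) > 65535:
        raise ValueError(f"bad {what} {text!r}")
    return int(text)  # 0 is legal for the listener: sshd then picks a free port


def parse_remote_forward(spec: str) -> RemoteForward:
    parts = _split_outside_brackets(spec)
    if len(parts) == 4:
        bind, port, host, hostport = parts
    elif len(parts) == 3:
        bind, (port, host, hostport) = None, parts
    else:
        raise ValueError(f"expected [bind_address:]port:host:hostport, got {spec!r}")
    if not host:
        raise ValueError(f"missing destination host in {spec!r}")
    return RemoteForward(
        bind_address=_strip_brackets(bind) if bind is not None else None,
        port=_parse_port(port, "listen port"),
        host=_strip_brackets(host),
        hostport=_parse_port(hostport, "destination port"),
    )


def is_valid_remote_forward(spec: str) -> bool:
    """True when the spec parses; used by callers that only need a yes/no."""
    try:
        parse_remote_forward(spec)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The article's forward plus a few constructed variants.
    for spec in ("7777:node1:22", "*:7777:node1:22",
                 "[::1]:7777:[fe80::1]:22", "10.0.2.30:7777:node1:22"):
        fwd = parse_remote_forward(spec)
        print(f"{spec:28} listener bound: {fwd.exposure}")
```

The exposure value is what a reviewer of an ssh invocation cares about: a spec with an empty or `*` bind address asks sshd to open the port to every host that can reach the server, which only succeeds when GatewayPorts permits it.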

Assume the security department does not allow you to connect to your corporate machine (node1) from home (node2), because the corporate firewall blocks such connections. SSH port forwarding to the rescue! As long as you are allowed to SSH out from your corporate server to your home server, you can set up a tunnel and connect back to node1 from home.

IMPORTANT NOTE:
You should always follow your corporate security policy and make sure that you're not breaking any rules. If you're not sure, always check with your security department. Just because you can bypass security's firewall doesn't mean that it is allowed.

Our first step is to initiate an SSH connection from node1 to node2 and choose the right options to tunnel back to node1 from node2 over SSH. In this command we use -R remote forwarding, initiated from node1: ssh -R 7777:node1:22 root@node2. This opens TCP port 7777 on node2 and forwards all connections to it back to node1 on port 22 (ssh).

[root@node1 ~]# ssh -v -fN -R 7777:node1:22 root@node2
debug1: Remote connections from LOCALHOST:7777 forwarded to local address node1:22
NOTE:
You can add the -v option for verbose debug mode.

SSH version 2 introduced the "-N" option, which prevents execution of commands on the remote host. It is useful if you only want to forward ports and not execute any commands on the remote host after the SSH tunnel is created.

We now have an SSH tunnel between node1 and node2, and all that is left is to go home to node2 and connect back to node1, which would normally be blocked by the corporate firewall. Let's get on node2 and verify this. Use the netstat command to verify that port 7777 is up and listening for a connection coming only from our local loopback IP address.

Most firewalls close sessions that stay idle too long as a security measure. If it takes you a long time to get home from work, the session between node1 and node2 could time out and close. To keep the session active, simply run a ping to the other side of the tunnel.

[root@node2 ~]# netstat -ntlp | grep 7777
tcp        0      0 0.0.0.0:7777            0.0.0.0:*               LISTEN      4972/sshd: root
tcp6       0      0 :::7777                 :::*                    LISTEN      4972/sshd: root
[root@node1 ~]# ps aux | grep ssh
root      4360  0.0  0.1 154548  5520 ?        Ss   11:08   0:00 sshd: root@pts/0
root      4944  0.0  0.1 154548  5516 ?        Ss   11:57   0:00 sshd: root@pts/1
root      5497  0.0  0.1 112756  4316 ?        Ss   12:20   0:00 /usr/sbin/sshd -D
root      5516  0.0  0.0 178544  1464 ?        Ss   12:20   0:00 ssh -v -fN -R 7777:node1:22 root@node2
root      5517  2.0  0.1 154548  5536 ?        Ss   12:21   0:00 sshd: root@pts/2
root      5556  0.0  0.0 112708   976 pts/0    R+   12:21   0:00 grep --color=auto ssh
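The netstat output above shows the 7777 listener on 0.0.0.0 and ::, which is a wildcard bind: sshd only does that for a remote forward when sshd_config sets GatewayPorts to yes (or to clientspecified with a client that asked for it), since the default binds remote forwards to loopback. A defender reviewing a server wants to spot exactly that. The following added Python example (my code, not the article's) parses `netstat -ntlp` output and lists sshd listeners that are reachable from other hosts; the sample is the article's two sshd lines plus one constructed loopback-only line for contrast.

```python
"""Audit `netstat -ntlp` output for listeners that sshd opened on the
wildcard address instead of loopback.

Added example for this article.  The sample lines are the article's netstat
output plus one constructed loopback-only line.
"""
from typing import List, Tuple

# Constructed sample: the two sshd lines from the article plus a made-up
# loopback-only listener (port 7778, pid 4980) so the filter has something to ignore.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:7777            0.0.0.0:*               LISTEN      4972/sshd: root
tcp6       0      0 :::7777                 :::*                    LISTEN      4972/sshd: root
tcp        0      0 127.0.0.1:7778          0.0.0.0:*               LISTEN      4980/sshd: root
"""

WILDCARD = {"0.0.0.0", "::", "*"}


def split_endpoint(endpoint: str) -> Tuple[str, str]:
    """'0.0.0.0:7777' -> ('0.0.0.0', '7777'); ':::7777' -> ('::', '7777')."""
    addr, _, port = endpoint.rpartition(":")
    return addr, port


def parse_listeners(text: str) -> List[dict]:
    """Return one dict per tcp/tcp6 LISTEN line, skipping netstat's headers."""
    rows = []
    for line in text.splitlines():
        fields = line.split(None, 6)  # the program name may contain spaces
        if len(fields) < 7 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        addr, port = split_endpoint(fields[3])
        pid, _, program = fields[6].partition("/")
        rows.append({"proto": fields[0], "addr": addr, "port": int(port),
                     "pid": int(pid) if pid.isdigit() else None, "program": program})
    return rows


def scope(addr: str) -> str:
    """Who can reach a socket bound to this address."""
    if addr in WILDCARD:
        return "all interfaces"
    if addr.startswith("127.") or addr == "::1":
        return "loopback"
    return "specific address"


def exposed_sshd_listeners(text: str) -> List[Tuple[str, str, int]]:
    """(proto, addr, port) for sshd listeners reachable from other hosts.

    A remote forward bound to 0.0.0.0 or :: is reachable by anyone who can
    reach the server, not only by logins on the server itself.
    """
    return [(r["proto"], r["addr"], r["port"]) for r in parse_listeners(text)
            if r["program"].startswith("sshd") and scope(r["addr"]) == "all interfaces"]


if __name__ == "__main__":
    for r in parse_listeners(SAMPLE_NETSTAT):
        print(f"{r['proto']:5} {r['addr']:>10}:{r['port']:<6} {scope(r['addr']):17} {r['program']}")
    print("exposed sshd listeners:", exposed_sshd_listeners(SAMPLE_NETSTAT))
```

Feed it the real output with `netstat -ntlp | python3 audit.py` style plumbing (reading stdin instead of the constant) when checking a server; a wildcard-bound forward that nobody intended is the thing to investigate, and GatewayPorts in sshd_config is the setting that controls it.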

The command below shows node2 initiating a connection back to node1 on port 7777. And we are in! We have successfully SSHed back to our work machine from home.

[root@node2 ~]# ssh -p 7777 root@localhost
root@localhost's password:
Last login: Tue Apr  9 12:19:43 2019 from 10.0.2.30
[root@node1 ~]#

A verbose message is printed on node1 for the connection that was established through the port forward.

NOTE:
This is only visible if the SSH port forwarding was started with the verbose (-v) option.
[root@node1 ~]# debug1: client_input_channel_open: ctype forwarded-tcpip rchan 2 win 2097152 max 32768
debug1: client_request_forwarded_tcpip: listen localhost port 7777, originator ::1 port 41226
debug1: connect_next: host node1 ([10.0.2.30]:22) in progress, fd=4
debug1: channel 0: new [::1]
debug1: confirm forwarded-tcpip
debug1: channel 0: connected to node1 port 22


SSH port forwarding using firewalld

You can also do port forwarding using firewall rules. This is not exactly the same as what we achieved above, but if the idea is to use an alternate port to connect to a node, firewalld can also be used.

As you can see, currently I don't have any active rules in my firewalld zone.

[root@node2 ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

Let me add a port forwarding rule so that any incoming connection on port 2233 of node2 is routed to port 22.

[root@node2 ~]# firewall-cmd  --add-forward-port=port=2233:proto=tcp:toport=22
success

Now verify the new rule:

[root@node2 ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports: port=2233:proto=tcp:toport=22:toaddr=
  source-ports:
  icmp-blocks:
  rich rules:
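When a zone listing like the one above comes out of an audit, the questions are which ports are being redirected, to where, and whether the zone is set up to make that work. The following added Python example (my code, not firewalld's or the article's) parses `firewall-cmd --list-all` output into a structure and reviews each forward-port entry; the two embedded samples are constructed copies of the article's before and after listings, and the review rule that forwarding to another host needs masquerading comes from the firewalld documentation.

```python
"""Parse `firewall-cmd --list-all` output and review its forward-port rules.

Added example for this article; the samples are constructed copies of the
article's before/after zone listings, not live output.
"""
import re
from typing import Dict, List, Tuple

ZONE_BEFORE = """\
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
"""

ZONE_AFTER = ZONE_BEFORE.replace(
    "  forward-ports:\n",
    "  forward-ports: port=2233:proto=tcp:toport=22:toaddr=\n")

_FIELD = re.compile(r"^  ([\w-]+):\s?(.*)$")   # two-space indent, "key: value"


def parse_zone(text: str) -> dict:
    """Turn the listing into {'name', 'active', 'fields': {key: [tokens]}}."""
    lines = text.strip("\n").splitlines()
    name, _, rest = lines[0].partition(" ")      # "public (active)"
    zone = {"name": name, "active": "(active)" in rest, "fields": {}}
    current = None
    for line in lines[1:]:
        m = _FIELD.match(line)
        if m:
            current = m.group(1)
            zone["fields"][current] = m.group(2).split()
        elif current is not None and line.strip():
            # newer firewalld prints each forward-port / rich rule on its own
            # tab-indented continuation line; fold those into the last key
            zone["fields"][current].extend(line.split())
    return zone


def parse_forward_port(entry: str) -> Dict[str, str]:
    """'port=2233:proto=tcp:toport=22:toaddr=' -> {'port': '2233', ...}"""
    return dict(item.split("=", 1) for item in entry.split(":"))


def redirected_ports(zone: dict) -> Dict[Tuple[str, int], Tuple[str, int]]:
    """{(proto, port): (toaddr, toport)}; an empty toaddr means this host."""
    out = {}
    for entry in zone["fields"].get("forward-ports", []):
        fp = parse_forward_port(entry)
        out[(fp["proto"], int(fp["port"]))] = (fp.get("toaddr", ""), int(fp["toport"]))
    return out


def review_forward_ports(zone: dict) -> List[str]:
    """One plain-language finding per forward-port entry."""
    findings = []
    masquerade = zone["fields"].get("masquerade", ["no"]) == ["yes"]
    for (proto, port), (toaddr, toport) in redirected_ports(zone).items():
        if toaddr == "":
            findings.append(f"{proto}/{port} opens a second path to local port {toport} on this host")
        elif not masquerade:
            findings.append(f"{proto}/{port} forwards to {toaddr}:{toport} but masquerade is off; "
                            "firewalld needs masquerading to forward to another host")
        else:
            findings.append(f"{proto}/{port} forwards to {toaddr}:{toport}")
    return findings


if __name__ == "__main__":
    for label, text in (("before", ZONE_BEFORE), ("after", ZONE_AFTER)):
        zone = parse_zone(text)
        print(label, zone["name"], "active" if zone["active"] else "inactive",
              review_forward_ports(zone) or ["no forward-ports"])
```

One caveat the listing does not show: `firewall-cmd --add-forward-port=...` without `--permanent` changes only the running configuration and is gone after a reload or reboot, so a rule that must survive needs `--permanent` followed by `firewall-cmd --reload`.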

Let us try to connect to node2 from another node using the new port that we configured for port forwarding.

[root@node1 ~]# ssh -p 2233 root@node2
root@node2's password:
Last login: Tue Apr  9 12:26:39 2019 from 10.0.2.30
[root@node2 ~]# logout
Connection to node2 closed.

And it looks like our port forwarding is working as expected.


Lastly, I hope the steps in this article to configure remote port forwarding on Linux using firewalld and OpenSSH were helpful. Let me know your suggestions and feedback using the comment section.

Deepak Prasad


He is the founder of GoLinuxCloud and brings over a decade of expertise in Linux, Python, Go, Laravel, DevOps, Kubernetes, Git, Shell scripting, OpenShift, AWS, Networking, and Security. With extensive experience, he excels in various domains, from development to DevOps, Networking, and Security, ensuring robust and efficient solutions for diverse projects. You can connect with him on his LinkedIn profile.
