Print-friendly Version

SSH Port Forwarding Through a Proxy Server

Terry Labach, January, 2005

A common use of SSH is port forwarding (tunneling). This use causes traffic directed to a particular port to be sent to a specified port on another computer. Because traffic is sent through SSH, the traffic is encrypted, allowing the transmission of sensitive data through arbitrary services.

Example: Tunneling Connections From a Local Host on Port 8080 to Port 80 on a Web Server

The following command is an example that would tunnel connections from a local host on port 8080 to port 80 on the web server www.my-domain.com:

ssh -N -L 8080:localhost:80 www.my-domain.com

In the preceding command:

• The -N switch prevents the creation of an interactive SSH session.
• The -L switch accepts an argument of the form port:host:hostport, indicating that the local port is to be forwarded to hostport on the destination host. Therefore, the argument localhost is relative to www.my-domain.com, not to the machine at which you enter the command.

Example: Accessing a Corporate Network Web Server That Allows Logins Through a Proxy Server

It follows that one could create a sequence of secure tunnels, linking one computer to another through intermediate computers. The most likely use for this scenario would be to enter a private network that requires external logins to be performed through a proxy server.

Suppose you wanted to access a web server in a corporate network that allowed logins through a proxy server. This could be done in two steps:

1. Log in to the proxy server using SSH, while simultaneously creating a tunnel. Use the following command:

ssh -l proxyuser -L 8080:localhost:8181 proxy.my-domain.com

This command logs the user proxyuser into proxy.my-domain.com, as well as forwards access to localhost's port 8080 to 8181 on the proxy server. (Note that the port on the proxy server should not interfere with other users' tunnels. The administrator of the proxy server should assign ports to users that can be used in this manner.)

2. Once logged in, create a second tunnel from the proxy server to the internal server:

ssh -l internaluser -L 8181:internalserver:80 internalserver

However, SSH can be used to run arbitrary commands on a remote machine. This capability allows you to create the tunnel in one step, with a single command line:

ssh -t -l proxyuser -L 8080:localhost:8181 proxy.my-domain.com \
ssh -l internaluser -L 8181:internalserver:80 internalserver

The -t switch forces pseudo-tty allocation, which is necessary to run the SSH instance on the proxy server.

After you run the command, a user has a login session on the internal machine, and local port 8080 is forwarded to port 80 on the internal machine. When the user logs out of the internal machine, the port forwarding stops.

A Practical Application: Allowing Remote Access to the Perforce Master Source Repository

An example of a practical application of this technique comes from a solution I created for a client. Software developers using the Perforce source-code management system wanted remote access to the master source repository. Their corporate firewall software did not support Linux-based VPNs. For those developers using laptops or developers whose ISPs did not provide static IP addresses, access could not be provided through the firewall based on IPs.

To allow remote use of Perforce under these restrictions, I decided to tunnel the connections.

To create a tunnel for Perforce through SSH, clients run the following command, entering pass phrases or passwords as prompted:

ssh -P -t -l proxyuser -L 1616:localhost:2468 proxy.my-domain.com \
ssh -l internaluser -L 2468:internalserver:1616 internalserver

The -P switch causes SSH to use a non-privileged port for outgoing connections, which may be required for some firewalls, as it was for this client. In the command above, 1616 is the standard Perforce port, and 2468 is an arbitrarily selected port, allocated for a particular user on the proxy server. (Each user had two unprivileged ports assigned for the user's own use.) By having the local port set to 1616, Perforce clients worked with no configuration changes, as though a Perforce server were running locally.

Conclusion

SSH tunneling through a proxy server can be done quickly and simply using a single command line, providing transparent, secure access to network services.

Note

sshd must allow port forwarding for this technique to work. If this capability is not allowed by default, the parameter AllowTcpForwarding must be set to yes in the sshd configuration file.

About the Author

Terry Labach has been a system administrator since the last century, supporting the Solaris OS and other versions of UNIX. He holds university degrees in Physics and Computer Science.

The information and links on this page have been provided by a BigAdmin user. The submitter is solely responsible for such information and links. Sun is not responsible for the availability of external sites or resources, and does not endorse and is not responsible or liable for any content, advertising, products, or other materials on or available from such sites or resources. Sun will not be responsible or liable, directly or indirectly, for any actual or alleged damage or loss caused by or in connection with use of or reliance on the information posted here, or goods or services available on or through any external site or resource.

Unless otherwise licensed, code in all technical manuals herein (including articles, FAQs, samples) is provided under this License.