Ssh -L sourcePort:forwardToHost:onPort connectToHost means: connect with ssh to connectToHost, and forward all connection attempts to the local sourcePort to port onPort on the machine called forwardToHost, which can be reached from the connectToHost machine.
Local: -L Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side. The machine, where the ssh tunnel command is typed is called »your host«. Tips on using ControlMaster to maintain your tunnel.Expose the reverse endpoint on a non-localhost IP.The -W option is used to open a connection to a remote host in order to continue the SSH conversation. Prox圜ommand ssh -fWlocalhost:22222 yourpublichost The firewalleduser field must match your username on the remote server, but firewalledhost can be any name that suits you, the name doesn't have to match anything resolvable, since your connection is governed by Hostname and Port.Īlternately, if you want to reach this from elsewhere on the Internet, you might add the following to your ~/.ssh/config: host firewalledhost
If you're going to be accessing this host on a regular basis, you can also simplify access by adding a few lines to your ~/.ssh/config file on yourpublichost: host firewalledhostĪdjust firewalledhost and firewalleduser to suit.
#SSH REVERSE TUNNEL EXAMPLE PASSWORD#
Then you'll get a password challenge for the username account (unless you've set up keys for passwordless login). Now that the -R service tunnel is active, you can connect to it from yourpublichost, establish a connection to the firewalled host through the tunnel: ssh -p 22222 get a host key challenge, as you've probably never hit this host before. (Note that if you intend to leave a connection open long term, unattended, possibly having it automatically refresh the connection when it goes down (by parsing ssh -O check ), I recommend using a separate, unique SSH key for it that you set up for just this tunnel/customer/server, especially if you are using RemoteForward. There will be a password challenge unless you have set up a key for a passwordless login. -T disables pseudo-tty allocation, which is appropriate because you're not trying to create an interactive shell.If all you're creating is a tunnel, then including this option saves resources. -N says that you want an SSH connection, but you don't actually want to run any remote commands.-f tells ssh to background itself after it authenticates, so you don't have to sit around running something like sleep on the remote server for the tunnel to remain alive.your ssh client in this case, on the target host). Anything that attaches to port 22222 on the far end of the tunnel will actually reach "localhost port 22", where "localhost" is from the perspective of the exit point of the tunnel (i.e. This tells the client on your target host to establish a tunnel with a -Remote entry point. Of the two models shown above, you want the one on the right.įrom the firewalled host: ssh -f -N -T -R22222:localhost:22 To be able to SSH from the Internet into a host behind a firewall, you need the target host to open an SSH connection to a host on the outside and include a -R tunnel whose "entry" point is the "remote" side of its connection. The -R option tells the tunnel to bind on the remote side (the SSH server). The -L option tells the tunnel to bind on the local side of the tunnel (the host running your client). When you create a tunnel, you specify an address and port on which it will answer (or "bind"), and an address and port to which it will be delivered. This is kind of important, so please correct this assumption if it is false.) (You haven't said, but I'm going to assume that the "remote" machine you've mentioned, the one behind the firewall, can access the Internet using Network Address Translation (NAT). All the smaller tubes have the same endpoints, except that the role of "start" or "end" is determined by whether you used -L or -R (respectively) to create them. The big tube, your SSH connection, started with your SSH client and ends up at the SSH server you connected to. Your ssh remote shell actually communicates with you using one of these smaller, embedded tubes attached to stdio.Įvery tube has a beginning and an end. You still have the big SSH connection, but the -L or -R option lets you set up a smaller tube inside it. Think of your tunnel as another tube within a tube. The shell runs in a virtual terminal (tty) through that tube. Normally, you'll reach through these tubes to run a shell on a remote computer. I love explaining this kind of thing through visualization.
0 kommentar(er)
