SSH Port forwarding

Do you have ssh access to your office network, but you also need http access to a machine inside it? Here is a way to tunnel that web traffic over the secure ssh connection, so you can browse the office intranet from home.

Don't try this without getting permission first! Your employer might not have understood how much access they had given you when they handed you that ssh login. The feature you need is called port forwarding. The idea is that your local ssh program listens on a port on your machine and forwards every connection to that port, through the ssh session, to a host and port that the remote machine can reach (any host the remote machine can reach, not just the ssh server itself).

For example, I could forward port 8080 on 127.0.0.1 to intranet.mycompaniesinternalnetwork.com port 80. Pretty cool, eh? Again, as I mentioned at the top, whoever granted you ssh access probably didn't realize that once you are logged in you can forward anything else the ssh server can reach. Make sure they understand what you intend to do!

First, on the machine you are connecting from, create or edit the file ~/.ssh/config. This file specifies which local ports to listen on and which machines to forward them to. Let's pretend we want to ssh into a machine we'll nickname ted. Here is an example ~/.ssh/config that connects to firewall.mycompaniesinternalnetwork.com and then starts forwarding port 8080 of your machine. Note that LocalForward takes two arguments separated by whitespace: the local port to listen on, then the host:port to forward it to.

Host ted
    HostName firewall.mycompaniesinternalnetwork.com
    LocalForward 8080 intranet.mycompaniesinternalnetwork.com:80

That's all it takes! The forward only exists while that ssh session is open; close the session and port 8080 stops listening. So to test it you would run

ssh ted

and then, once you have logged in, point your browser at http://127.0.0.1:8080/ to reach http://intranet.mycompaniesinternalnetwork.com/. But wait! We can do one better. Rather than always typing 127.0.0.1, we can add an entry to our /etc/hosts file so that intranet.mycompaniesinternalnetwork.com resolves to 127.0.0.1 on our machine. That entry looks like this:

127.0.0.1   intranet.mycompaniesinternalnetwork.com

Now we can connect to http://intranet.mycompaniesinternalnetwork.com:8080/ and it's just like connecting to port 80 of the real site (which is where the traffic ultimately ends up). Two things to keep in mind. The hosts entry is system-wide, so every program on your machine now sends that name to 127.0.0.1, even when the tunnel is down. And it does not make the tunnel loop back on itself: the target name in the LocalForward line is resolved by the remote ssh server, not by your machine. In case you are curious, on Unix-like systems only root can bind a listener to a low-numbered (so-called well-known, below 1024) port. That is the reason for the 8080 port number.
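As an added example that is not part of the original post, here is the same forward wrapped in a small POSIX shell script: it starts the tunnel without opening a remote shell (-N), backgrounds it (-f), keeps a ControlMaster socket so the tunnel can be checked and shut down later (-M/-S and -O check/exit), refuses privileged local ports, and fetches a page through the tunnel with curl --resolve instead of editing /etc/hosts. The alias ted, port 8080 and the intranet hostname are the post's own; the control socket path under ~/.ssh is an assumption of this script.

```sh
#!/bin/sh
# Added example, not code from the original post. Wraps the post's LocalForward
# (ted -> intranet.mycompaniesinternalnetwork.com:80 on local port 8080) in a
# script that can start, check, use and stop the tunnel.
set -eu

HOST_ALIAS="ted"
LOCAL_PORT="8080"
TARGET_HOST="intranet.mycompaniesinternalnetwork.com"
TARGET_PORT="80"
CTL_SOCK="${HOME}/.ssh/ctl-${HOST_ALIAS}"   # assumed path for the ControlMaster socket

# Ports below 1024 need root (CAP_NET_BIND_SERVICE on Linux) to bind; stay above them.
is_privileged_port() {
    [ "$1" -lt 1024 ]
}

# Build the command-line equivalent of the config file's LocalForward.
# Binding to 127.0.0.1 explicitly keeps the forwarded port off your home LAN.
# $1 alias, $2 local port, $3 target host, $4 target port
build_forward_cmd() {
    printf 'ssh -N -L 127.0.0.1:%s:%s:%s %s' "$2" "$3" "$4" "$1"
}

start_tunnel() {
    if is_privileged_port "$LOCAL_PORT"; then
        echo "refusing privileged local port $LOCAL_PORT" >&2
        return 1
    fi
    # -f: go to background after authentication, -N: no remote shell,
    # -M/-S: become a ControlMaster on a socket we can query and close later.
    ssh -f -N -M -S "$CTL_SOCK" \
        -L "127.0.0.1:${LOCAL_PORT}:${TARGET_HOST}:${TARGET_PORT}" "$HOST_ALIAS"
}

# Ask the master connection whether it is still alive.
tunnel_up() {
    ssh -S "$CTL_SOCK" -O check "$HOST_ALIAS" >/dev/null 2>&1
}

# Fetch the intranet front page through the tunnel with the right Host header.
# --resolve pins the name to 127.0.0.1 for this one request only, so nothing
# system-wide (like /etc/hosts) has to change.
fetch_via_tunnel() {
    curl -sS --resolve "${TARGET_HOST}:${LOCAL_PORT}:127.0.0.1" \
        "http://${TARGET_HOST}:${LOCAL_PORT}/"
}

stop_tunnel() {
    ssh -S "$CTL_SOCK" -O exit "$HOST_ALIAS"
}

case "${1:-}" in
    start) start_tunnel ;;
    check) if tunnel_up; then echo "tunnel is up"; else echo "tunnel is down" >&2; exit 1; fi ;;
    fetch) fetch_via_tunnel ;;
    stop)  stop_tunnel ;;
    "")    ;;   # no subcommand: just define the functions (e.g. when sourced)
    *)     echo "usage: $0 start|check|fetch|stop" >&2; exit 2 ;;
esac
```

Run it as `./tunnel.sh start`, then `./tunnel.sh fetch` and finally `./tunnel.sh stop`. If your ~/.ssh/config already carries the LocalForward line for ted, drop the -L option from start_tunnel; otherwise ssh would try to bind port 8080 twice. The -N flag matters from a least-privilege standpoint: the tunnel never opens an interactive shell on the firewall, and the ControlMaster socket lets you verify the tunnel is really down when you are finished rather than leaving a forgotten forward running in the background.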
