29 May 2013

SSH Tunneling

SSH is quite the Swiss Army Knife of networking. One powerful feature that I can never remember is securely tunneling from one machine to another, possibly through a firewall. To do this:

ssh -f matlik@home -L 3000:www.google.com:80 -N

In this example, a proxy connection is established between my local machine’s port 3000 and my home machine (an alias in ~/.ssh/config) on the normal SSH port. Then my home machine relays any network traffic on to google.com on port 80.

Here is another example of making a HTTP server listening only to localhost (not 0.0.0.0) and therefore not handling requests from the outside world accessible from another machine in the “outside world”. Note that the “localhost” in the below command is from the perspective of the remote server.

ssh -f matlikj@192.168.1.4 -L 8000:localhost:8000 -N
  • The -f flag requests ssh to go to background just before command execution.
  • The -L flag binds a local port to a remote port.
  • The -N flag tells ssh not to execute any commands on the remote server, which is useful when forwarding traffic from one machine to another is the goal, as in these examples.

Maintaining such a connection for an extended period of time, particularly if the connection goes through periods of idleness, may be problematic. It is common practice for connections to be dropped when not actively used. If you find that you need to keep the connection alive, you can do a few things:

  1. Update your ~/.ssh/config file to contain the settings ServerAliveInterval 180 and ServerAliveCountMax xxxx where the ServerAliveInterval defines how frequently a keep alive ping should be sent over the open connection, and the ServerAliveCountMax defines how many pings should be performed without real traffic before closing.
  2. Use another program like autossh
  3. Use a shell script to establish the SSH connection in an infinate loop (hackish and messy).