[SGVLUG] example .ssh/config for port forwarding

Claude Felizardo cafelizardo at gmail.com
Sat Jan 12 15:16:31 PST 2013


oh I hate when people don't give complete examples!

I would use either of the following:

   ssh home                         <-- same as ssh -p 5022 my.ip.at.home
   ssh home-forward              <-- sets up all the port forwarding

and of course you can always override via the command line:

   ssh -L 9000:10.5.1.20:80 home    <-- forward localhost:9000 to my nasbox web server

so from my web browser at work I could use the following to connect to my
nasbox at home:

   http://localhost:9000/

You can also daisy-chain these port forwards using multiple hops.  I've
had to do as many as 3 hops.  I used to provide after-hours support during
observation runs at a remote location, but you could only connect via HQ
machines, which would only accept connections from their local or specific
external sites like my desktop at work.  But to get to that I had to go
through a gateway, as our machines were behind a firewall, so I had to do
something like this:

(home) ssh -L 9000:desktop:9001 gateway
(gateway) ssh -L 9001:hq:9002 desktop
(desktop) ssh -L 9002:webserver:80 hq

then I could access the remote webserver from the comfort of home using the
following URL:

   localhost:9000

which was forwarded to my desktop on port 9001
which was forwarded to an hq machine on port 9002
which was forwarded to the realtime webserver on port 80.

I usually did a final hop to the summit machine to monitor logs but didn't
have to forward ports once I was in.  I don't recall if I ever had to do it
in reverse to get X displays as it was usually too laggy so it was usually
VI if I needed to edit anything.

What was tricky was that only some machines honored port forwarding so
there was a lot of exploration trying to find the right path.

Claude


On Sat, Jan 12, 2013 at 2:30 PM, Lan Dang <l.dang at ymail.com> wrote:

> So once you have set this up, what do you do to actually use it? You
> mentioned that you used two aliases
>
> What does your ssh commandline look like now when you're establishing
> these connections?
>
> Thanks,
>
> Lan
>
> ------------------------------
> From: Claude Felizardo <cafelizardo at gmail.com>
> To: SGVLUG Discussion List. <sgvlug at sgvlug.net>
> Subject: [SGVLUG] example .ssh/config for port forwarding
> Sent: Sat, Jan 12, 2013 8:08:23 AM
>
> During the ssh tunneling presentation at the last meeting I mentioned
> that I set up quite a few forwards when I connect from work to home.
> Because I might open multiple connections I don't want to clutter my
> screen with lots of bind errors because I have already created a
> listener for the port so I have two aliases.  The first just does a
> simple connect, the other sets up a slew of forward assignments so I
> can access multiple devices at home.  I can then open a web browser
> and go to localhost:5001 to connect to my router for example.  So
> here's part of my .ssh/config file:
>
> ForwardX11 yes
> ForwardAgent yes
> ForwardX11Trusted yes
>
> Host home
>   Hostname my.ip.at.home
>   Port 5022                                    <-- use non standard port for ssh
>
> Host home-forwards
>   Hostname my.ip.at.home
>   Port 5022                                    <-- use non standard port for ssh
>   # forward connections to TiVos
>   LocalForward 5052 10.5.1.52:80    <-- TiVo's have static IP's so I just add my base port number
>   LocalForward 5053 10.5.1.53:80
>   LocalForward 5054 10.5.1.54:80
>   # forward router
>   LocalForward 5001 10.5.1.1:80      <-- connect to router
>   # forward voice
>   LocalForward 5002 10.5.1.2:80
>   # forward wireless router
>   LocalForward 5004 10.5.1.4:80
>   # forward webmin
>   LocalForward 5010 localhost:10000
>
>   # forward voice
>   LocalForward 5254 10.5.1.254:80
>
> # file server
>   LocalForward 5100 10.5.1.10:80                <-- web server
>   LocalForward 5122 10.5.1.10:22                <-- ssh
>   LocalForward 5110 10.5.1.10:10000          <-- webmin
>
> # hp color printer
>   LocalForward 5211 10.5.1.21:80
>
> # ReadyNAS
>   LocalForward 5200 10.5.1.20:80
>   LocalForward 5222 10.5.1.20:22
>   LocalForward 5243 10.5.1.20:443
>
> # naspro
>   LocalForward 5300 10.5.1.30:80
>   LocalForward 5322 10.5.1.30:22
>   LocalForward 5343 10.5.1.30:443
>
>
> As you can see this would have required a horrendously long list of
> -L lport:rhost:rport options.
>
> Check the man page for ssh.  Make note of the difference between -L
> which opens ports on the local side vs -R which opens ports on the
> remote side.
>
> I'll have to give the -D option a try when I get a chance.
>
> Claude
>
>
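An added worked example (mine, not Claude's and not OpenSSH code) that exercises the two ideas in this thread: a small parser for the subset of ssh_config used above, with an audit that reports local ports two aliases would both try to bind (the "bind errors" that motivated splitting home from home-forwards), forwards bound on non-loopback addresses, and ForwardAgent / ForwardX11Trusted set outside any Host block, plus a tracer for a multi-hop -L chain. The sample config and the three-hop chain are constructed for the example: the chain uses localhost hand-offs on each intermediate machine rather than the exact commands in Claude's reply, and the names work.example, 192.0.2.x and webserver are placeholders.

```python
"""Audit LocalForward entries in an OpenSSH client config and trace chained -L hops.
Added example, not the post's code; parses only 'Keyword value' lines, '#' comments
and Host blocks (options before the first Host go under alias '*', as ssh applies them everywhere)."""
from collections import defaultdict

# Constructed sample: the post's home / home-forwards aliases (trimmed) plus a third
# alias that reuses local port 5001 and binds one forward on every interface.
SAMPLE_CONFIG = """\
ForwardAgent yes
ForwardX11Trusted yes

Host home
  Hostname my.ip.at.home
  Port 5022

Host home-forwards
  Hostname my.ip.at.home
  Port 5022
  LocalForward 5001 10.5.1.1:80      # router
  LocalForward 5200 10.5.1.20:80     # ReadyNAS web
  LocalForward 5222 10.5.1.20:22     # ReadyNAS ssh

Host work-forwards
  Hostname work.example
  LocalForward 5001 192.0.2.10:80
  LocalForward *:5300 192.0.2.30:80
"""
LOOPBACK = {"localhost", "127.0.0.1", "::1", "[::1]"}

def parse_forward(value):
    """'[bind:]port host:hostport' -> dict; ssh binds to loopback when bind is omitted."""
    local, remote = value.split()
    bind, _, lport = local.rpartition(":")
    rhost, _, rport = remote.rpartition(":")
    return {"bind": bind or "localhost", "lport": int(lport),
            "rhost": rhost, "rport": int(rport)}

def parse_ssh_config(text):
    """Return {alias: {"opts": {keyword: value}, "forwards": [forward dicts]}}."""
    hosts = {"*": {"opts": {}, "forwards": []}}
    current = "*"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "host":
            current = value
            hosts[current] = {"opts": {}, "forwards": []}
        elif key == "localforward":
            hosts[current]["forwards"].append(parse_forward(value))
        else:
            hosts[current]["opts"][key] = value
    return hosts

def find_collisions(hosts):
    """(bind, port) -> aliases that all listen on it; connecting two of them at once
    produces the 'bind: Address already in use' noise the post's split alias avoids."""
    users = defaultdict(list)
    for alias, entry in hosts.items():
        for fwd in entry["forwards"]:
            users[(fwd["bind"], fwd["lport"])].append(alias)
    return {k: sorted(v) for k, v in users.items() if len(v) > 1}

def audit(hosts):
    """Findings: risky global options, forwards reachable from other hosts, collisions."""
    findings = []
    for opt in ("forwardagent", "forwardx11trusted"):
        if hosts["*"]["opts"].get(opt, "").lower() == "yes":
            findings.append(f"global {opt} yes reaches every server you ssh to; "
                            "move it into the Host blocks that need it")
    for alias, entry in hosts.items():
        for fwd in entry["forwards"]:
            if fwd["bind"] not in LOOPBACK:
                findings.append(f"{alias}: LocalForward {fwd['bind']}:{fwd['lport']} "
                                "accepts connections from other machines, not just yours")
    for (bind, port), aliases in sorted(find_collisions(hosts).items()):
        findings.append(f"{bind}:{port} is bound by {' and '.join(aliases)}; "
                        "opening both gives 'bind: Address already in use'")
    return findings

# Constructed 3-hop chain of the post's shape, each hop handing off via localhost
# on the machine it tunnels through: (home) ssh -L 9000:localhost:9001 gateway,
# (gateway) ssh -L 9001:localhost:9002 desktop, (desktop) ssh -L 9002:webserver:80 hq
CHAIN = {("home", 9000): ("gateway", "localhost", 9001),
         ("gateway", 9001): ("desktop", "localhost", 9002),
         ("desktop", 9002): ("hq", "webserver", 80)}

def follow_chain(listeners, start):
    """Trace (machine, port) hops through {(machine, port): (via, rhost, rport)}; a forward
    to localhost lands on the via machine, and tracing stops at the first unlistened endpoint."""
    path, seen = [start], set()
    while path[-1] in listeners and path[-1] not in seen:
        seen.add(path[-1])
        via, rhost, rport = listeners[path[-1]]
        path.append((via if rhost == "localhost" else rhost, rport))
    return path

if __name__ == "__main__":
    for finding in audit(parse_ssh_config(SAMPLE_CONFIG)):
        print("-", finding)
    print(" -> ".join(f"{m}:{p}" for m, p in follow_chain(CHAIN, ("home", 9000))))
```

Run as a script it prints the four findings for the sample and the resolved path home:9000 -> gateway:9001 -> desktop:9002 -> webserver:80; to check a real config, read ~/.ssh/config into a string and pass it to parse_ssh_config.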

