


April 2022

ssh tunnels, cheat-sheet

Static tunnels

Build a static tunnel:
    ssh -L LocalIP:LocalPort:RemoteIP:RemotePort user@JumpHost

or if you do not want to bind to a specific local IP:

    ssh -L LocalPort:RemoteIP:RemotePort user@JumpHost

Example (tunnel from 192.168.1.21, port 22, to local-port 2122):

    ssh -L 2122:192.168.1.21:22 guido@10.0.0.10

Use a static tunnel:
    ssh -p 2122 user@localhost
    scp -P 2122 file user@localhost
    sftp -P 2122 user@localhost

192.168.1.21 is a remote host behind jump-host 10.0.0.10 that is not directly reachable from your local PC.
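
The LocalIP field decides who can reach the tunnel entrance: without it ssh listens on loopback only (client default "GatewayPorts no"), while an empty field, '*' or 0.0.0.0 opens the port on every interface of your PC. The following is an added example, not part of the original cheat-sheet; the function names are made up for illustration, and it handles only IPv4 addresses and host names in the two -L forms shown above.

```shell
#!/bin/sh
# Added example: classify where an "ssh -L" forward spec will listen.
# Bracketed IPv6 bind addresses are not handled.

# valid_port N: succeeds if N is an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*|??????*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# classify_forward SPEC: prints where the local listener will bind:
#   loopback | all-interfaces | single-address | invalid
# Assumes the client default "GatewayPorts no" for the 3-field form.
classify_forward() {
    _old_ifs=$IFS
    IFS=:
    set -f                      # keep a literal '*' bind address from globbing
    set -- $1                   # split SPEC on ':' into positional parameters
    set +f
    IFS=$_old_ifs
    case $# in
        3) _bind=localhost; _lport=$1; _rhost=$2; _rport=$3 ;;
        4) _bind=$1; _lport=$2; _rhost=$3; _rport=$4 ;;
        *) echo invalid; return 0 ;;
    esac
    if [ -z "$_rhost" ] || ! valid_port "$_lport" || ! valid_port "$_rport"; then
        echo invalid; return 0
    fi
    case "$_bind" in
        localhost|127.*.*.*) echo loopback ;;
        ''|'*'|0.0.0.0)      echo all-interfaces ;;
        *)                   echo single-address ;;
    esac
}

# loopback_cmd LPORT RHOST RPORT USER@JUMPHOST: prints an ssh command that
# pins the listener to 127.0.0.1, runs no remote command (-N) and exits
# instead of staying connected if the forward cannot be set up.
loopback_cmd() {
    [ "$(classify_forward "$1:$2:$3")" = loopback ] || return 1
    echo "ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:$1:$2:$3 $4"
}
```

For the example tunnel above, loopback_cmd 2122 192.168.1.21 22 guido@10.0.0.10 prints the same forward with the listener pinned to 127.0.0.1.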

Dynamic tunnels (socks5)

Build the tunnel:
    ssh -D LocalPort user@JumpHost

Example:

    ssh -D 3333 user@10.0.0.10


Use the tunnel:
    ssh -o 'ProxyCommand socat - socks:127.0.0.1:%h:%p,socksport=3333' user@192.168.1.21
    scp -o 'ProxyCommand socat - socks:127.0.0.1:%h:%p,socksport=3333' file_on_you_pc.txt user@192.168.1.21:/tmp
    sftp -o 'ProxyCommand socat - socks:127.0.0.1:%h:%p,socksport=3333' user@192.168.1.21
    google-chrome --proxy-server="socks://localhost:3333" http://192.168.1.21
    curl --socks5 localhost:3333 http://192.168.1.21

192.168.1.21 is a remote host behind jump-host 10.0.0.10 that is not directly reachable from your local PC.

Netcat as a proxy

In some cases forwarding is disabled on the ssh server side. You cannot tunnel traffic via that server; however, running a proxy command on the server side might not be disabled. You can then use nc or netcat as a very simple proxy to do the forwarding. That is: you can reach a host behind the jump server from your computer via that netcat proxy:

    ssh -o 'ProxyCommand ssh user@10.0.0.10 nc %h %p' user@192.168.1.21

or

    ssh -o 'ProxyCommand ssh user@10.0.0.10 netcat %h %p' user@192.168.1.21

This does ssh user@10.0.0.10 and then runs nc (or netcat) on the jumphost (10.0.0.10):

    nc 192.168.1.21 22

netcat or nc has to be available on the jumphost.

This command prompts you twice for the password: first at 10.0.0.10 and then at 192.168.1.21.




© 2004-2025 Guido Socher