I have a domain that I bought from DynDNS. I pointed the domain at my IP address so I can run servers. The problem I have is that I don't live near the server computer... Can I use an ssh tunnel? As I understand it, this will let me have access to my servers. I want the remote computer to direct traffic from port 8080 over the ssh tunnel to the ssh client, being my laptop's port 80. Is this possible?
3 Answers
This is actually pretty easy to accomplish, even though it's somewhat buried in the ssh documentation. Assuming OpenSSH, the basic syntax is as follows:
ssh -R 8080:localhost:80 -N username@your-server.dyndns.org
This will open a listening socket on port 8080 of your-server.dyndns.org, and any connections that are made onto your-server.dyndns.org:8080 will be forwarded over the SSH tunnel to the computer which has opened that SSH connection, and from there will be directed to localhost:80.
The -N option instructs SSH not to open a shell or whatever, just to establish the port forwarding, so you can send it into the background and leave it running.
PuTTY uses pretty much the same syntax, but wrapped into some sort of GUI. The principle is the same though.
But be careful in what you do. Since you're essentially funneling external traffic into your network, you are pushing a hole in your network's firewall. If it is not your network, your admin may object to this and hold you responsible—usually there is a reason why you are not allowed certain kinds of traffic.
-
No, it's just my home network, and I'm using ssh on a Mac, which I think is an implementation of OpenSSH code, but going to mysite.com:8080 is giving an error of a nonexistent server. I checked with telnet and it says there's nothing – Trevor Rudolph Dec 10 '12 at 02:06
-
But I just checked on the remote computer and it says this: `tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN 0 14875755 -` – Trevor Rudolph Dec 10 '12 at 02:07
-
What exactly does your command line look like? The `localhost:80` part is the crucial thing here—it has to exist from the point of view of your local computer, not of the remote one, otherwise you'll get errors like the above. – Vucar Timnärakrul Dec 10 '12 at 02:15
-
Yeah, I wrote in 127.0.0.1 instead, I'll try localhost... – Trevor Rudolph Dec 10 '12 at 02:25
-
Nope, just tried `macbookpro:~ trevor$ ssh -R 8080:localhost:80 -N root@blank.com` and it didn't work on the other side trying to access 8080. Let me check port forwarding on the remote router – Trevor Rudolph Dec 10 '12 at 02:27
-
It seems as if the remote side only binds on localhost instead of to all interfaces. Try doing it this way: `ssh -R *:8080:localhost:80 -N ...`, that way you're telling it to listen on port 8080 on all network interfaces that are in reach. The line above worked on my PC, but maybe the Mac version of ssh works slightly differently. – Vucar Timnärakrul Dec 10 '12 at 02:28
-
In any case, try adding `-v` to your ssh command line; then you'll see more about what's going on and how exactly ssh is building the wrong kind of tunnel. Look for lines like `Remote connections from LOCALHOST:19050 forwarded to local address localhost:22`. – Vucar Timnärakrul Dec 10 '12 at 02:30
-
This is what you mean: `debug1: remote forward success for: listen 8080, connect localhost:80` – Trevor Rudolph Dec 10 '12 at 02:37
-
It seems to be set up correctly. When you try to connect to this, what exactly do you do, and what exactly is your error message? Are you sure that there is no firewall blocking port 8080 on the remote end? – Vucar Timnärakrul Dec 10 '12 at 02:46
-
Another thing: You most likely do *not* want to build your reverse tunnels as root if not strictly necessary, especially as you may leave your tunnel running once it works. – Vucar Timnärakrul Dec 10 '12 at 03:02
-
Well, even if I set up the tunnel and run `curl http://127.0.0.1:8080` over ssh, it doesn't put out the "Hello" it's supposed to, but it just stays delayed forever – Trevor Rudolph Dec 10 '12 at 04:05
-
OH MY GOD IT WORKED NEVER MIND HAHAHA – Trevor Rudolph Dec 10 '12 at 04:07
To be able to forward your local port 80 not only to the loopback interface (127.0.0.1), you have to configure GatewayPorts clientspecified in /etc/ssh/sshd_config on the remote machine first.
Then forward your port with:
ssh -R 0.0.0.0:8080:localhost:80 -N foo@bar.dyndns.org
Here is how you forward your webserver localhost:80 to a remote port 8080:
$ ssh -N -R 0.0.0.0:8080:localhost:80 <user>@<remote-host>
You need to do 0.0.0.0:8080 to specify that you need a publicly accessible port: ssh would bind to "localhost" by default!
But by default, ssh is not allowed to open ports on the remote machine, so this is the sshd config you need to add:
AllowTcpForwarding yes
GatewayPorts yes
This normally goes into /etc/ssh/sshd_config or better, create a file in /etc/ssh/sshd_config.d/.
If it's scary to restart the SSH server, ask it to reload your config. On Amazon AWS, this is how you do it:
$ sudo /etc/init.d/ssh reload
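How the `-R` bind address and the server's `GatewayPorts` setting combine, as an added example that is not code from any of the answers: it models OpenSSH's documented behaviour for the three `-R` forms used on this page. The helper name `predict_bind` is hypothetical, and it assumes IPv4 or hostname bind addresses and a client running with default settings.

```shell
#!/bin/sh
# Added example: predict where sshd binds an `ssh -R` listener.
#   $1 = server GatewayPorts value: no | yes | clientspecified
#   $2 = the -R argument in the form [bind_address:]port:host:hostport
# Assumptions: IPv4 or hostname bind addresses (no bracketed IPv6) and a
# client running with its default settings.
predict_bind() {
    gw="$1"; spec="$2"
    # 3 colon-separated fields = no bind_address, 4 = bind_address given.
    fields=$(printf '%s' "$spec" | awk -F: '{ print NF }')
    case "$fields" in
        3) bind="localhost" ;;       # client default: ask for loopback
        4) bind="${spec%%:*}" ;;     # text before the first colon
        *) echo "invalid"; return 1 ;;
    esac
    case "$gw" in
        no)  echo "loopback" ;;            # client request is ignored
        yes) echo "all-interfaces" ;;      # wildcard is forced
        clientspecified)
            case "$bind" in
                ''|'*'|0.0.0.0)  echo "all-interfaces" ;;
                localhost|127.*) echo "loopback" ;;
                *)               echo "$bind" ;;
            esac ;;
        *)   echo "invalid"; return 1 ;;
    esac
}

# The three -R forms that appear on this page, under each server setting.
for spec in '8080:localhost:80' '*:8080:localhost:80' '0.0.0.0:8080:localhost:80'; do
    for gw in no clientspecified yes; do
        printf '%-16s -R %-26s -> %s\n' "$gw" "$spec" "$(predict_bind "$gw" "$spec")"
    done
done
```

On a real server, the value for the first argument is the `gatewayports` line printed by `sudo sshd -T`. With `clientspecified`, a forward is only reachable from outside when the client explicitly asks for it, which keeps the exposure a per-tunnel decision.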