
SSH tunnel through bastion host




Do you have services deep in another network that you’d like to access as if you were on that network, but only have access to a different host via SSH and no VPN? Then the answer to your problems may just be SSH tunneling. SSH tunneling requires only a single SSH command and sets up an encrypted tunnel between a port on your local machine and the target SSH server, referred to hereafter as the jumpbox (you may also hear it referred to as a bastion host). The jumpbox can then forward traffic to a service it can see, providing you reasonably secure access from your local machine to the otherwise inaccessible service.

Here’s an example command that establishes a tunnel from the local port 1234 to port 8080 on the deep server via the jumpbox. We’ll use this example for the remainder of the post.

ssh -L 1234::8080

the component parts being:

ssh -L ::

That might be enough to get some of you going, but for those of you unsure about what hostname/IP and port to plug into the command I’ll provide some clarity by way of a diagram.

Every box that’s green is a computer and the orange box is a process running on the workstation the human is sitting at. The green line represents encrypted traffic and could certainly be traversing the internet. The red lines are plaintext (or at least not encrypted by SSH) traffic. Again, we can curl at localhost:1234, the traffic flows through the SSH tunnel to the jumpbox, and then terminates at the deep server on port 8080.

workstation: The machine the human is directly using. It is likely on an entirely different network than the rest of the machines in the diagram.

jumpbox: This machine is the SSH server that’s accessible to workstation. This machine may very well even be accessible over the open internet. For our purposes here this machine will be running no other useful services. Its job is simply to pass traffic through to our deeply embedded server.

deep server: This is the deep service we’re trying to connect to. This machine is likely not accessible over the internet or by workstation directly in any way. In practice this machine might be a database server, internal app server, or something that’s relatively well-protected. For our purposes here, we’ll just run an nginx process on this server on port 8080, but it could be anything.

The first thing we’ll do is establish the SSH tunnel from our workstation to the jumpbox with the following command.

ssh -L 1234::8080

What may not be obvious, however, is that we also established a tunnel from our local port 1234 (any non-privileged port that’s not in use will do) through the jumpbox to the deep server on port 8080. Note the -L parameter, which is what instructed SSH to set the tunnel up, and which in our case is: 1234::8080

As a test payload we’ll run nginx on the deep server. In this case, nginx is configured to run on port 8080.

Now we’re ready to test our tunnel! We’ll use curl on our workstation, just to keep things simple. Note that on workstation we’re curling to our own localhost! That’s because the tunnel is created with the near end on the local machine. This traffic will then be passed to the deep server per the -L parameter we passed to ssh. Note that this traffic could be almost anything TCP-based, like traffic to a database server. There are also advanced techniques for forwarding UDP traffic, but they’re beyond the scope of this article.
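The whole procedure from the post (tunnel up, curl through it, tunnel down) as an added shell example that is not the post’s own code. The hostnames jumpbox.example.net and app.internal are constructed stand-ins for the jumpbox and the deep server; the flags beyond -L (-N, -f, ExitOnForwardFailure, the control socket) are standard OpenSSH options added here as the checks a practitioner would want around a forwarded port.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Constructed names:
# jumpbox.example.net is the bastion, app.internal is the deep server;
# ports 1234 (local) and 8080 (nginx) are the post's own.
set -eu

# Build the -L argument: bind_address:local_port:remote_host:remote_port.
# Binding explicitly to 127.0.0.1 keeps the near end reachable only from this
# workstation; anything that can reach the listener reaches remote_host with
# the jumpbox's network position, so the loopback bind is stated, not assumed.
forward_spec() {   # forward_spec LOCAL_PORT REMOTE_HOST REMOTE_PORT
  local lport=$1 rhost=$2 rport=$3
  # The post says any unused non-privileged port will do; enforce that range.
  if [ "$lport" -lt 1024 ] || [ "$lport" -gt 65535 ]; then
    echo "local port must be in 1024-65535, got $lport" >&2
    return 1
  fi
  printf '127.0.0.1:%s:%s:%s\n' "$lport" "$rhost" "$rport"
}

# Open the tunnel. -N opens no shell on the jumpbox, -f backgrounds ssh after
# authentication, ExitOnForwardFailure turns a failed local bind into a hard
# error instead of a silent session with no tunnel, and the -M/-S control
# socket gives a clean handle for tearing the tunnel down afterwards.
# SSH defaults to the real ssh binary; set SSH=echo to dry-run the command.
open_tunnel() {    # open_tunnel JUMPBOX SPEC SOCKET
  "${SSH:-ssh}" -f -N -M -S "$3" -o ExitOnForwardFailure=yes -L "$2" "$1"
}

close_tunnel() {   # close_tunnel JUMPBOX SOCKET
  "${SSH:-ssh}" -S "$2" -O exit "$1"
}

# The post's test: curl our own localhost; ssh carries the request to the
# deep server's port 8080 and the response back through the tunnel.
run_demo() {
  local jumpbox=jumpbox.example.net sock spec
  sock=$(mktemp -u /tmp/tunnel.XXXXXX)
  spec=$(forward_spec 1234 app.internal 8080)
  open_tunnel "$jumpbox" "$spec" "$sock"
  curl -sS --max-time 5 http://127.0.0.1:1234/
  close_tunnel "$jumpbox" "$sock"
}

# Only touch the network when asked: ./tunnel.sh run
if [ "${1:-}" = run ]; then
  run_demo
fi
```

Run it as `./tunnel.sh run` once the names match your environment; with `SSH=echo` set, open_tunnel and close_tunnel only print the ssh command they would execute.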
