In a previous post, we introduced SSH port forwarding, and demonstrated an example about how to forward a port on your local machine to a remote one. In this post, let’s have a look at the second type of SSH port forwarding: the reverse.
What is reverse port forwarding?
While local port forwarding works by opening a port on your local host (or the source host), all traffic arriving at this port will be automatically forwarded to - through SSH - to another port on a remote host. It works like this (web traffic as an example): source host (port 2280) => destination host (port 80) There could be a firewall between the source and destination hosts that only allows SSH traffic. However, using SSH tunnels, you can pass any traffic inside this your legitimate SSH connection. All what will appear in the firewall logs is some SSH traffic going from host A to host B. What about reverse port forwarding? It works the same way but with roles reversed. Let’s have an example.
Real-world example: Allowing web traffic to bypass firewalls
Bob works in a company where a firewall is deployed, blocking any outside traffic. Users behind the firewall are allowed to make SSH connections to hosts outside the company. Now, Bob has just built an awesome web application to be used as a web portal for himself and colleagues. Things would’ve worked well except that nasty error that appears whenever he tries to access the latest articles page. He reached out to his friend, Tommy, who happens to work in a software house. Tommy can aid his friend sort out the error if he could just have some temporary access to the web application. Now, both Bob and Tommy own a shared Linux-based EC2 instance named ubuntu-ec2 hosted on Amazon AWS. Bob was able to give Tommy access by issuing the following command:
ssh -R 2222:localhost:80 ubuntu-ec2
What this command does is:
- Open port
2222on ubuntu-ec2 (hosted on AWS)
- Create a tunnel that will enable traffic arriving at the remote port to be forwarded to port
localhost. All what Tommy needs to do now is to login to the ubuntu host, fireup Firefox and navigate to http://localhost:2222. Traffic going to the
localhoston Ubuntu will be intercepted by the SSH daemon and forwarded to Bob’s machine on port 80. Tommy can see the Bob’s web application and help him out.
Tommy: but I want to connect from my own machine!
While the solution provided here will work, it suffers an important drawback: Tommy needs to connect to the Ubuntu host first, and open the browser from inside it. The problem is, Tommy has got some tools and plugins on this local machine that he needs to use to diagnose and help Bob fix the error. So, their third friend, Emma who works as a Linux engineer advised them to make some changes to their ubuntu’s SSH configuration. So, Tommy logged in to the server and issued the following command to edit the default SSH configuration file:
sudo vim /etc/sshd_config
and added the following line:
Of course restart the SSH daemon for the new settings to take effect:
systemctl restart sshd
service sshd restart
Now, when Bob issues the tunneling command again, Tommy can open Firefox from his local machine and navigate to
http://ubuntu-ec2:2222 to have the same access to Bob’s machine as before. Only this time, from his own laptop.
Notice that this setting is set to ‘no’ by default as a security precaution
Yes, port forwarding as much as the benefit it provides, also comes with its own security threats. Settings like
GatewayPorts and even allowing foreign traffic to pass through your fiirewall is a huge security risk. You should take all the necessary precautions and enable this technology only when in absolute need.
A Simple, free, but working VPN access
If you’re not already aware of its existence, VPN (Virtual Private Network) is widely used to enable IT professionals as well as others to access their local machines from home. The technology behind this is simple: create an encrypted tunnel from the employee’s laptop to the corporate’s firewall, and further to a server dedicated for this type of access. There are several commercial solutions that offer VPN capabilities, some of them will cost you huge somes of money, some others will have a lower price tag. It all depend on the features each solution provides. But, for a very simple, perhaps one-time access to your local machine from outside your network firewall, SSH tunnels may help. The above example could be slightly modified to be as follows:
ssh -R 2222:localhost:22 ubuntu-ec2
Now, whenever you want to gain SSH access to your local machine, all what you need to do is establish an SSH terminal session with ubuntu-ec2 like:
Then, from whithin the session, initiate an SSH connection with
localhost on port
2222 as follows:
ssh -p 2222 localhost
And you are inside your machine’s terminal. If you need to directly access your machine through the Ubuntu host without having to connect to it first, ensure that
GatewayPorts yes line exists in your
/etc/ssh/sshd_config. Then you can do the same thing in one line as follows:
ssh -p 2222 ubuntu-ec2