SSH Tunnels
Nov 2006
Introduction to tunnels
SSH tunnels are a fantastic tool for secure access to remote machines. Often you would like to use a plain text protocol such as POP3, Telnet, or FTP but do not want to risk someone sniffing your packets. An SSH tunnel gives you an encrypted, authenticated link, and anything you send down it is protected between the two SSH endpoints (it is plain text again once it leaves the far end, so put the far end as close to the real server as you can). SSH tunnels also provide a way to reach boxes that are behind one-way NAT, and that is what this document covers. In the figure below you see a typical setup with two computers. Each computer is behind a one-way NAT provided by its ISP. One-way NAT means the ISP allows outbound connections but does not map anything for inbound.

As the arrows show, the connections are one-way: the client computers can establish new connections out, but outside systems cannot connect to them directly. While this is good for the security of the client systems, it is a problem for some applications. For example, computer A is your work system and computer B is your home computer. You get to work and realize you forgot the files you worked on over the weekend. Normally you would have to drive home and get them. Thankfully SSH tunnels save the day.
Simple Tunnel
To set up a simple SSH tunnel you need an SSH account on the remote system. The following example lets you read mail with POP3 (or send it with SMTP) securely to a mail server on the internet. As the figure below shows, the SSH tunnel creates a secure pipe to the server, and the mail client talks to the local end of that pipe instead of to the server directly.

To create this type of tunnel, use the -L (local forward) option. It makes the ssh client listen on a local port and carry every connection made to that port through the SSH session to the mail server, where sshd connects to the real POP3 port:
ssh -L 20110:localhost:110 mail.domain.com
Then point the mail client at POP3 server localhost, port 20110. From the mail server's point of view the POP3 connection arrives from its own loopback interface, and nothing on the wire between you and it is readable. Good things to add to this command are -N (no remote command, just the forward) and -f (go to the background once authenticated); an & to fork into the background works too.
Dual Tunnels
Now in our first figure you can see that there are two NAT ISPs to work around. The previous simple tunnel works only if computer B has a public IP address, because computer A has to be able to open the SSH connection to it. In our first figure both computers are behind a NAT and cannot accept outside connections. For this to work we need a third system with a public address and an SSH account on it. Both computers A and B create an SSH tunnel to this system, and the two tunnels are joined there, so traffic from A goes down one tunnel and back out the other to B.

Real World Example
Theory is great, but how about a real world example?

This example uses an SSH account on the firewall to create the dual tunnels. Since ISP A only allows outbound connections, the home computer must establish the connection to the firewall first, asking sshd there to listen on port 2222 and hand anything that connects to it back down the tunnel to the home computer's own sshd on port 22:
ssh -R 2222:localhost:22 firewall.domain.com
Note that sshd binds that port on the firewall's loopback interface only (unless GatewayPorts is enabled in sshd_config), so the other half of the tunnel has to be built from the firewall side. The office workstation locally forwards its own port 2222 to port 2222 on the firewall's loopback to complete the other tunnel:
ssh -L 2222:localhost:2222 firewall.domain.com
Then you can ssh/scp/etc. from the office workstation to the home computer by just telling SSH which port to use (scp takes the port as -P):
ssh -p 2222 localhost
The host key you are offered on that connection belongs to the home computer, not to the office workstation's own sshd, so expect a host key prompt the first time and check the fingerprint before you accept it.
Socks Proxy
Another fantastic feature of OpenSSH is its SOCKS4/5 proxy mode. Let's say you are at work and would like to use IM but the firewall blocks it, or you would like to browse the web without going through the office filtering proxy. The -D (dynamic forwarding) option turns the ssh client itself into a SOCKS4/5 proxy:
ssh -N -f -D 8080 homemachine
Once this command is run, the ssh client goes to the background, keeps an SSH session open to homemachine, and listens on local port 8080 as a SOCKS4/5 proxy. Any program that can use a SOCKS4/5 proxy can send and receive traffic through it; the outgoing connections are opened from homemachine, so the office firewall only ever sees the one SSH session. Gaim, Firefox, and many more programs support a proxy. To use it, simply set the program to use a SOCKS4 or SOCKS5 proxy on 127.0.0.1 port 8080. Then you can enjoy unfiltered network access. Two caveats: leave the listener on 127.0.0.1 (the default) rather than using -D 0.0.0.0:8080, or everyone on the office LAN gets a free ride out through homemachine; and make sure the program resolves names through the proxy as well (SOCKS5 can carry a hostname; in Firefox this is network.proxy.socks_remote_dns in about:config), otherwise the DNS lookups still go to the office resolver and show exactly where you are browsing.
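What a program actually says to the listener on 127.0.0.1:8080, and what the proxy answers, is short enough to show in full. The following is an added example, not code from the original page or from OpenSSH: a minimal SOCKS5 CONNECT handshake with both the client side and a stand-in for the proxy side, plus a constructed echo service standing in for the IM or web server at the far end. The stand-in proxy resolves the host name itself, which is the point of the SOCKS5 domain-name address type: the client never does a DNS lookup of its own. Port numbers are ephemeral and "localhost" is the only host name assumed.

```python
"""SOCKS5 CONNECT exchange, client and server side.  Added example, not code
from the page: the server stands in for the listener "ssh -D 8080" puts on
127.0.0.1:8080, and the echo server is a constructed far-end service."""
import socket
import struct
import threading
from contextlib import suppress

VER, NO_AUTH, CMD_CONNECT = 5, 0x00, 0x01          # no-auth is all ssh -D offers
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_OK, REP_REFUSED, REP_BAD_CMD, REP_BAD_ATYP = 0x00, 0x05, 0x07, 0x08

def _recv_exact(sock, n):
    """SOCKS fields have fixed sizes: read exactly n bytes or fail."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during SOCKS handshake")
        buf += chunk
    return buf

def _reply(rep):  # server reply: ver, rep, rsv, atyp=IPv4, bound addr 0.0.0.0:0
    return struct.pack("!BBBBIH", VER, rep, 0, ATYP_IPV4, 0, 0)

def socks5_connect_request(host, port):
    """CONNECT with the DOMAINNAME address type: the name travels unresolved,
    so the DNS lookup happens at the proxy end, never on the client."""
    name = host.encode()
    return bytes([VER, CMD_CONNECT, 0, ATYP_DOMAIN, len(name)]) + name + struct.pack("!H", port)

def socks5_client(proxy, host, port):
    """Greeting + CONNECT; returns a socket that now leads to host:port."""
    s = socket.create_connection(proxy)
    s.sendall(bytes([VER, 1, NO_AUTH]))               # "1 method offered: none"
    if tuple(_recv_exact(s, 2)) != (VER, NO_AUTH):
        s.close()
        raise ConnectionError("proxy rejected the no-auth method")
    s.sendall(socks5_connect_request(host, port))
    _ver, rep, _rsv, atyp = _recv_exact(s, 4)
    alen = {ATYP_IPV4: 4, ATYP_IPV6: 16}.get(atyp) or _recv_exact(s, 1)[0]
    _recv_exact(s, alen + 2)                          # bound address + port, unused
    if rep != REP_OK:
        s.close()
        raise ConnectionError(f"CONNECT refused, reply code {rep}")
    return s

def _relay(src, dst):
    """Copy src -> dst until EOF, then pass the EOF on to dst."""
    with suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def _serve_one(conn):
    """Server side of the handshake, then relay in both directions."""
    ver, nmethods = _recv_exact(conn, 2)
    if ver != VER or NO_AUTH not in _recv_exact(conn, nmethods):
        conn.sendall(bytes([VER, 0xFF]))              # no acceptable method
        return conn.close()
    conn.sendall(bytes([VER, NO_AUTH]))
    _ver, cmd, _rsv, atyp = _recv_exact(conn, 4)
    if cmd != CMD_CONNECT or atyp != ATYP_DOMAIN:     # this stand-in speaks names only
        conn.sendall(_reply(REP_BAD_CMD if cmd != CMD_CONNECT else REP_BAD_ATYP))
        return conn.close()
    host = _recv_exact(conn, _recv_exact(conn, 1)[0]).decode()
    port = struct.unpack("!H", _recv_exact(conn, 2))[0]
    try:
        target = socket.create_connection((host, port))   # name resolved here, proxy-side
    except OSError:
        conn.sendall(_reply(REP_REFUSED))
        return conn.close()
    conn.sendall(_reply(REP_OK))
    threading.Thread(target=_relay, args=(conn, target), daemon=True).start()
    _relay(target, conn)

def _listen(handler):  # ephemeral loopback listener, one thread per client
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    def loop():
        while True:
            c, _ = srv.accept()
            threading.Thread(target=handler, args=(c,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()

def start_socks5_server():  # stand-in for ssh -D's listener; returns (host, port)
    return _listen(_serve_one)
def start_echo_server():  # constructed far-end service; returns (host, port)
    return _listen(lambda c: _relay(c, c))

def demo():
    """Reach the echo server through the proxy by host name; return the echo."""
    proxy, echo = start_socks5_server(), start_echo_server()
    with socks5_client(proxy, "localhost", echo[1]) as s:
        s.sendall(b"hello through socks")
        return _recv_exact(s, len(b"hello through socks"))
```

Call demo() to push a string through the stand-in proxy to the echo service and get it back. With a real ssh -D you replace start_socks5_server() with the address ("127.0.0.1", 8080) and the client side is unchanged, which is exactly why any SOCKS-capable program works without knowing anything about SSH.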
Notes
You must be root to bind to a port number less than 1024. So in the above examples I used 2222 (and 20110) as the local port so the command may be run as a normal user. Also, depending on how evil your ISP is, it may kill a connection that has had no traffic on it for a period of time. This can be fixed with a simple ls -l /foobar now and then just to keep the connection alive, or more cleanly with the ServerAliveInterval option (for example ssh -o ServerAliveInterval=60 ...), which makes the client send a keepalive inside the encrypted session every 60 seconds and also lets it notice when the link has really died instead of sitting on a dead TCP session forever.
I have a cron job set up to keep an SSH tunnel open from home to work and check it every 5-10 minutes. This way, if I need to access my files/computer I can just SSH into it. This would also be a good time to bring up the use of SSH keys and ssh-agent... but that's for another time.
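A cron job that checks the tunnel needs two things the page leaves out: a way to tell that the tunnel has actually died (not just that some ssh process is still around) and a restart that does not hammer the firewall when something is wrong. The following is an added example, not code from the original page: a small Python supervisor for the home side of the Real World Example, plus an end-to-end probe for the office side. The host name and port 2222 are the page's; the ssh options, the back-off policy and the fake sshd used to exercise the probe are assumptions.

```python
"""Keeping the dual tunnel alive.  Added example, not code from the page:
the host name and port 2222 are the page's own; the ssh options, the
back-off and the probe are assumptions about how to run this unattended."""
import socket
import subprocess
import threading
import time

FIREWALL = "firewall.domain.com"     # from the page; assumed reachable by ssh key
TUNNEL_PORT = 2222                   # loopback port on the firewall that leads home

def reverse_tunnel_command(firewall=FIREWALL, port=TUNNEL_PORT):
    """The home side's ssh -R, run without -f so we keep the child and notice
    when it exits.  ServerAliveInterval/CountMax make ssh give up within ~3
    minutes of the link dying instead of sitting on a dead TCP session;
    ExitOnForwardFailure makes it exit at once if port 2222 on the firewall
    is still held by a stale session, so the loop retries instead of
    running a useless session with no forward."""
    return ["ssh", "-N",
            "-o", "ServerAliveInterval=60", "-o", "ServerAliveCountMax=3",
            "-o", "ExitOnForwardFailure=yes",
            "-R", f"{port}:localhost:22", firewall]

def supervise(run=None, max_restarts=None, sleep=time.sleep):
    """Run the tunnel and rerun it whenever it exits; returns the number of
    runs (it only returns at all when max_restarts is given).  A clean exit
    is retried after 5 s; errors double the delay up to 5 min so a bad key
    or a held port does not hammer the firewall's sshd."""
    if run is None:
        def run():
            return subprocess.Popen(reverse_tunnel_command()).wait()
    runs, delay = 0, 5
    while max_restarts is None or runs < max_restarts:
        rc = run()                   # blocks until ssh exits
        runs += 1
        delay = 5 if rc == 0 else min(delay * 2, 300)
        sleep(delay)
    return runs

def ssh_banner(host="127.0.0.1", port=TUNNEL_PORT, timeout=5.0):
    """Office-side end-to-end probe.  After 'ssh -L 2222:localhost:2222
    firewall.domain.com' a connect to 127.0.0.1:2222 always succeeds (the
    local ssh client owns that port), so 'port open' proves nothing.  sshd
    speaks first: the home machine's SSH-2.0 banner means the whole chain
    works; an empty read means ssh accepted and then closed the connection
    because the reverse hop on the firewall is gone."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return s.recv(255)
    except OSError:
        return b""

def tunnel_ok(host="127.0.0.1", port=TUNNEL_PORT):
    return ssh_banner(host, port).startswith(b"SSH-")

def start_fake_sshd(banner):
    """Constructed stand-in for the far end: accepts one connection, sends
    banner (possibly nothing) and closes; returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    def run():
        c, _ = srv.accept()
        with c:
            if banner:
                c.sendall(banner)
    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]
```

On the home machine, start supervise() from a boot-time job rather than a 5-minute cron: it does the checking itself, because with ServerAliveInterval set a dead link makes ssh exit and the loop starts a fresh one. On the office workstation, once the -L forward is up, tunnel_ok() tells you whether the chain all the way to the home sshd is alive before you try scp.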