Medical Nerds Blog Logo
medicalnerds.com

technology, stats and IT for medics

 

Port forwarding with SSH/Putty

March 27th, 2007 by Mark · 13 Comments

I regularly exchange data between computers at University and home. To maintain security, I keep a firewall running on all machines, and “tunnel” through the firewall(s) using SSH - the secure shell. For example, I run a web server on my main machine for web application development, and do not wish this to be publicly accessible. My home computer is protected by a hardware firewall, and I use SSH to tunnel access to the web server. Local and remote port forwarding is straightforward, but it can be difficult to understand initially. I have therefore created a list of “recipes” that one can try…

Getting the software

My remote machine is running Debian Linux. I have two local machines running Mac OS X, and Windows XP. Port forwarding is possible on all three machines.

On Linux and Mac OS X, OpenSSH is bundled, and so you already have the necessary software. For Windows, I’d recommend the SSH program Putty. I would recommend downloading the GUI-based client and the command-line client Plink.

Using plink is recommended as it used the same syntax as SSH on Mac OS X and Linux, although once you have things running, you can switch to using the GUI if you wish.

In the examples, I use the address myserver.dyndns.org for the address of your remote server.

Accessing a remote webserver

You want to access a web server running on port 80 your remote machine.

From your local machine, type:

ssh -L 8080:localhost:80 myserver.dyndns.org

This creates a tunnel from port 8080 on your local machine to port 80 on your remote machine. In your web browser go to “http://127.0.0.1:8080/” to view your remote web pages!

Using a remote HTTP proxy

You have a HTTP proxy running, such as squid, on your remote server. You want to browse the internet using your home machine, rather than your university account (for example, if your university account blocks access to certain websites). If your proxy server is running on port 3128:

From your local machine, type:

ssh -L 3128:localhost:3128 myserver.dyndns.org

On your local machine, you need to configure your Internet connection settings (or web browser) to use proxy server 127.0.0.1 port 3128. The web browser thinks it is connecting to a local proxy server, but in fact, all connections are tunnelled to your remote server. Try going to http://whatsmyip.org/ and check the connection is using the remote server!

Tunnelling from remote to local

You have a web server running on a university-bound machine that you need to access from home. You are running a firewall that blocks all incoming connections, and the university is also blocking your address too. How do you access this service from home?

You need to remote port forward:

From the university machine type:

ssh -R 8080:localhost:80 myserver.dyndns.org

This creates a tunnel from port 8080 on your remote machine to port 80 on the local machine. To access your protected web server, you just need to browse the website at “myserver.dyndns.org port 8080″ (i.e., myserver.dyndns.org:8080) and this will connect you to your protected server on the protected network.

Daisy chaining tunnels

It is possible to daisy-chain SSH tunnels through multiple firewalls. I want to show a trusted colleague my protected website. I create a tunnel through our shared intermediary server:

On the protected computer forward remote port 8080 to local port 80.

ssh -R 8080:localhost:80 myserver.dyndns.org

On my colleague’s computer, forward remote port 8080 to local port 80

ssh -L 80:localhost:8080 myserver.dyndns.org

Depending on firewall and proxy settings, it may not be possible to tunnel SSH connections in this way, and I do not condone the use of these techniques for nefarious purposes. I use these techniques to secure my remote systems and ensure I have as few services as possible running on open ports. Reducing the number of running services reducing the change of attack by hackers, and means that the only possible chink in your armour is running the SSH server.

Tags: Free · Open Source · Software

13 responses so far ↓

  • 1 Kev // Apr 24, 2007 at 9:10 pm

    You are a proper nerd Mark, not sure if you’re a MedicalNerd per-se. But a nerd none the less!

  • 2 Andrei // Jul 14, 2008 at 9:44 am

    SSH is a killer software package. I really like all this connection redirecting stuff.

  • 3 Dan // Sep 2, 2008 at 9:18 pm

    I still don’t get it… if all incoming connections are blocked by the firewall (say, at work) you would need an outgoing connection from ssh to initiate the tunnel in the first place. Wouldn’t you?

  • 4 James // Sep 4, 2008 at 6:06 pm

    You need to be able to initiate the outgoing connection from work to home…incoming connections can’t be blocked at your home side for this to work. Suggest you open up a “random” high port on the home router for this purpose and use public/private key authentication techniques or at least a strong password.

  • 5 NED // Jan 8, 2009 at 10:24 pm

    Hi there, I was wondering I am currently studying at Trinity College Dublin, and I have tried to setup a ssh tunnel with PuTTY. The problem is the connection can never establish itself. I suppose it’s their server which has blocked this access. Is there anything I can do?

    Many thanks,

    Edward

  • 6 hamid // Feb 27, 2009 at 9:12 pm

    Dear

    In my university we are connecring to Internet through proxy on port 8080 and other ports has been blocked, I want to know is there any way that I could bypass this limitation? Actually I want to connect to port 1755.

    Thanks

  • 7 woloda zangetsu // May 28, 2009 at 7:58 pm

    Hi hamid,

    I see 2 possible ways, but first of all we are talking about not local, but destination ports, which you need to connect to trough you university proxy server. so if your proxy is working on 8080 port, it schould be reach not only standart 80 http port, but also other standart ports, minimal 443 http over ssl, sometimes 21 ftp, and maybe others

    1.) change the required destination listen port from 1755 to 80,443 or other destination ports allowed on your proxy and and force connect using ssh user@host:80

    otherwise, if you are not able to change the destination listen port, then try to do this

    2.) try to set up your own SSH server with public IP, listening on proxy allowed port.

    but there still could be a problem”
    if the firewall is let’s say configured in “standart” way, this schould help, otherwise firewall could doing more deeper inspection of packets and is able to block specific protocols, which are trying to connect on other then standart port using application layer protocol analysis, in other words, your firewall admin(maniac:-)) could know that you are trying to connect ssh trough the proxy and could block, but in most cases this schould work

    let me know if you already found some solution. In other case, I will set within less then one week new testing, but ready to live long time firewall/ router based on Vyatta open-source system based on debian, maybe on debian directly, so than could provide you free shell account to play with your needs…of coursed you could take a look over the internet, there are many free shell accounts services over the world…..

    on the other hand try also to find some useful staff on the internet related to “bypass proxy” tools, but first you have to know, which kind of proxy you use, of course…

    hope it will help in some way.

    zangetsu

  • 8 hackus // Sep 1, 2009 at 10:10 am

    thanks a lot for the post

  • 9 Michael // Sep 19, 2011 at 8:19 am

    Hi,
    I have a hp-unix machine which i am using to connect to an r-pop[windows] machine through ssh.
    I need to be able to telnet after establishing the ssh connection with a third node machine[any os] to a certain port.
    I am able to ssh to the windows machine but when i try telnet here it fails without giving any error.
    but if i remote login to the windows machine and telnet from there it works fine.
    Any help would be greatly appreciated Thanks

  • 10 Mukesh // Nov 6, 2011 at 3:42 pm

    How to activate port by using putty ?

  • 11 Aaron // Mar 12, 2012 at 11:51 am

    Hey, just wanted to fill in for everyone asking about PuTTY:

    The easiest way is to use the plink binary included in the PuTTY full package (like he says up there). It uses the same syntax as OpenSSH.

    BUT if you want to use the GUI, create a connection like normal, then go to the SSH->Tunnels section. Source port is the port on the gateway (referred to as “remote machine” above), destination is what is being tunelled to (for example, localhost:80). The radio buttons Local and Remote correspond to -L and -R switches, respectively.

  • 12 Brasdours // May 3, 2012 at 4:07 pm

    Hey, I want to access to a database postgresql from home by forwarding with ssh. I installed freesshd on my server which run on windows server 2003. It set it on port 22. I add an exception on the firewall for this port. Then i download putty on my client machine (windows 7), i put the ip public of my server, configure the firewall. But when i try to connect i recieve the message ” connection refused”.

    Any help for a newbee will be really nice.

  • 13 MU333N // May 3, 2013 at 9:24 am

    I’ve been searching for a good explanation of the difference between local and remote port forwarding. Your post does this excellently !

    Thanks

Leave a Comment

(Don't forget to fill in the Captcha)

CAPTCHA image