Considering you have a service running in VPC but it cannot be accessible over the internet and only accessible from the VPC. To access other services that are blocked over the internet, you can use SSH to connect to any one of the server in VPC that is accessible and forward to port to the destination service as follows
Following is the syntax for “Local Forwarding”
ssh -L [bindaddr]<port>: <destination-server>:<destination-port> <server>Where,
| bindaddr | Local Address to bind |
| port | Local port to bind |
| destination-server | Destination service IP |
| destionation-port | Destination port of service |
| server | Server to connect |
Option -L specifies the given port on the local (client) host is to be forwarded to the given host and port on the remote side. This works by allocating the socket to the specified local port and optionally binding it to the specified bindaddr. When connection is made to this location port specified, it is forwarded over the secure channel and connection is made to the specified “destination-server” and “destination-port” from the remote machine. If bindaddr is not specified, SSH listens on all interfaces.
If you are connecting to server with key file instead of password, use
ssh -i <keyfile> -L [bindaddr]<port>: <destination-server>:<destination-port> <server>exmaple:
ssh -L 6379:192.168.31.22:3033 root@servername.com Where SSH acts as the tunnel and forwards the requests destined to port 6379 on localhost to the specified port 3033 on host 192.168.31.22 on the remote network.
— —
While -L option forwards connection on local specified port to remote host, it is also possible to configure SSH in such a way that connection on remote bound port to local host & port using option -R. This works by allocating a socket to listen to port on the remote host.
Following is the syntax for “Remote Forwarding”
ssh -R [bind_address:]port:host:hostport The listening socket on the server will be bound to the 127.0.0.1 only by default, this can be changed by specifying bind_address. If bind_address is specified as ‘*’ or empty which indicates that socket should listen on all interfaces
Example
ssh -R 6379:192.168.31.25:3033 root@servername.com Local Forwarding: is used to forward a port from Local Machine to Remote Machine
Remote Forwarding: is used to forward a port from Remote Machine to Local Machine
Dynamic Application Level Port Forwarding
As we discussed above about local and remote forwarding on specific ports. We can also use SSH to create the SOCKS proxy to dinamically forward ports, in such a case SSH essentially acts as the SOCKS Server creating a proxy service referred as SOCKS proxy. Where, either SOCKS4 or SOCKS5 protocols are used.
ssh -D 1337 -q -C -N -f use@serverWhere,
| -D | Bind to local port given following by this option |
| -q | Quite mode, don’t output anything |
| -C | Compress the data |
| -N | Do not execute any remote command, it is useful when forwarding ports |
| -f | Run in background |
Where Option -D is
-D [bind_address:]port
Specifies a local “dynamic” application-level port forwarding. This works by allocating a socket to listen to port on the local side, optionally bound to the specified bind_address. Whenever a connection is made to
this port, the connection is forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine. Currently the SOCKS4 and SOCKS5 protocols are
supported, and ssh will act as a SOCKS server. Only root can forward privileged ports. Dynamic port forwardings can also be specified in the configuration file.
IPv6 addresses can be specified by enclosing the address in square brackets. Only the superuser can forward privileged ports. By default, the local port is bound in accordance with the GatewayPorts setting. However,
an explicit bind_address may be used to bind the connection to a specific address. The bind_address of “localhost” indicates that the listening port be bound for local use only, while an empty address or ‘*’ indicates
that the port should be available from all interfaces.
All command line arguments can be combined to create SOCKS server for SOCKS proxy
ssh -D1337 -fCqN user@serverHow to keep SSH tunnel open
If you want to reliably port forward using SSH at first you might feel skeptic since SSH connection can be dead after while either disconnected by server. To port forard in reliable fashion using SSH, we can use the wrapper application autossh which monitors the ssh tunnel and restart or connects if required
To incorporate the “Remote Port Forwarding”
autossh -M 20000 -f -N admin@example.com -R 2424:localhost:22 -CAnother example, to open ssh tunnel using keypair instead of password
autossh -f -nNT -i ~/keypair.pem -R 2424:localhost:22 admin@exmaple.com
Leave a Reply