I have a small local network. Only one of the machines is available to the outside world (this is not easily changeable). I'd like to be able to set it up such that ssh requests that don't come in on the standard port go to another machine. Is this possible? If so, how?

Oh and all of these machines are running either Ubuntu or OS X.

A: 

You can use Port Forwarding to do this. Take a look here:

http://portforward.com/help/portforwarding.htm

There are instructions on how to set up your router to port forward requests on this page:

http://www.portforward.com/english/routers/port_forwarding/routerindex.htm

Espo
+9  A: 

Another way to go would be to use ssh tunneling (which happens on the client side).

You'd do an ssh command like this:

ssh -L 8022:myinsideserver:22 paul@myoutsideserver

That connects you to the machine that's accessible from the outside (myoutsideserver) and creates a tunnel through that ssh connection to port 22 (the standard ssh port) on the server that's only accessible from the inside.

Then you'd do another ssh command like this (leaving the first one still connected):

ssh -p 8022 paul@localhost

That connection to port 8022 on your localhost will then get tunneled through the first ssh connection, taking you over to myinsideserver.

There may be something you have to do on myoutsideserver to allow forwarding of the ssh port. I'm double-checking that now.

Edit

Hmmm. The ssh manpage says this: **Only the superuser can forward privileged ports.**

That sort of implies to me that the first ssh connection has to be as root. Maybe somebody else can clarify that.

It looks like superuser privileges aren't required as long as the forwarded port (in this case, 8022) isn't a privileged port (like 22). Thanks for the clarification Mike Stone.

Mark Biek
+2  A: 

@Mark Biek

I was going to say that, but you beat me to it! Anyways, I just wanted to add that there is also the -R option:

ssh -R 8022:myinsideserver:22 paul@myoutsideserver

The difference is what machine you are connecting to/from. My boss showed me this trick not too long ago, and it is definitely really nice to know... we were behind a firewall and needed to give external access to a machine... he got around it by ssh -R to another machine that was accessible... then connections to that machine were forwarded into the machine behind the firewall, so you need to use -R or -L based on which machine you are on and which you are ssh-ing to.

Also, I'm pretty sure you are fine to use a regular user as long as the port you are forwarding (in this case the 8022 port) is not below the restricted range (which I think is 1024, but I could be mistaken), because those are the "reserved" ports. It doesn't matter that you are forwarding it to a "restricted" port because that port is not being opened (the machine is just having traffic sent to it through the tunnel; it has no knowledge of the tunnel). The 8022 port IS being opened, and so it is restricted as such.

EDIT: Just remember, the tunnel is only open so long as the initial ssh remains open, so if it times out or you exit it, the tunnel will be closed.

Mike Stone
A: 

In Ubuntu, you can install Firestarter and then use its Forward Service feature to forward the SSH traffic from a non-standard port on your machine with external access to port 22 on the machine inside your network.

On OS X you can edit the /etc/nat/natd.plist file to enable port forwarding.

Jay Hofacker
A: 

Without messing around with firewall rules, you can set up a ~/.ssh/config file.

Assume 10.1.1.1 is the 'gateway' system and 10.1.1.2 is the 'client' system.

Host gateway
  Hostname 10.1.1.1
  LocalForward 8022 10.1.1.2:22

Host client
  Hostname localhost
  Port 8022

You can open an ssh connection to 'gateway' via:

ssh gateway

In another terminal, open a connection to the client.

ssh client
jtimberman
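To tie together the -L/-R discussion above and the ~/.ssh/config form in the last answer, here is an added example (not from any of the posters) that parses an OpenSSH forwarding spec, applies the privileged-port rule the thread settles on (only the listening port matters, and only if it is below 1024), flags specs that would expose the listening port beyond loopback, and renders the equivalent LocalForward/RemoteForward config line. Host names and ports are the ones used in the thread; the IPv6 bracket syntax ssh accepts is deliberately not handled.

```python
"""Parse OpenSSH -L / -R forwarding specs and check the listening side."""
from dataclasses import dataclass
from typing import Optional

PRIVILEGED_PORT_MAX = 1023  # on Unix, binding a port below 1024 needs root


@dataclass
class Forward:
    direction: str               # "L" (local listen) or "R" (remote listen)
    bind_address: Optional[str]  # None = not given, ssh default (loopback)
    listen_port: int             # the port ssh/sshd actually opens
    target_host: str             # where tunneled traffic is delivered
    target_port: int             # e.g. 22 for the inside ssh server


def parse_forward(direction: str, spec: str) -> Forward:
    """Parse '[bind_address:]port:host:hostport' (IPv4/hostnames only)."""
    if direction not in ("L", "R"):
        raise ValueError("direction must be 'L' or 'R'")
    parts = spec.split(":")
    if len(parts) == 3:
        bind, port, host, hostport = None, *parts
    elif len(parts) == 4:
        bind, port, host, hostport = parts  # "" here means all interfaces
    else:
        raise ValueError(f"bad forward spec: {spec!r}")
    listen, target = int(port), int(hostport)
    for p in (listen, target):
        if not 1 <= p <= 65535:
            raise ValueError(f"port out of range: {p}")
    return Forward(direction, bind, listen, host, target)


def needs_root(fwd: Forward) -> bool:
    """Only the listening end counts: 8022:host:22 is fine as a normal user."""
    return fwd.listen_port <= PRIVILEGED_PORT_MAX


def exposed_beyond_loopback(fwd: Forward) -> bool:
    """True if the listener would be reachable from other hosts (given
    GatewayPorts allows it); an explicit '' or '*' means all interfaces."""
    if fwd.bind_address is None:
        return False  # ssh default binds loopback only
    return fwd.bind_address not in ("localhost", "127.0.0.1")


def to_ssh_config(fwd: Forward) -> str:
    """Render the spec as the ~/.ssh/config keyword shown in the last answer."""
    keyword = "LocalForward" if fwd.direction == "L" else "RemoteForward"
    listen = str(fwd.listen_port)
    if fwd.bind_address is not None:
        listen = f"{fwd.bind_address}:{listen}"
    return f"{keyword} {listen} {fwd.target_host}:{fwd.target_port}"
```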