SSH to server behind firewall
I am currently trying to work out how to SSH to servers behind firewalls that deny all incoming connections. The servers can SSH out, so I am wondering if there is a way to get the server behind the firewall to create an SSH tunnel to my workstation, then allow my workstation to send commands back to the server through it?

I have looked into tunneling / reverse tunneling, but these appear to be port forwarding solutions, which will not work as the firewall denies all connections on all ports.

Ideally, I would like to do this in Ruby (using the Net::SSH gem), such that instead of opening a new connection like:

Net::SSH.start('host', 'user', :password => "password")

I could somehow bind to an existing tunnel.

Thanks!

Carlyle answered 10/1, 2012 at 13:53 Comment(0)
39

This is fairly simple if you have control over the server. I'll give the command-line version, and you can work that into any framework you like:

server$ ssh -R 9091:localhost:22 client.example.egg

client$ ssh -p 9091 localhost

The server establishes a connection to the client first which starts listening on the "R"emote end (i.e. the client) on port 9091 (something I just made up), and forwards those connections to localhost:22, i.e. to the ssh server on itself.

The client then just needs to connect to its own local port 9091, which is transparently forwarded to the server's ssh server.

This will usually wreak havoc with your public key checking (and adherent security!), because the client's ssh client doesn't know that localhost:9091 is the same as server:22. If your client is PuTTY, then you have an option to provide the "real" server name somewhere so that the credentials can be looked up properly.

Ethyne answered 10/1, 2012 at 14:1 Comment(4)
Is there a way you could possibly wildcard that localhost figure? My IP address changes, and I want to always be able to ssh to the server. I have a DNS resolver already set up. (Veil)
@MichaelH: I'm not sure I understand. You cannot maintain TCP connections if the IP address of one of the peers changes... (Ethyne)
Can we tunnel HTTP through this as well? (Damson)
@Will: Sure, you can tunnel a specific TCP port, or you can make a SOCKS proxy that will tunnel any TCP connection (option -D). (Ethyne)
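The two commands in the answer above are enough to get a tunnel up, but a practitioner would normally harden both ends: keep the listener on the workstation bound to loopback, make the tunnel die (so a supervisor can restart it) instead of silently failing when port 9091 is taken, and fix the host-key problem the answer mentions with `HostKeyAlias` rather than by turning checking off. The script below is an added example, not part of the original answer or of any project; it reuses the answer's names (`client.example.egg`, port 9091) and assumes the firewalled machine's host key is already saved in the workstation's known_hosts under the name `server`. Nothing in it opens a real connection: the functions build and check the command and config text, so it runs offline.

```bash
#!/bin/sh
# Added example: helpers for a hardened reverse SSH tunnel.
# Assumed names (not from the original post): client "client.example.egg",
# firewalled host known as "server", tunnel port 9091.
set -eu

# Server-side command. Compared with the plain "ssh -R 9091:localhost:22 client":
#   -N                          no remote shell, only the forward
#   ExitOnForwardFailure=yes    exit instead of running without the -R listener
#   ServerAliveInterval/CountMax notice a stalled connection through the firewall
#   127.0.0.1: bind prefix      listener on the client stays loopback-only
reverse_tunnel_cmd() {
    client="$1"
    port="$2"
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R 127.0.0.1:%s:localhost:22 %s' "$port" "$client"
}

# Check an -R spec (bind:port:host:hostport). Returns 0 only when a bind
# address is given explicitly and it is loopback; "*" or 0.0.0.0 would expose
# the server's sshd to anything that can reach the client, and an omitted bind
# address leaves the decision to the client sshd's GatewayPorts setting.
forward_explicitly_loopback() {
    spec="$1"
    case "$spec" in
        *:*:*:*) ;;          # four fields: bind address present
        *) return 1 ;;       # three fields: bind address omitted
    esac
    bind=${spec%%:*}
    case "$bind" in
        127.0.0.1|localhost) return 0 ;;
        *) return 1 ;;
    esac
}

# Client-side ~/.ssh/config stanza. HostKeyAlias makes ssh check the key
# presented on 127.0.0.1:9091 against the known_hosts entry for "server", so
# the tunnel neither trips a mismatch warning nor saves a misleading
# "[127.0.0.1]:9091" key. Usage: ssh server-tunnel
client_ssh_config() {
    alias="$1"
    port="$2"
    printf 'Host %s-tunnel\n    HostName 127.0.0.1\n    Port %s\n    HostKeyAlias %s\n    StrictHostKeyChecking yes\n' "$alias" "$port" "$alias"
}

# authorized_keys line on the client for the key the server dials in with:
# "restrict" disables everything, "port-forwarding" re-enables forwards, and
# permitlisten limits the -R request to exactly the loopback port we expect.
authorized_keys_entry() {
    pubkey="$1"
    port="$2"
    printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s" %s\n' "$port" "$pubkey"
}

# Stand-alone demonstration (constructed key material; not a real key).
if [ "${1:-}" = "demo" ]; then
    reverse_tunnel_cmd client.example.egg 9091; echo
    client_ssh_config server 9091
    authorized_keys_entry "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY server-tunnel" 9091
fi
```

Run `sh tunnel.sh demo` to print the three pieces: the command to run on the firewalled host (ideally under a supervisor or autossh, since the firewall will drop idle state), the stanza to append to the workstation's `~/.ssh/config`, and the `authorized_keys` line for the server's key on the workstation. With the stanza in place, `ssh server-tunnel` replaces `ssh -p 9091 localhost` and keeps host-key verification intact.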
1

Unless you can create (and maintain) a tunnel out from the host you're trying to connect to first (which would allow you then to connect through that tunnel), no you can't. That's the point of a firewall: prevent unauthorised access to a network.

However the firewall shouldn't block a tunnel, although it depends exactly how the tunnel's managed. A port-forwarding tunnel set up using ssh's tunneling features would subvert the firewall. However it may also get you in trouble with the administrator of the remote network.

So ultimately, you'd need to speak to the network administrator to get the firewall rules relaxed in order to do it without needing to tunnel, or at least get authorisation to have a tunnel.

Newton answered 10/1, 2012 at 13:56 Comment(0)
