10-24-2019, 04:51 AM
Using SSH port forwarding on Fedora
<div><p>You may already be familiar with using the <em><a href="https://en.wikipedia.org/wiki/Secure_Shell">ssh</a></em><a href="https://en.wikipedia.org/wiki/Secure_Shell"> command</a> to access a remote system. The protocol behind <em>ssh</em> allows terminal input and output to flow through a <a href="https://fedoramagazine.org/open-source-ssh-clients/">secure channel</a>. But did you know that you can also use <em>ssh</em> to send and receive other data securely as well? One way is to use <em>port forwarding</em>, which allows you to connect network ports securely while conducting your <em>ssh</em> session. This article shows you how it works.</p>
<p> <span id="more-29503"></span> </p>
<h2>About ports</h2>
<p>A standard Linux system has a set of network ports already assigned, from 0-65535. Your system reserves ports up to 1023 for system use. In many systems you can’t elect to use one of these low-numbered ports. Quite a few ports are commonly expected to run specific services. You can find these defined in your system’s <em>/etc/services</em> file. </p>
<p>You can think of a network port like a physical port or jack to which you can connect a cable. That port may connect to some sort of service on the system, like wiring behind that physical jack. An example is the Apache web server (also known as <em>httpd</em>). The web server usually claims port 80 on the host system for HTTP non-secure connections, and 443 for HTTPS secure connections.</p>
<p>When you connect to a remote system, such as with a web browser, you are also “wiring” your browser to a port on your host. This is usually a random high port number, such as 54001. The port on your host connects to the port on the remote host, such as 443 to reach its secure web server. </p>
<p>So why use port forwarding when you have so many ports available? Here are a couple common cases in the life of a web developer.</p>
<h2>Local port forwarding</h2>
<p>Imagine that you are doing web development on a remote system called <em>remote.example.com</em>. You usually reach this system via <em>ssh</em> but it’s behind a firewall that allows very little additional access, and blocks most other ports. To try out your web app, it’s helpful to be able to use your web browser to point to the remote system. But you can’t reach it via the normal method of typing the URL in your browser, thanks to that pesky firewall.</p>
<p>Local forwarding allows you to tunnel a port available via the remote system through your <em>ssh</em> connection. The port appears as a local port on your system (thus “local forwarding.”)</p>
<p>Let’s say your web app is running on port 8000 on the <em>remote.example.com</em> box. To locally forward that system’s port 8000 to your system’s port 8000, use the <em>-L</em> option with <em>ssh</em> when you start your session:</p>
<pre class="wp-block-preformatted">$ ssh -L 8000:localhost:8000 remote.example.com</pre>
<p>Wait, why did we use <em>localhost</em> as the target for forwarding? It’s because from the perspective of <em>remote.example.com</em>, you’re asking the host to use its own port 8000. (Recall that any host usually can refer to itself as <em>localhost</em> to connect to itself via a network connection.) That port now connects to your system’s port 8000. Once the <em>ssh</em> session is ready, keep it open, and you can type <em>http://localhost:8000</em> in your browser to see your web app. The traffic between systems now travels securely over an <em>ssh</em> tunnel!</p>
<p>If you have a sharp eye, you may have noticed something. What if we used a different hostname than <em>localhost</em> for the <em>remote.example.com</em> to forward? If it can reach a port on another system on its network, it usually can forward that port just as easily. For example, say you wanted to reach a MariaDB or MySQL service on the <em>db.example.com</em> box also on the remote network. This service typically runs on port 3306. So you could forward it with this command, even if you can’t <em>ssh</em> to the actual <em>db.example.com</em> host:</p>
<pre class="wp-block-preformatted">$ ssh -L 3306:db.example.com:3306 remote.example.com</pre>
<p>Now you can run MariaDB commands against your <em>localhost</em> and you’re actually using the <em>db.example.com</em> box.</p>
<h2>Remote port forwarding</h2>
<p>Remote forwarding lets you do things the opposite way. Imagine you’re designing a web app for a friend at the office, and want to show them your work. Unfortunately, though, you’re working in a coffee shop, and because of the network setup, they can’t reach your laptop via a network connection. However, you both use the <em>remote.example.com</em> system at the office and you can still log in there. Your web app seems to be running well on port 5000 locally.</p>
<p>Remote port forwarding lets you tunnel a port from your local system through your <em>ssh</em> connection, and make it available on the remote system. Just use the <em>-R</em> option when you start your <em>ssh</em> session:</p>
<pre class="wp-block-preformatted">$ ssh -R 6000:localhost:5000 remote.example.com</pre>
<p>Now when your friend inside the corporate firewall runs their browser, they can point it at <em>http://remote.example.com:6000</em> and see your work. And as in the local port forwarding example, the communications travel securely over your <em>ssh</em> session.</p>
<p>By default the <em>sshd</em> daemon running on a host is set so that <strong>only</strong> that host can connect to its remote forwarded ports. Let’s say your friend wanted to be able to let people on other <em>example.com</em> corporate hosts see your work, and they weren’t on <em>remote.example.com</em> itself. You’d need the owner of the <em>remote.example.com</em> host to add <strong>one</strong> of these options to <em>/etc/ssh/sshd_config</em> on that box:</p>
<pre class="wp-block-preformatted">GatewayPorts yes # OR
GatewayPorts clientspecified</pre>
<p>The first option means remote forwarded ports are available on all the network interfaces on <em>remote.example.com</em>. The second means that the client who sets up the tunnel gets to choose the address. This option is set to <strong>no</strong> by default.</p>
<p>With this option, you as the <em>ssh</em> client must still specify the interfaces on which the forwarded port on your side can be shared. Do this by adding a network specification before the local port. There are several ways to do this, including the following:</p>
<pre class="wp-block-preformatted">$ ssh -R *:6000:localhost:5000 # all networks
$ ssh -R 0.0.0.0:6000:localhost:5000 # all networks
$ ssh -R 192.168.1.15:6000:localhost:5000 # single network
$ ssh -R remote.example.com:6000:localhost:5000 # single network</pre>
<h2>Other notes</h2>
<p>Notice that the port numbers need not be the same on local and remote systems. In fact, at times you may not even be able to use the same port. For instance, normal users may not to forward onto a system port in a default setup.</p>
<p>In addition, it’s possible to restrict forwarding on a host. This might be important to you if you need tighter security on a network-connected host. The <em>PermitOpen</em> option for the <em>sshd</em> daemon controls whether, and which, ports are available for TCP forwarding. The default setting is <strong>any</strong>, which allows all the examples above to work. To disallow any port fowarding, choose <strong>none</strong>, or choose only a specific <strong>host:port</strong> setting to permit. For more information, search for <em>PermitOpen</em> in the manual page for <em>sshd</em> daemon configuration:</p>
<pre class="wp-block-preformatted">$ man sshd_config</pre>
<p>Finally, remember port forwarding only happens as long as the controlling <em>ssh</em> session is open. If you need to keep the forwarding active for a long period, try running the session in the background using the <em>-N</em> option. Make sure your console is locked to prevent tampering while you’re away from it.</p>
</div>
https://www.sickgaming.net/blog/2019/10/...on-fedora/
<div><p>You may already be familiar with using the <em><a href="https://en.wikipedia.org/wiki/Secure_Shell">ssh</a></em><a href="https://en.wikipedia.org/wiki/Secure_Shell"> command</a> to access a remote system. The protocol behind <em>ssh</em> allows terminal input and output to flow through a <a href="https://fedoramagazine.org/open-source-ssh-clients/">secure channel</a>. But did you know that you can also use <em>ssh</em> to send and receive other data securely as well? One way is to use <em>port forwarding</em>, which allows you to connect network ports securely while conducting your <em>ssh</em> session. This article shows you how it works.</p>
<p> <span id="more-29503"></span> </p>
<h2>About ports</h2>
<p>A standard Linux system has a set of network ports already assigned, from 0-65535. Your system reserves ports up to 1023 for system use. In many systems you can’t elect to use one of these low-numbered ports. Quite a few ports are commonly expected to run specific services. You can find these defined in your system’s <em>/etc/services</em> file. </p>
<p>You can think of a network port like a physical port or jack to which you can connect a cable. That port may connect to some sort of service on the system, like wiring behind that physical jack. An example is the Apache web server (also known as <em>httpd</em>). The web server usually claims port 80 on the host system for HTTP non-secure connections, and 443 for HTTPS secure connections.</p>
<p>When you connect to a remote system, such as with a web browser, you are also “wiring” your browser to a port on your host. This is usually a random high port number, such as 54001. The port on your host connects to the port on the remote host, such as 443 to reach its secure web server. </p>
<p>So why use port forwarding when you have so many ports available? Here are a couple common cases in the life of a web developer.</p>
<h2>Local port forwarding</h2>
<p>Imagine that you are doing web development on a remote system called <em>remote.example.com</em>. You usually reach this system via <em>ssh</em> but it’s behind a firewall that allows very little additional access, and blocks most other ports. To try out your web app, it’s helpful to be able to use your web browser to point to the remote system. But you can’t reach it via the normal method of typing the URL in your browser, thanks to that pesky firewall.</p>
<p>Local forwarding allows you to tunnel a port available via the remote system through your <em>ssh</em> connection. The port appears as a local port on your system (thus “local forwarding.”)</p>
<p>Let’s say your web app is running on port 8000 on the <em>remote.example.com</em> box. To locally forward that system’s port 8000 to your system’s port 8000, use the <em>-L</em> option with <em>ssh</em> when you start your session:</p>
<pre class="wp-block-preformatted">$ ssh -L 8000:localhost:8000 remote.example.com</pre>
<p>Wait, why did we use <em>localhost</em> as the target for forwarding? It’s because from the perspective of <em>remote.example.com</em>, you’re asking the host to use its own port 8000. (Recall that any host usually can refer to itself as <em>localhost</em> to connect to itself via a network connection.) That port now connects to your system’s port 8000. Once the <em>ssh</em> session is ready, keep it open, and you can type <em>http://localhost:8000</em> in your browser to see your web app. The traffic between systems now travels securely over an <em>ssh</em> tunnel!</p>
<p>If you have a sharp eye, you may have noticed something. What if we used a different hostname than <em>localhost</em> for the <em>remote.example.com</em> to forward? If it can reach a port on another system on its network, it usually can forward that port just as easily. For example, say you wanted to reach a MariaDB or MySQL service on the <em>db.example.com</em> box also on the remote network. This service typically runs on port 3306. So you could forward it with this command, even if you can’t <em>ssh</em> to the actual <em>db.example.com</em> host:</p>
<pre class="wp-block-preformatted">$ ssh -L 3306:db.example.com:3306 remote.example.com</pre>
<p>Now you can run MariaDB commands against your <em>localhost</em> and you’re actually using the <em>db.example.com</em> box.</p>
<h2>Remote port forwarding</h2>
<p>Remote forwarding lets you do things the opposite way. Imagine you’re designing a web app for a friend at the office, and want to show them your work. Unfortunately, though, you’re working in a coffee shop, and because of the network setup, they can’t reach your laptop via a network connection. However, you both use the <em>remote.example.com</em> system at the office and you can still log in there. Your web app seems to be running well on port 5000 locally.</p>
<p>Remote port forwarding lets you tunnel a port from your local system through your <em>ssh</em> connection, and make it available on the remote system. Just use the <em>-R</em> option when you start your <em>ssh</em> session:</p>
<pre class="wp-block-preformatted">$ ssh -R 6000:localhost:5000 remote.example.com</pre>
<p>Now when your friend inside the corporate firewall runs their browser, they can point it at <em>http://remote.example.com:6000</em> and see your work. And as in the local port forwarding example, the communications travel securely over your <em>ssh</em> session.</p>
<p>By default the <em>sshd</em> daemon running on a host is set so that <strong>only</strong> that host can connect to its remote forwarded ports. Let’s say your friend wanted to be able to let people on other <em>example.com</em> corporate hosts see your work, and they weren’t on <em>remote.example.com</em> itself. You’d need the owner of the <em>remote.example.com</em> host to add <strong>one</strong> of these options to <em>/etc/ssh/sshd_config</em> on that box:</p>
<pre class="wp-block-preformatted">GatewayPorts yes # OR
GatewayPorts clientspecified</pre>
<p>The first option means remote forwarded ports are available on all the network interfaces on <em>remote.example.com</em>. The second means that the client who sets up the tunnel gets to choose the address. This option is set to <strong>no</strong> by default.</p>
<p>With this option, you as the <em>ssh</em> client must still specify the interfaces on which the forwarded port on your side can be shared. Do this by adding a network specification before the local port. There are several ways to do this, including the following:</p>
<pre class="wp-block-preformatted">$ ssh -R *:6000:localhost:5000 # all networks
$ ssh -R 0.0.0.0:6000:localhost:5000 # all networks
$ ssh -R 192.168.1.15:6000:localhost:5000 # single network
$ ssh -R remote.example.com:6000:localhost:5000 # single network</pre>
<h2>Other notes</h2>
<p>Notice that the port numbers need not be the same on local and remote systems. In fact, at times you may not even be able to use the same port. For instance, normal users may not to forward onto a system port in a default setup.</p>
<p>In addition, it’s possible to restrict forwarding on a host. This might be important to you if you need tighter security on a network-connected host. The <em>PermitOpen</em> option for the <em>sshd</em> daemon controls whether, and which, ports are available for TCP forwarding. The default setting is <strong>any</strong>, which allows all the examples above to work. To disallow any port fowarding, choose <strong>none</strong>, or choose only a specific <strong>host:port</strong> setting to permit. For more information, search for <em>PermitOpen</em> in the manual page for <em>sshd</em> daemon configuration:</p>
<pre class="wp-block-preformatted">$ man sshd_config</pre>
<p>Finally, remember port forwarding only happens as long as the controlling <em>ssh</em> session is open. If you need to keep the forwarding active for a long period, try running the session in the background using the <em>-N</em> option. Make sure your console is locked to prevent tampering while you’re away from it.</p>
</div>
https://www.sickgaming.net/blog/2019/10/...on-fedora/