Thursday 6 February 2020

An SSH tunnel via multiple hops


Tunneling data over SSH is pretty straight-forward:


ssh -D9999 username@example.com

sets up port 9999 on your localhost as a tunnel to example.com, but I have a more specific need:



  • I am working locally on localhost

  • host1 is accessible to localhost

  • host2 only accepts connections from host1

  • I need to create a tunnel from localhost to host2


Effectively, I want to create a "multi-hop" SSH tunnel. How can I do this? Ideally, I'd like to do this without needing to be superuser on any of the machines.



Answer



You basically have three possibilities:




  1. Tunnel from localhost to host1:


    ssh -L 9999:host2:1234 -N host1

    As noted above, the connection from host1 to host2 will not be secured.




  2. Tunnel from localhost to host1 and from host1 to host2:


    ssh -L 9999:localhost:9999 host1 ssh -L 9999:localhost:1234 -N host2

    This will open a tunnel from localhost to host1 and another tunnel from host1 to host2. However the port 9999 to host2:1234 can be used by anyone on host1. This may or may not be a problem.




  3. Tunnel from localhost to host1 and from localhost to host2:


    ssh -L 9998:host2:22 -N host1
    ssh -L 9999:localhost:1234 -N -p 9998 localhost

    This will open a tunnel from localhost to host1 through which the SSH service on host2 can be used. Then a second tunnel is opened from localhost to host2 through the first tunnel.




Normally, I'd go with option 1. If the connection from host1 to host2 needs to be secured, go with option 2. Option 3 is mainly useful to access a service on host2 that is only reachable from host2 itself.


-

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

How can I VLOOKUP in multiple Excel documents?

I am trying to VLOOKUP reference data with around 400 seperate Excel files. Is it possible to do this in a quick way rather than doing it m...