====== Tunneling stuffs ======

===== Surf through a distant server =====

If you want Firefox to browse through your server, forward local port 9999 to a SOCKS listener that tunnels everything to the server:

<code bash>
ssh -ND 9999 gaspard@freelancis.net
</code>

''-D'' makes ssh act as a SOCKS4/SOCKS5 server on the local port, ''-N'' means no remote command, only the forward. By default the listener is bound to localhost, so only programs on this machine can use it.

In Firefox, go into Preferences > Advanced > Network and click the Settings button.

{{:ressources:ssh:firefox_advanced.png|Firefox 3 mac}}

Set a SOCKS v5 proxy, host localhost, port 9999.

{{:ressources:ssh:firefox_proxy.png|}}

Type about:config into the Firefox address bar, then set the ''network.proxy.socks_remote_dns'' key to true. Without it Firefox resolves host names locally before handing the connection to the proxy: the DNS queries leave your machine outside the tunnel, and names that only resolve from the server's network never work.

{{:ressources:ssh:firefox_proxy_config.png|}}

===== Gate an application =====

This machine has no Internet access from the protected network, so I go through my work computer 192.168.138.20: I forward a local port to freelancis.net:80 through it, then open http://localhost:9999 and from there I am browsing freelancis.net.

<code bash>
ssh -NL 9999:freelancis.net:80 192.168.138.20
</code>

This command redirects localhost:9999 to freelancis.net:80 through 192.168.138.20. The name freelancis.net is resolved by 192.168.138.20, not by this machine. Note that the browser sends ''Host: localhost:9999'' to the web server, so a site served by a name-based virtual host may answer with the wrong site; the SOCKS setup above does not have that problem.

FIXME more use cases to be determined here, e.g. http://www.macosxhints.com/article.php?story=20080419233314333 for remote daap access.

{{:ressources:ssh:firefox_redirect_local.png|}}

===== Chain SSH Tunnels =====

Say you want to reach dest, but have to tunnel through foo because you don't have direct access to port 22 on dest.

<code bash>
ssh -NL 65001:dest:22 foo &
ssh localhost -p 65001
Welcome to dest!
$
</code>

How to connect to freelancis.net through 192.168.138.20?

<code bash>
ssh -f -NL 65001:freelancis.net:22 192.168.138.20
ssh localhost -p 65001
</code>

The ''-f'' option lets me type the required password: ssh asks for it in the foreground and only goes to the background once authentication is done, whereas a plain ''&'' backgrounds it before it can read the password. With ''-f'' the trailing ''&'' is not needed.

Combining SOCKS5 and chained tunneling looks like this (it works for me, but I have not checked that it works everywhere):

<code bash>
ssh -f -NL 65001:freelancis.net:22 192.168.138.20 && ssh -ND 9999 localhost -p 65001
</code>

The first ssh only returns, with the forward in place, once it is authenticated, so ''&&'' starts the SOCKS tunnel through it afterwards.

If you need to tunnel through multiple gateways to reach the machine you want to connect to, this is how to do it. Now let's say you have to jump through foo, bar and wibble to get to dest.
<code bash>
ssh -NL 65001:bar:22 foo &
ssh -NL 65002:wibble:22 localhost -p 65001 &
ssh -NL 65003:dest:22 localhost -p 65002 &
ssh localhost -p 65003
Welcome to dest!
$
</code>

Obviously you don't need to use ports starting with 65001; pick any convenient unused local ports. You can use different usernames and SSH ports if necessary. The ''-L'' spec only takes host and port, not a username, so if you have to connect to wibble as dave on port 222 the forward to wibble becomes:

<code bash>
ssh -NL 65002:wibble:222 localhost -p 65001 &
</code>

and the username goes on the next command, which is the one that actually logs into wibble:

<code bash>
ssh -NL 65003:dest:22 dave@localhost -p 65002 &
</code>

ssh records each hop in known_hosts as ''[localhost]:6500x''. If you later reuse one of these ports for a different machine you get a host key mismatch warning; that warning is the only thing telling you which host is really at the other end of the chain, so do not blindly accept it.

===== Pipe VNC to local network =====

I want to connect remotely to VNC on port 5900 but, naturally, port 5900 is firewalled to block unsolicited connections from hosts that aren't on my local network. As I am not totally paranoid, sshd is reachable from the Internet though.

Redirect mylaptop:9998 to mydistantserver:5900 using mydistantserver:22 as gateway:

<code bash>
ssh -NL 9998:idunn.local:5900 idunn.freelancis.net
</code>

''idunn.local'' is resolved by the remote sshd, so it only has to be reachable from the server's side of the firewall. Then in ChickenOfTheVNC (or any other VNC client) I connect to localhost:9998 with the distant VNC password. The password and the whole VNC session travel inside the SSH tunnel, which is what protects them; VNC's own authentication is weak, which is why port 5900 stays closed to the outside.

{{:ressources:ssh:vnc-tunnel.png|}}

===== Use a local server to pipe some music for iTunes =====

On the local server with [[:ressources:ubuntu:bonjour]] installed, I add the ''_daap._tcp'' announcement for [[:ressources:ubuntu:bonjour#advertise_services|network advertising]] of the iTunes music service (called daap):

<code>
_daap._tcp 3689
</code>

Then redirect incoming daap connections from any host to the remote machine (on the same port):

<code bash>
ssh -gNL 3689:localhost:3689 gaspard@idunn.freelancis.net
</code>

Note the ''-g'' parameter, which allows remote hosts to connect to the forwarded port, not only localhost. It binds the listener on every interface of the local server, so anyone who can reach that server on port 3689 reaches the daap server on idunn through my SSH session: only do this on a network the firewall already trusts. Without ''-g'' the forward is bound to localhost; the ''GatewayPorts'' option gives the same control from ssh_config.
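As an added example (not code from the original page), a small Python helper for the two questions that keep coming back above: where does the listener of a ''-L'' or ''-D'' forward actually bind, and can other hosts reach it (the ''-g'' question of the daap forward); and how does the foo/bar/wibble chain generalise to any number of gateways, with the username on the command that logs into that machine rather than inside the ''-L'' spec. The host names (foo, bar, wibble, dest, idunn.local) are the page's own; the bind rule follows the ssh(1) text quoted at the bottom of this page, with the OpenSSH default ''GatewayPorts no''.

```python
"""OpenSSH -L / -D forwarding specs and multi-hop tunnel chains.
Added example, not code from the original wiki page.  Host names are the
page's own.  Bind rule per ssh(1): no bind address means localhost unless
-g / GatewayPorts is set; an empty address or '*' means every interface.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Forward:
    bind_address: Optional[str]   # None when the spec gave none
    port: int                     # local listening port
    host: Optional[str]           # None for -D (chosen per connection)
    hostport: Optional[int]

def _fields(spec: str) -> List[str]:
    """Split on ':' (or '/', the IPv6 alternative syntax), keeping
    [bracketed] IPv6 literals whole and dropping the brackets."""
    if "/" in spec:
        return spec.split("/")
    out, cur, depth = [], "", 0
    for ch in spec:
        depth += (ch == "[") - (ch == "]")
        if ch == ":" and depth == 0:
            out.append(cur)
            cur = ""
        else:
            cur += ch
    out.append(cur)
    return [f.strip("[]") for f in out]

def parse_local(spec: str) -> Forward:
    """-L [bind_address:]port:host:hostport"""
    f = _fields(spec)
    if len(f) == 3:
        f = [None] + f
    if len(f) != 4:
        raise ValueError("bad -L spec: %r" % spec)
    return Forward(f[0], int(f[1]), f[2], int(f[3]))

def parse_dynamic(spec: str) -> Forward:
    """-D [bind_address:]port"""
    f = _fields(spec)
    if len(f) == 1:
        f = [None] + f
    if len(f) != 2:
        raise ValueError("bad -D spec: %r" % spec)
    return Forward(f[0], int(f[1]), None, None)

def listener(fwd: Forward, gateway_ports: bool = False) -> Tuple[str, bool]:
    """(address ssh binds to, reachable from other hosts?).  gateway_ports
    is True when -g was given or GatewayPorts is 'yes'."""
    addr = fwd.bind_address
    if addr is None:
        return ("*", True) if gateway_ports else ("localhost", False)
    if addr in ("", "*"):
        return "*", True
    if addr == "localhost":
        return addr, False
    try:
        return addr, not ipaddress.ip_address(addr).is_loopback
    except ValueError:      # a host name: assume it names a real interface
        return addr, True

def _hop(hop: str) -> Tuple[Optional[str], str, int]:
    """'[user@]host[:port]' -> (user, host, port); host may be [ipv6]."""
    user, _, rest = hop.rpartition("@")
    if rest.startswith("["):
        host, _, tail = rest[1:].partition("]")
    else:
        host, _, tail = rest.partition(":")
    tail = tail.lstrip(":")
    return user or None, host, int(tail) if tail else 22

def _target(user: Optional[str], host: str, port: int) -> str:
    s = ("%s@" % user if user else "") + host
    return s if port == 22 else "%s -p %d" % (s, port)

def chain_commands(gateways: List[str], dest: str,
                   base_port: int = 65001) -> List[str]:
    """Commands to reach dest through gateways[0], gateways[1], ...: each
    hop forwards a local port to the next machine's sshd; the last line
    logs into dest through the last port.  A username goes on the command
    that logs into that machine, never inside the -L spec."""
    if not gateways:
        raise ValueError("need at least one gateway")
    hops = [_hop(h) for h in gateways + [dest]]
    cmds, prev_local = [], None
    for i in range(len(hops) - 1):
        via_user, via_host, via_port = hops[i]
        _, nxt_host, nxt_port = hops[i + 1]
        local = base_port + i
        target = (_target(via_user, via_host, via_port) if prev_local is None
                  else _target(via_user, "localhost", prev_local))
        fwd_host = "[%s]" % nxt_host if ":" in nxt_host else nxt_host
        cmds.append("ssh -NL %d:%s:%d %s &" % (local, fwd_host, nxt_port, target))
        prev_local = local
    cmds.append("ssh " + _target(hops[-1][0], "localhost", prev_local))
    return cmds
```

''chain_commands(["foo", "bar", "dave@wibble:222"], "dest")'' prints the four lines of the chain above with ''dave@'' on the hop that logs into wibble. Replace the trailing ''&'' by ''-f'' on any hop that asks for a password. Since OpenSSH 7.3 the whole chain is one command, ''ssh -J foo,bar,wibble dest'', which also checks every gateway's host key under its real name instead of ''[localhost]:port''.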
===== Misc useful stuffs =====

To be organized.

<code bash>
# redirects local 9999 to remote 3333
ssh -NL 9999:localhost:3333 gaspard@192.168.138.20

# assume local 9999 is used by remote
ssh -ND 9999 gaspard@192.168.138.20

# two stages: on nyx
ssh -NL 9999:localhost:3333 gaspard@192.168.138.20
# on 192.*.20
ssh -NL 3333:192.168.138.20:3333 gaspard@freelancis.net
</code>

Sample from the ssh man page: ''sleep 10'' keeps the session alive long enough for the IRC client to open its connection through the forward, after which ssh waits for that connection to end.

<code bash>
ssh -f -L 1234:localhost:6667 server.example.com sleep 10
irc -c '#users' -p 1234 pinky 127.0.0.1
</code>

From ssh(1):

<code>
-D [bind_address:]port
    Specifies a local "dynamic" application-level port forwarding.
    This works by allocating a socket to listen to port on the local
    side, optionally bound to the specified bind_address.  Whenever a
    connection is made to this port, the connection is forwarded over
    the secure channel, and the application protocol is then used to
    determine where to connect to from the remote machine.  Currently
    the SOCKS4 and SOCKS5 protocols are supported, and ssh will act
    as a SOCKS server.  Only root can forward privileged ports.
    Dynamic port forwardings can also be specified in the configuration
    file.

    IPv6 addresses can be specified with an alternative syntax:
    [bind_address/]port or by enclosing the address in square brackets.
    Only the superuser can forward privileged ports.  By default, the
    local port is bound in accordance with the GatewayPorts setting.
    However, an explicit bind_address may be used to bind the
    connection to a specific address.  The bind_address of "localhost"
    indicates that the listening port be bound for local use only,
    while an empty address or `*' indicates that the port should be
    available from all interfaces.

-L [bind_address:]port:host:hostport
    Specifies that the given port on the local (client) host is to be
    forwarded to the given host and port on the remote side.  This
    works by allocating a socket to listen to port on the local side,
    optionally bound to the specified bind_address.  Whenever a
    connection is made to this port, the connection is forwarded over
    the secure channel, and a connection is made to host port hostport
    from the remote machine.  Port forwardings can also be specified
    in the configuration file.  IPv6 addresses can be specified with
    an alternative syntax: [bind_address/]port/host/hostport or by
    enclosing the address in square brackets.  Only the superuser can
    forward privileged ports.  By default, the local port is bound in
    accordance with the GatewayPorts setting.  However, an explicit
    bind_address may be used to bind the connection to a specific
    address.  The bind_address of "localhost" indicates that the
    listening port be bound for local use only, while an empty address
    or `*' indicates that the port should be available from all
    interfaces.
</code>
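The ''-D'' text above says ssh "will act as a SOCKS server", and the Firefox section at the top of this page relies on ''network.proxy.socks_remote_dns''. As an added example (not code from the original page), here is the SOCKS5 exchange (RFC 1928) that a browser performs against the ''ssh -D 9999'' listener, in Python, so that the difference the setting makes is visible on the wire: with remote DNS the CONNECT request carries the host name (address type 0x03) and sshd resolves it at the far end; without it the browser resolves the name locally and sends the address (type 0x01 or 0x04), so the lookup leaks outside the tunnel. The local resolver table, the host names and the scripted proxy replies are constructed sample values.

```python
"""SOCKS5 client side of a browser talking to `ssh -D` (RFC 1928).
Added example, not code from the original wiki page.  The resolver table,
host names and proxy replies below are constructed sample values.
"""
import ipaddress
import struct

SOCKS_VERSION = 5
NO_AUTH = 0x00          # the only method an ssh -D listener accepts
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {
    0: "succeeded", 1: "general SOCKS server failure",
    2: "connection not allowed by ruleset", 3: "network unreachable",
    4: "host unreachable", 5: "connection refused", 6: "TTL expired",
    7: "command not supported", 8: "address type not supported",
}
# Constructed stand-in for the browser's local resolver (remote DNS off).
FAKE_LOCAL_DNS = {"freelancis.net": "203.0.113.10"}

def greeting() -> bytes:
    """Client hello: version 5, one method offered, no authentication."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])

def connect_request(host: str, port: int, remote_dns: bool,
                    resolve=FAKE_LOCAL_DNS.get) -> bytes:
    """CONNECT request; the address form depends on socks_remote_dns."""
    if remote_dns:                       # name goes through, sshd resolves it
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("host name too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:                                # resolved here, outside the tunnel
        ip = ipaddress.ip_address(resolve(host) or host)  # ValueError = lookup failed
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)

def parse_reply(data: bytes):
    """Server reply -> (status text, bound address, bound port)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == ATYP_IPV6:
        addr, rest = str(ipaddress.IPv6Address(data[4:20])), data[20:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError("unknown address type %#x" % atyp)
    (port,) = struct.unpack("!H", rest[:2])
    return REPLY_TEXT.get(rep, "unknown reply %d" % rep), addr, port

def socks5_connect(sock, host: str, port: int, remote_dns: bool = True) -> str:
    """Run the handshake on a connected socket-like object (sendall/recv);
    returns the status text, raises ConnectionError if the proxy refuses."""
    sock.sendall(greeting())
    ver, method = sock.recv(2)
    if ver != SOCKS_VERSION or method != NO_AUTH:
        raise ConnectionError("proxy did not accept the no-auth method")
    sock.sendall(connect_request(host, port, remote_dns))
    status, _bound_addr, _bound_port = parse_reply(sock.recv(262))  # max reply
    if status != "succeeded":
        raise ConnectionError(status)
    return status

class ScriptedProxy:
    """Constructed stand-in for the ssh -D listener: records what the
    client sent and answers with canned replies, so this runs offline."""
    def __init__(self, replies):
        self.sent, self.replies = [], list(replies)
    def sendall(self, data):
        self.sent.append(bytes(data))
    def recv(self, _n):
        return self.replies.pop(0)

def demo(remote_dns: bool):
    """Connect to freelancis.net:443 through the scripted proxy; return the
    status and the address type the client put in its CONNECT request."""
    proxy = ScriptedProxy([b"\x05\x00",                       # no-auth chosen
                           b"\x05\x00\x00\x01" + bytes(6)])   # succeeded, 0.0.0.0:0
    status = socks5_connect(proxy, "freelancis.net", 443, remote_dns)
    return status, proxy.sent[1][3]

if __name__ == "__main__":
    for flag in (True, False):
        status, atyp = demo(flag)
        print("socks_remote_dns=%s -> %s, request address type %#x" % (flag, status, atyp))
```

Run it and the two CONNECT requests differ only in the address field: ''0x03'' plus the name with remote DNS, ''0x01'' plus four address bytes without it. An ssh listener answers a successful CONNECT with bound address ''0.0.0.0'' port 0, as the scripted proxy does here; a real check against a running ''ssh -D 9999'' would pass a ''socket.create_connection(("localhost", 9999))'' object to ''socks5_connect''.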