20

I'm using ssh root@my.server.ip -g -L 4321:localhost:28017 to establish a tunnel from my MacBook to my dedicated server at my hosting provider. It works well. Now I want to access several admin sites on the remote server (a MongoDB status page, a RabbitMQ page, etc., all on different ports). All of them are bound to 127.0.0.1 on the remote machine. How can I tweak this ssh command to

  • assign a name to the tunnel and use e.g. "my.tunnel.name" in my browser
  • to be able to define the remote port in my browser; I would like to connect to my.tunnel.name:port, in order to be able to call the different sites

Is this possible with ssh? I've read the man pages and googled around for two days now, but it does not seem to work.

--edit 2012-06-01 23:36-- Thanks to the provided answers and comments the port forwarding works now using

ssh user@remote.server -D 4321

I can set this up as a proxy in my browser and the browser will treat any request to localhost:anyport as if it was made on the remote server. Using a name is now not necessary, since the browser is for remote server sites only.

brains_at_work

3 Answers

27

You can assign a name by using the fact your loopback adapter will basically respond to any address in the 127.0.0.0/8 network.

So instead of binding to port 4321 you could bind to 127.1.2.3:4321. Then simply set up a hosts entry that maps a name to the loopback address that you used, so foo.bar maps to 127.1.2.3.

In my SSH configuration on my admin workstation I have many tunnels configured so that they bind to some address in the loopback range, and I have entries in my host file so I open up many tunnels in parallel using the same port and distinguish between them via name.

So if you connect like this:

ssh root@my.server.ip -g -L 127.1.2.3:4321:localhost:28017

And your hosts file has a line like this:

127.1.2.3 my.tunnel.name

Then you should be able to connect to my.tunnel.name:4321 from your local machine.

If you have additional IP address space on the network your ssh client is connected to, you could even assign a secondary address to your Ethernet interface and use one of your real IPs, and then set up entries in your DNS if you wanted other systems to be able to use your SSH tunnel.

The -L option -L [bind_address:]port:host:hostport will let you use any valid IP address on the local system to bind to. You do need to include the -g option as well if you want other hosts to be able to connect via your ssh tunnel.

Zoredache
  • I had to add the IPs to my loopback in OS X: `ifconfig lo0 alias 127.0.1.1 255.255.255.0`, otherwise great tip! – devians Jun 15 '12 at 01:46
  • If you don't want a shell to be created, run `-N` at the end of the command. This way it's easier to remember that it's a tunnel, not just any SSH connection. – mlissner Nov 05 '15 at 18:37
  • When using `127.1.2.3` I had to do this on my MacBook: `ifconfig lo0 alias 127.1.2.3 255.255.255.0`, which adds `127.1.2.3` as a new address on interface `lo0`. – Donn Lee Mar 05 '19 at 06:52
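The per-address binding described in this answer, as an added example that is not part of the original post: a small POSIX shell script that turns a list of constructed "name=bind_ip:localport:remoteport" specs into one ssh command (one -L per admin site, all on the same local port, distinguished by their 127.0.0.0/8 address) plus the matching hosts-file lines. It refuses any bind address outside the loopback range and deliberately omits -g, so the tunnels stay reachable only from your own machine; the names, the second port and the spec format are assumptions.

```shell
#!/bin/sh
# Added example (not from the answer): build a single ssh command that opens one
# -L tunnel per admin site, each bound to its own 127.0.0.0/8 address, and print
# the matching hosts-file lines. Spec format (constructed): name=bind_ip:lport:rport

# Succeed if $1 is a dotted quad inside 127.0.0.0/8.
is_loopback() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  [ $# -eq 4 ] && [ "$1" = 127 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac   # digits only
    [ "$o" -le 255 ] || return 1
  done
}

# Usage: tunnel_cmd user@host spec...  -> prints the ssh command line.
# -N: no remote shell, only forwards. No -g: the binds stay local to this machine.
tunnel_cmd() {
  target=$1; shift
  cmd="ssh -N"
  for spec in "$@"; do
    name=${spec%%=*}; rest=${spec#*=}
    bind=${rest%%:*}; rest=${rest#*:}
    lport=${rest%%:*}; rport=${rest#*:}
    is_loopback "$bind" || { echo "refusing non-loopback bind for $name: $bind" >&2; return 1; }
    cmd="$cmd -L $bind:$lport:localhost:$rport"
  done
  echo "$cmd $target"
}

# Usage: hosts_lines spec...  -> prints "ip name" lines for /etc/hosts.
hosts_lines() {
  for spec in "$@"; do
    rest=${spec#*=}
    echo "${rest%%:*} ${spec%%=*}"
  done
}

# Constructed specs: the Mongo status page port from the question plus a second,
# made-up admin port; both reuse local port 4321 and differ only by bind address.
SPECS='mongo.tunnel=127.1.2.3:4321:28017 rabbit.tunnel=127.1.2.4:4321:15672'
tunnel_cmd user@my.server.ip $SPECS
hosts_lines $SPECS
# On macOS each extra address must first be added: ifconfig lo0 alias 127.1.2.3
```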
14

What you describe is not possible. But there's still good news:

What is possible, however, is to establish a dynamic connection with the SSH server. This will open a port on your local computer to which you can point the proxy setting of your browser and allow you to use the tunnel as a proxy server. But you have to type a hostname/IP and port into the browser as if the browser were running on the machine the SSH server is on.

Command looks like this: ssh user@server.example.com -D 1234
Then point your browser's proxy to localhost:1234.

So if you tunnel into Server A, and want to connect to server B, you type into your browser whatever address you would type into a Browser running on Server A. If a browser running on server A could not connect to Server B (if the process on Server B only listens on 127.0.0.1) then you still couldn't connect. It sounds like you just have the one server, but I wanted to be sure this was clear.

If you just have the one server, you tunnel into it with the Dynamic connection, set your proxy. You will then be able to type "localhost:1234" (for example) into the browser and it will connect to the service running on the remote server on port 1234.

Security side note: Never never never set up a server where root can SSH in! Serious security flaw. Create a normal user account (who is allowed to su or sudo) and SSH in as that user.

Chris S
  • You're using -L 1234 (local port forward) when you should be using -D 1234 (dynamic port forward). And perhaps also avoid using -g; -g means that remote hosts can connect to your forward, which is not what you want if you're doing this from your workstation. – Mattias Ahnberg Jan 06 '12 at 21:17
  • Thanks, Chris. I've already tried that. I cannot use the ssh command with just a port specified. It returns an error: "Bad local forwarding specification '1234'" – brains_at_work Jan 06 '12 at 21:37
  • @matthias-ahnberg: Great, that did the trick. With the dynamic forwarding, I can now use the port as a proxy and localhost:someport calls are directed to the remote server. – brains_at_work Jan 06 '12 at 21:50
  • @MattiasAhnberg Wow, what a brainfart. Thank you for the correction. – Chris S Jan 06 '12 at 21:53
  • I followed this process but got "The connection was reset" error in Firefox. – rivu Jul 10 '14 at 21:16
6

Create a dynamic application-level port forwarding (a SOCKS proxy, basically) with your SSH tunnel, and then point your applications through this one. To create a dynamic tunnel, connect as follows:

ssh user@host.domain.com -D 127.0.0.1:31337

Then configure your application to use this as a SOCKSv5 proxy.

If you want a hostname bound to this, just add /etc/hosts entries that point to 127.0.0.1, but a prettier way might be to add 127.0.0.2 for the first tunnel and a hosts entry for it, 127.0.0.3 for the second tunnel and a separate hosts entry for that one, etc. If you add aliases for 127.0.0.1, sometimes this alias will appear in other commands' lookups of localhost, which can be confusing!

To smoothly use this in a web browser you can use a proxy addon; as an example, I favor the Chrome web browser and for this one I use an addon called Proxy Switchy!. You can download it here:
https://chrome.google.com/webstore/detail/caehdcpeofiiigpdhbabniblemipncjj

In the configuration of this addon I can define several separate proxies, and then bind regular expressions of hosts/URLs to use certain proxies, this way I'll always be properly redirected through the right tunnels without having to manually switch. Please let me know if you need further clarification on any of the steps!

Mattias Ahnberg
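A check for the -g caveat raised in the comments and in the answer above (a forward or SOCKS listener that ends up bound to all interfaces is reachable by every host on your network), as an added example that is not part of any answer on this page: a POSIX shell function that reads a listing in the layout of `ss -ltn` and reports LISTEN sockets whose address is not loopback. The sample listing is constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the answer): after opening a -D or -L tunnel, verify
# the listener is bound to loopback only. Without -g, ssh binds to 127.0.0.1;
# with -g (or a 0.0.0.0 bind address) the proxy is open to the whole LAN.
# Input on stdin: text in the layout of `ss -ltn` (LISTEN lines of netstat work too).

# Print "addr:port" of every LISTEN socket whose address is not loopback.
# Returns success (0) if at least one exposed listener was found, else 1.
exposed_listeners() {
  found=1
  while read -r state rq sq laddr rest; do
    [ "$state" = LISTEN ] || continue
    addr=${laddr%:*}                 # strip the port (last colon-separated field)
    case "$addr" in
      127.*|'[::1]'|::1) ;;          # loopback only: fine
      *) echo "$laddr"; found=0 ;;   # 0.0.0.0, *, a LAN address, [::] ...
    esac
  done
  return $found
}

# Constructed sample in `ss -ltn` layout: a safe SOCKS listener on 127.0.0.1,
# a tunnel exposed on all IPv4 interfaces (what -g does), a safe IPv6 one,
# and a wildcard listener.
SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:31337     0.0.0.0:*
LISTEN 0      128    0.0.0.0:4321        0.0.0.0:*
LISTEN 0      128    [::1]:1234          [::]:*
LISTEN 0      128    *:8080              *:*'

if printf '%s\n' "$SAMPLE" | exposed_listeners; then
  echo "WARNING: the listeners above are reachable from other hosts" >&2
fi
```

Run the real check with `ss -ltn | exposed_listeners` (Linux) or `netstat -an | exposed_listeners` after starting the tunnel; an empty result means only your own machine can use it.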