firestuff/2006-01-23-ssh-tunnelling-101.html

<!--# set var="title" value="SSH Tunnelling 101" -->
<!--# set var="date" value="2006-01-23" -->

<!--# include file="include/top.html" -->

<h2>The Players</h2>

<p>I’ll be referring to 3 hosts:</p>

<ul>
<li>A: The server; this machine is behind a firewall that allows outgoing connections but doesn’t allow incoming.</li>
<li>B: The bounce host; this machine is unfirewalled.</li>
<li>C: The client.</li>
</ul>

<h2>Configuring B</h2>

<p>Some sshd configuration needs to be done on B before any of this will work. In the sshd_config file (/etc/ssh/sshd_config on Debian):</p>

<pre><code>AllowTcpForwarding yes
GatewayPorts yes
</code></pre>

<p>Remember to restart sshd after making changes (/etc/init.d/ssh restart).</p>

<h2>Building the Tunnel</h2>

<p>On A, run:</p>

<pre><code>ssh -g -n -R &lt;port on B&gt;:127.0.0.1:&lt;port on A&gt; &lt;address of B&gt; sleep 999999
</code></pre>

<p>This will hang with no output; that’s the expected result.</p>

<p>You should now be able to connect to the port on B and be talking to A. To get this to restart if the connection dies, run it inside:</p>

<pre><code>while :; do &lt;command&gt;; done
</code></pre>

<p>As with all shell commands, put a “&amp;” on the end to run it in the background.</p>

<h2>Tunnelling FTP</h2>

<p>Due to a trick in the FTP protocol, you can use this tunnelling arrangement but have FTP data connections go directly from A to C, without touching B. This only works with so-called “active” FTP (using the PORT command instead of PASV). C must also be unfirewalled for this to work.</p>

<p>The only thing you’ll need to change is the FTP server configuration. In proftpd.conf, add:</p>

<pre><code>AllowForeignAddress on
</code></pre>

<p>For pure-ftpd, run it with the “-w” commandline flag, or with a file named “AllowUserFXP” and a contents of “on” if you’re using pure-ftpd-wrapper.</p>

<!--# include file="include/bottom.html" -->