In certain situations, I need to connect to a remote network via a bastion host but only have SSH available to me. To get around installing some kind of VPN gateway, the easiest thing to do is to create an SSH tunnel.
What you set up here is local port forwarding: a port on your own machine is forwarded, through the SSH session to the intermediate (bastion) host, on to a port on the remote host.
The command format to do this on OSX is:
ssh -C -L <LOCAL-PORT>:<REMOTE-IP>:<REMOTE-PORT> <USERNAME>@<BASTION-HOST>
So for example, I can forward local port 1000 on my Mac to the remote device’s port 23 using this command (sudo has to be used for local ports lower than 1024; note that sudo runs the ssh client as root, so it uses root’s ~/.ssh, i.e. root’s config, keys and known_hosts, rather than your own):
sudo ssh -C -L 1000:10.200.0.1:23 labuser@jumpbox.customer.com
Once authenticated, I can open another terminal window and type:
telnet localhost 1000
and hey-presto, I get connected to a remote router via telnet through an encrypted SSH tunnel! The -C parameter is for compression and isn’t actually necessary. Bear in mind that the encryption only covers the hop from your machine to the bastion; the leg from the bastion to the router is still plain telnet, so the bastion (and anyone who can sniff that network segment) can see the session.
If you need to create a number of local port-forwards, this can be done in a config file instead. By default the SSH client reads /etc/ssh/ssh_config for system-wide parameters, and also the ~/.ssh/config file (if it exists) for user-specific parameters. I don’t want to port-forward all the time, so I will create a non-standard local config file called ~/.ssh/customer-a.cfg
In this file I put my various port-forwards, one directive per line, in this format:
LocalForward 10000 10.200.0.1:23
LocalForward 10001 10.200.0.2:23
Once that is saved, I simply SSH once to the bastion host using the -F switch to specify the local config file that I just created:
ssh -F .ssh/customer-a.cfg labuser@jumpbox.customer.com
Once that’s authenticated, open a second window and telnet to localhost port 10000 or 10001 as required.
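As an added example (my own script, not part of the original post), the following POSIX shell script generates a per-customer config of the kind described above, covering both the single -L forward and the multi-forward config file. It puts one LocalForward per line under a Host alias, validates each entry (well-formed spec, sane port numbers, no duplicate local ports), flags ports below 1024 that would need root, pins the listener to 127.0.0.1 so the tunnel entry point is not reachable from other machines on your LAN, and writes the file owner-only. The alias customer-a, the user, the bastion name and the 10.200.0.x addresses are placeholders taken from the post’s illustration.

```shell
#!/bin/sh
# Added example, not from the original post: generate a per-customer SSH client
# config with one LocalForward directive per line, validate the entries, and
# write it with owner-only permissions. The alias, user, bastion and 10.200.0.x
# addresses are placeholders copied from the post's illustration.
set -eu

# valid_port N: succeed if N is an integer in 1..65535.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_forward_cfg ALIAS USER BASTION SPEC...
# Each SPEC is LOCALPORT:REMOTEIP:REMOTEPORT. Prints the config to stdout.
# Fails on a malformed spec or a duplicate local port; warns on stderr when a
# local port is below 1024, because ssh then has to run as root (and as root it
# reads root's ~/.ssh config, keys and known_hosts rather than yours).
gen_forward_cfg() {
  host_alias="$1"; user="$2"; bastion="$3"; shift 3
  seen=" "
  printf 'Host %s\n' "$host_alias"
  printf '    HostName %s\n' "$bastion"
  printf '    User %s\n' "$user"
  for spec in "$@"; do
    case "$spec" in
      *:*:*) ;;
      *) echo "bad spec (want LPORT:RIP:RPORT): $spec" >&2; return 1 ;;
    esac
    lport=${spec%%:*}; rest=${spec#*:}
    rip=${rest%%:*}; rport=${rest#*:}
    valid_port "$lport" && valid_port "$rport" \
      || { echo "bad port in spec: $spec" >&2; return 1; }
    case "$seen" in
      *" $lport "*) echo "duplicate local port: $lport" >&2; return 1 ;;
    esac
    seen="$seen$lport "
    [ "$lport" -ge 1024 ] || echo "note: port $lport needs root (sudo ssh)" >&2
    # Bind to loopback explicitly so the listener is never reachable from other
    # hosts on the LAN (ssh defaults to loopback unless GatewayPorts is set,
    # but stating it makes the intent reviewable in the file).
    printf '    LocalForward 127.0.0.1:%s %s:%s\n' "$lport" "$rip" "$rport"
  done
}

# write_forward_cfg PATH ALIAS USER BASTION SPEC...: as above, but written to
# PATH with mode 0600 so nobody else on the machine can add forwards to it.
# A half-written file is removed if validation fails.
write_forward_cfg() {
  path="$1"; shift
  ( umask 077; gen_forward_cfg "$@" > "$path" ) || { rm -f "$path"; return 1; }
}

# Demo: `sh thisfile.sh --demo` prints the config the post describes.
if [ "${1:-}" = "--demo" ]; then
  gen_forward_cfg customer-a labuser jumpbox.customer.com \
    10000:10.200.0.1:23 10001:10.200.0.2:23
fi
```

With the file written by write_forward_cfg "$HOME/.ssh/customer-a.cfg" customer-a labuser jumpbox.customer.com 10000:10.200.0.1:23 10001:10.200.0.2:23, the connection becomes ssh -F ~/.ssh/customer-a.cfg customer-a, since the Host alias carries the user and bastion name; the telnet step to localhost 10000 or 10001 is unchanged.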