Digging tunnels with SSH

SSH tunnels are an old trick, which is recently getting increasingly popular with all this content filtering happening at the corporate or even at the national level. This article demonstrates how to use SSH tunnels, bypass content filters and avoid port restrictions, even through HTTP proxy servers.

No time to waste, we will keep this article short and to the point. Tunneling modes:

Local or -L <local port>:<remote host>:<remote port>

This mode allows you to bind a port on your side of the SSH connection and if you connect to it, your connection will be forwarded to the remote host on remote port. For remote host‘s point of view, the connection will seem to originate from the machine or device that you have SSH-ed into, therefore you can use that method to reach hosts and ports unreachable to you, but reachable from the server that you have SSH-ed into. This will be useful if you want to access the intranet web server at your office, but you only have SSH access to another server – in this case you would use ssh -L 8080:<intranet web server>:80 <another server with ssh> and then you will open in your browser. You can further extend that access to the local LAN that you are in if you type ssh -L<intranet web server>:80 <another server with ssh> (assuming that is your IP in the local LAN) which will allow everyone in the local LAN to access the intranet web server by typing in their browsers.

Remote or -R <remote port>:<local host>:<local port>

Well, the remote more allows you to do just the opposite – with this mode you can SSH into a remote server and listen for connections on remote port. Then if someone connects to that port, the connection will be forwarded to local host on local port, where local host is a machine which is accessible from your workstation or from wherever you are running the command. From local host‘s point of view, the connection will be originating from your workstation. If we use the example from above, and for the sake of the example we will assume that you are abroad and you need to access the intranet web server, but SSH connections are not allowed from the Internet – then a colleague of yours can SSH into a server in the Internet with the following command ssh -R 8080:<intranet web server>:80 <internet ssh server>, thus granting you with access to the intranet web server, if you manage to access port 8080 on the internet ssh server. The tricky part here will be that by default your newly created listener on port 8080 will be bound to the loopback address, otherwise known as This is for security and can be changed by setting the GatewayPorts option of the SSH server running on the internet ssh server to either yes or clientspecified. Ofcourse the other way around this will be for you to create a local tunnel by running ssh -L 8080: <internet ssh server> and then open in your browser.

SOCKS proxy mode or -D 1080

This will create a SOCKS proxy server on your workstation and will allow you to point your browser or any SOCKS proxy aware program to it, thus avoiding content filtering or port filtering at your end and also securing your traffic with an additional layer of encryption. A little trick that you could utilize with this method, if the program that you need to run is not SOCKS aware, would be to use the tsocks package available in most modern distributions. What this little software does is to transparently intercept all connections that your program creates and then forward the to the SOCKS server. In Ubuntu you can install it by running $ sudo apt-get install tsocks and then you need to tweak the options in /etc/tsocks.conf by setting server =, server_type = 4 and server_port = 1080. Now when you start your program just type tsocks in the beginning of the command line, which will do set LD_PRELOAD to dynamically load the tsocks library responsible for the interception of the connections.

And speaking of tricks, in corporate environments you will frequently find yourself in a situation where the only Internet access that you can get your hands on will be through a HTTP proxy. Fear not, as corkscrew comes to the rescue! This simple tool uses the CONNECT method, implemented by all proxies for connecting to SSL encrypted sites, to establish a TCP connection through the proxy. Just install the package by typing $ sudo apt-get install corkscrew and the append -o ProxyCommand corkscrew <proxy server IP> <proxy server port> %h %p to your ssh command. Here you will have to keep in mind the some of the proxies only allow the CONNECT method to be used on port 443, so it might be a good idea to have an SSH server running on port 443 – just in case. And ofcourse that if you are running the SSH server on any port different than 22 (443 for example), don’t forget to specify the correct SSH server port by appending -p <SSH server port> to your ssh command.

Leave a Reply




You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>