The StackOverflow discussion What’s ssh port forwarding and what’s the difference between ssh local and remote port forwarding [duplicate] has a good visual comparison/explanation of the difference between
ssh -L (-L stands for local) and ssh -R (-R stands for remote). sshtunnel is a Python implementation of SSH tunnel (based on paramiko).
SSH Tunnel
You can create an SSH tunnel from your local machine to a server using the command below.
:::bash
ssh -i /path_to_key -fND 1080 user@server_ip
The created SSH tunnel is essentially a socks5 proxy
and can be accessed as localhost:1080.
If you want the tunnel (socks5 proxy) to be accessible by other machines as well
rather than the localhost only,
you can bind it to all IPs.
The socks5 proxy opened by ssh -D requires no authentication, so once it is bound to all IPs any machine that can reach port 1080 can use it.
:::bash
ssh -i /path_to_key -fND "*:1080" user@server_ip
You can verify that the tunnel (socks5 proxy) is working using the following command.
:::bash
netstat -tlnp
Or you can try to visit a website using curl through the socks5 proxy.
:::bash
curl --socks5 localhost:1080 www.google.com
Reverse SSH Tunnel
:::bash
ssh -fN -L 8888:localhost:8888 user@domain.com
ssh -o ProxyCommand='ssh <bastion_server> -W %h:%p' -R 20000:localhost:22 <target_server>
For more discussions,
please refer to
reverse
Advanced Usage 1: SSH into a Server Using Proxy
:::bash
ssh -o ProxyCommand='ssh bastion_server -W %h:%p' target_server
Advanced Usage 2: SSH Tunnel to Avoid 2FA
Suppose you have 2 machines A and B. Machine B is only accessible from machine A using SSH through 2FA. You can create and persist an SSH tunnel from machine A to machine B (2FA is still required when creating the SSH tunnel). Then you can avoid 2FA when connecting from machine A to machine B by using the created SSH tunnel as a socks5 proxy through tools such as ProxyChains.
If you do not want to rely on another tool (such as ProxyChains), you can configure SSH to persist and reuse connections. For more discussions on this, please refer to the SSH Tunnel - Multiplexing / ControlMaster.
Advanced Usage 3: Access Service in an Indirectly Accessible Remote Server
Suppose you have 2 machines A and B. Machine B cannot visit the public network or machine A. However, machine B is accessible (directly or via a bastion server) from machine A using SSH and machine A can visit the public network. You can follow the steps below to access a service running on machine B.
Start the service on machine B if it is not already running. Let's use the JupyterLab server as an example here, and assume it is running on port 8888 on machine B.
Run the following command on machine A to forward visits of port 3333 on machine A to port 8888 on machine B.
:::bash
ssh -fNL 3333:localhost:8888 ip_of_machine_b
You can then visit
ip_of_machine_a:3333 to access the JupyterLab service running on machine B. By default the forwarded port 3333 is bound to the loopback address of machine A only, so it answers on localhost:3333; to reach it as ip_of_machine_a:3333 from other machines, bind it to all IPs with a "*:" prefix as in the socks5 example above.
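Whether a forwarded port such as 3333 or the socks5 port 1080 is reachable only from the machine running ssh or from the whole network shows up in the Local Address column of `netstat -tlnp`. The following added example (not from the original post) classifies ssh-owned listeners from that output; the sample lines, PIDs and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify ssh tunnel listeners from `netstat -tlnp` output.

# Constructed sample of `netstat -tlnp` output (not captured from a real host).
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3333          0.0.0.0:*               LISTEN      4021/ssh
tcp        0      0 0.0.0.0:1080            0.0.0.0:*               LISTEN      4188/ssh
tcp6       0      0 ::1:3333                :::*                    LISTEN      4021/ssh
tcp6       0      0 :::1080                 :::*                    LISTEN      4188/ssh
tcp        0      0 127.0.0.1:8888          0.0.0.0:*               LISTEN      3900/python3
EOF
}

# Read `netstat -tlnp` output on stdin and print "scope port pid" for every
# listener owned by the ssh client (a tunnel); sshd and other programs are skipped.
classify_ssh_listeners() {
  awk '
    $6 == "LISTEN" && $7 ~ /^[0-9]+\/ssh$/ {
      addr = $4
      port = addr; sub(/.*:/, "", port)      # text after the last colon
      host = substr(addr, 1, length(addr) - length(port) - 1)
      # 127.0.0.0/8 and ::1 are loopback; 0.0.0.0, :: or a NIC address are not
      scope = (host ~ /^127\./ || host == "::1") ? "loopback" : "exposed"
      pid = $7; sub(/\/.*/, "", pid)
      print scope, port, pid
    }'
}

# Ports of ssh tunnels that other machines can connect to, de-duplicated.
exposed_tunnel_ports() {
  classify_ssh_listeners | awk '$1 == "exposed" { print $2 }' | sort -nu
}

sample_netstat | classify_ssh_listeners
```

On a real host, pipe `netstat -tlnp` into `exposed_tunnel_ports`; run netstat as root, otherwise the PID/Program name column is empty for processes owned by other users.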
Advanced Usage 4: SSH Reverse Tunnel + SSH Tunnel
:::bash
ssh -o ProxyCommand='ssh bastion_server -W %h:%p' -R 20000:localhost:22 target_server
Advanced Usage 5: SSH Reverse Tunnel + SSH Tunnel
Suppose you have 2 machines A and B. Machine B cannot visit the public network or machine A. However, machine B is accessible (directly or via a bastion server) from machine A using SSH and machine A can visit the public network. You can follow the steps below to access the public network from machine B.
Create a reverse SSH tunnel from machine A to machine B.
:::bash
ssh -i /path_to_key -o ProxyCommand='ssh bastion_server -W %h:%p' -R 20000:localhost:22 ip_of_machine_b
Create an SSH tunnel on machine B. Port 20000 on machine B is the reverse tunnel to the SSH server on machine A, so connecting through it makes machine A the exit of the socks5 proxy.
:::bash
ssh -i /path_to_key -p 20000 -fND 1080 localhost
Use the created SSH tunnel as a socks5 proxy to visit the public network via proxychains.
:::bash
proxychains pip3 install torch