Friday, October 01, 2010

Remote port forwarding - exposing an internal webserver

Example 4: Remote port forwarding - exposing an internal webserver

Remote port forwarding is sometimes useful for granting temporary access to services on clients which are otherwise unreachable (perhaps the client has an unroutable RFC 1918 address behind a NAT or firewall). If the client is not configured to accept inbound SSH connections, this can still be done with remote port forwarding over an outbound connection. (For OpenSSH, note that you may need to set "GatewayPorts yes" in "sshd_config" to achieve on the server what "ssh -g" does on the client, that is, allow any host, not just the server itself, to connect to the forwarded port; by default sshd binds a remotely forwarded port to the server's loopback interface only.)

Consider a PC which is running a webserver but is protected by firewall rules that accept no inbound connections (except from itself). Furthermore, imagine this host has the unrouted private address 192.168.1.1 and can reach the internet only outbound through a NAT. If you can ssh from the PC to a host with a public address, you can briefly make that webserver publicly available with ssh port forwarding (for example, while you are on the phone with someone), provided you judge the risk of serving its data to a random attacker while it is exposed to be acceptably low. To do so, establish an ssh connection such as this:

ssh -R4567:localhost:80 some-server
which will make it look like your PC's webserver is a server on "some-server" at port 4567 (reachable from other hosts only if some-server's sshd has GatewayPorts enabled, as noted above; otherwise the port is bound to some-server's loopback interface). Anyone who connects to:
http://some-server:4567/some/path
will get the same webpage you get on your PC when you connect to:
http://localhost:80/some/path
When you are done, end the ssh session and the forwarded port on some-server closes with it.
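As an added example (not code from the NDC page or from this post), the following POSIX shell script assembles the ssh -R command from the text and checks a copy of the server's sshd_config for the GatewayPorts setting that decides whether port 4567 is reachable from other hosts or only from some-server's own loopback. The sshd_config lines are constructed sample input; some-server, port 4567 and the local port 80 come from the text; the -N and -o ExitOnForwardFailure=yes client options are standard OpenSSH options added here, and the script assumes the sshd_config has no Match blocks.

```shell
#!/bin/sh
# Added example (not from the NDC page): assemble the ssh -R command and
# check, from the server's sshd_config text, whether the forwarded port will
# actually be reachable from hosts other than the server itself.

# Build the -R argument. With no bind address sshd binds the port to the
# server's loopback interface (the default). With 0.0.0.0 the client asks
# for every interface, which sshd only honours when GatewayPorts is
# "yes" or "clientspecified".
remote_forward_spec() {
    # $1 remote port, $2 target host as seen from the client, $3 target port,
    # $4 optional bind address on the server
    if [ -n "${4:-}" ]; then
        printf '%s:%s:%s:%s\n' "$4" "$1" "$2" "$3"
    else
        printf '%s:%s:%s\n' "$1" "$2" "$3"
    fi
}

# Print the full ssh command. -N: no remote shell, the session exists only
# for the tunnel. -o ExitOnForwardFailure=yes: if sshd cannot bind the port
# (already in use, or not permitted) ssh exits instead of printing a warning
# and leaving you with a session that forwards nothing.
ssh_expose_command() {
    # $1 server, $2 remote port, $3 local target port, $4 optional bind address
    printf 'ssh -N -o ExitOnForwardFailure=yes -R %s %s\n' \
        "$(remote_forward_spec "$2" localhost "$3" "${4:-}")" "$1"
}

# Read sshd_config from stdin and print the effective GatewayPorts value.
# sshd uses the first value it finds for a keyword, comment lines are
# ignored and the default is "no". Assumption: no Match blocks in the file.
gateway_ports_setting() {
    awk 'BEGIN { v = "no" }
         /^[[:space:]]*#/ { next }
         tolower($1) == "gatewayports" { v = tolower($2); exit }
         END { print v }'
}

# Return 0 if a forward requested with bind address $2 will be reachable
# from other hosts under GatewayPorts value $1, 1 if it stays on loopback.
forward_is_public() {
    case "$1" in
        yes) return 0 ;;        # sshd binds the wildcard address regardless
        clientspecified)
            case "${2:-}" in
                ""|localhost|127.0.0.1|::1) return 1 ;;
                *) return 0 ;;
            esac ;;
        *) return 1 ;;          # "no" (or unset): loopback only
    esac
}

# Constructed sample sshd_config (not a real server's file): the commented
# line and the second GatewayPorts line must both be ignored.
SAMPLE_SSHD_CONFIG='# GatewayPorts yes
Port 22
gatewayports clientspecified
GatewayPorts yes
'

gp=$(printf '%s' "$SAMPLE_SSHD_CONFIG" | gateway_ports_setting)
echo "effective GatewayPorts on some-server: $gp"

# The command exactly as in the text: no bind address requested.
ssh_expose_command some-server 4567 80
if forward_is_public "$gp" ""; then
    echo "port 4567 will be reachable from other hosts"
else
    echo "port 4567 binds to some-server's loopback only"
fi

# With clientspecified, asking for 0.0.0.0 makes the port public.
ssh_expose_command some-server 4567 80 0.0.0.0
if forward_is_public "$gp" 0.0.0.0; then
    echo "port 4567 will be reachable from other hosts"
fi
```

If the server runs with the default GatewayPorts no, neither form opens the port to the outside; the only way to get the effect the text describes is to change sshd_config on some-server (and reload sshd), so check that first rather than assuming the forward worked because ssh printed no error.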

Reference source:

"ssh -R4567:localhost:80 some-server which will make it look like your PC's webserver is a server on "some-server" at port: 4567. Anyone who connects to: http://some-server:4567/some/path"
- NDC Logical Firewall - SSH Port Forwarding (viewed in Google Sidewiki)
