These documents are obsolete; please use the Nethence Documentation instead.
There are several types of SSH tunnels.
The tunnel types described below refer to the following hosts:
- a workstation at home, named 'homestation'
- a personal server, named 'myserver'
- a workstation behind NAT and firewalls, named 'entstation'
- a server behind NAT and firewalls, named 'entserver'
- a bounce server behind that same NAT and firewalls, named 'bounceserver'
1/ From your home workstation, you want to secure POP3 sessions to your personal server. For example, you want myserver's port 110 available locally on port 1025. Initiate the tunnel from 'homestation',
ssh -L 1025:localhost:110 user@myserver
2/ From the enterprise workstation, you want to use your personal server's proxy. For example, you want myserver's port 8080 available locally on the same port. Initiate the tunnel from 'entstation',
ssh -L 8080:localhost:8080 user@myserver
From your personal server, you want to access the enterprise server, which may be protected behind firewalls and NAT. For example, you want to send entserver's port 22 to myserver's port 2290.
You need to initiate the remote (reverse) tunnel from 'entserver',
ssh -R 2290:localhost:22 user@myserver
Reverse tunnel through bounce
From 'myserver' you want to access 'entserver1' and 'entserver2' through a bounce server (possibly Windows with Cygwin or OpenSSH for Windows), all behind firewalls and possibly NAT. For example, you want to send entserver1's port 22 to myserver's port 2291 and entserver2's port 22 to myserver's port 2292.
You need to initiate the remote tunnels from 'bounceserver',
ssh -R 2291:entserver1:22 user@myserver
ssh -R 2292:entserver2:22 user@myserver
Note: once everything works, add the -nNT options to the ssh command so that it runs in the background.
You may also want to add a watchdog loop.
Prepare password-less (key-based) authentication (see http://pbraun.nethence.com/doc/security/sshd.html). You may want to create a restricted user on your personal server for this purpose.
Then make a watchdog loop that restarts the tunnel whenever it drops,
while true; do
    ssh -nNT -R 2290:localhost:22 user@myserver
    sleep 10   # pause before reconnecting, otherwise a refused connection spins the loop
done
Enable it at startup, e.g. on HP-UX, with an rc script that only acts on the 'start' argument,
[[ $1 = start ]] || exit 1   # ignore 'stop' and any other argument
and make the script executable,
chmod +x S999watchdog
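The watchdog and startup steps above, as an added example that is not part of the original page: a POSIX sh script for the entserver to myserver:2290 case, also usable for the bounce tunnels (2291 and 2292), with the OpenSSH options that make the loop actually detect a dead tunnel. User name, host names and the retry delay are placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: a reverse-tunnel watchdog for
# the 'entserver' -> 'myserver:2290' case above. User name, host names and
# the retry delay are placeholders; override them from the environment.
TUNNEL_USER="${TUNNEL_USER:-user}"
TUNNEL_HOST="${TUNNEL_HOST:-myserver}"
RETRY_DELAY="${RETRY_DELAY:-10}"

# Print the ssh command for one reverse tunnel: myserver's port $1 is
# forwarded to $2:$3 as seen from the host running this script.
#   -nNT                 : no stdin, no remote command, no pty (tunnel only)
#   ExitOnForwardFailure : exit (so we retry) if myserver refuses the port,
#                          instead of staying up with a useless session
#   ServerAlive*         : notice a silently dead connection within ~1 min;
#                          without it the loop never sees the tunnel die
# Do NOT add -f here: ssh would fork and return at once, and the loop would
# spawn a new tunnel every RETRY_DELAY seconds.
tunnel_cmd() {
    printf 'ssh -nNT -o ExitOnForwardFailure=yes -o ServerAliveInterval=20 -o ServerAliveCountMax=3 -R %s:%s:%s %s@%s' \
        "$1" "$2" "$3" "$TUNNEL_USER" "$TUNNEL_HOST"
}

# Run a command and restart it whenever it exits. $1 = maximum number of
# attempts (0 = forever), $2 = command string. Logs go to stderr; the
# number of attempts made is printed on stdout when the loop ends.
watchdog() {
    max=$1; cmd=$2; n=0
    while :; do
        n=$((n + 1))
        if eval "$cmd" 1>&2; then rc=0; else rc=$?; fi
        echo "$(date '+%Y-%m-%d %H:%M:%S') tunnel exited rc=$rc, retry in ${RETRY_DELAY}s" >&2
        if [ "$max" -gt 0 ] && [ "$n" -ge "$max" ]; then break; fi
        sleep "$RETRY_DELAY"
    done
    echo "$n"
}

# Started as 'S999watchdog start' from the rc directory (the HP-UX stanza
# above), keep the entserver tunnel up forever; for the bounce case, add
# one watchdog per tunnel, e.g. "$(tunnel_cmd 2291 entserver1 22)".
if [ "${1:-}" = start ]; then
    watchdog 0 "$(tunnel_cmd 2290 localhost 22)" &
fi
```

The restricted user on myserver should hold only the tunnel key, so a compromised entserver gains nothing more than the forwarded port.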
Last update: Jan 02, 2011