Lucky for us all there is the -D option for the ssh command. This option turns the ssh connection in to a SOCKS proxy on the remote server. The potential uses for this are huge. I often use this feature to gain quick access to my whole network.

Setting it up

superbox$ ssh -D 31337 someserver

Using it

To use this you will need to configure your applications to connect through the SOCKS proxy. Firefox is pretty easy to configure. The settings for the proxy live in the Preferences under the Advanced section in the Network tab. Click the Settings… button to bring up a dialog similar to the one on the right. Set the SOCKS host to localhost and the port to the one you chose when connecting.

Now that the proxy is setup you can test out that you’re proxy is working by visiting http://whatismyipaddress.com/ to check to see if it looks like you are accessing the site from a new IP address.

In the next installment of SSH Tricks we’ll talk about using ssh config files to save time and energy.

Overview

Port forwards are a way of mapping a TCP from one side of the ssh connection to the other. They are established using the -L and -R parameters to the ssh command. These stand for local and remote port forwards. A local forward takes a port on the local machine and connects it to an IP address and port from the remote machine. As you suspect, a remote forward takes a port on the remote machine and connects is to an IP address and port from machine you are connecting from.

Examples

You could forward port 80 from an  internal web server to port 8188 on the machine you are connecting from. This is a sort of poorman’s VPN. You can gain access to resources inside your network via SSH local port forwards. After connecting to your gateway machine you would be able to access the web server at http://localhost:8188.  To actually do this the command would look like this:

superbox$ ssh -L 8188:internalweb:80 homerouter

Another common use for this is securing VNC access. Many VNC servers offer the option to only accept connections from localhost. By combining this option with a ssh local forward  you can create an encrypted VNC session. This would be done by doing:

superbox$ ssh -L 5900:localhost:5900 vncserver

Remote port forwards are much less common. Lets say you have a local web server running on your workstation and you’d like your friend to take a look at an error on a hot new web app. you’re developing. The catch is you don’t want to let them login to your machine to do a local forward to gain access to your server. In this case you could use a remote port forward like this:

superbox$ ssh -R 8188:localhost:80 untrusted-friend

Your somewhat trustworthy friend could then access your web server at http://localhost:8188.

In the next installment of this series we will reveal a way to make your SSH connection behave even more like a VPN.