Port forwarding from the remote side

7.2 Port forwarding from the remote side

Let us now reverse the situation. Let’s say Jack gets home, and wants to connect to his office computer from home. This poses a different problem because no computer at work has a SSH server. Worse yet, the company router blocks all incoming port 22 traffic anyway.

Jack can overcome this difficulty without breaching network security at work. We can assume that the configuration is the same as the previous section. In order to reverse the direction, here is what Jack needs to do.

Jack has to add a line to /etc/ssh/sshd_config on the SSH server at home:

GatewayPorts yes

Then he has to restart the SSH server:

/etc/init.d/ssh restart

This enables the SSH server to listen to incoming connections from not only localhost, but from all of its interfaces.

On the office computer, install x11vnc as a bridge and a VNC server. We can assume that Jack configures x11vnc to listen to port 5902 on this machine. Not trusting his colleagues, Jack can block all incoming traffic into his office machine.

Before Jack leaves work, he has to start x11vnc and run the following command:

ssh -R 192.168.5.20:5907:localhost:5902 someone@somehost

Let’s chop the -R option down to explain it a little more:

192.168.7.20
This specifies the binding address of the SSH server. If this is not specified, it defaults to localhost. Note that this address is seen from the perspectives of the SSH server, which in our example is running in Jack’s home.
5907
This specifies which port the SSH server should listen to.
localhost
This specifies the destination host, seen from the computer running the SSH client. In this case, this refers to Jack’s office computer.
5902
This specifies the destination port on Jack’s office computer.

Essentially, the -R option says “all connections made to 192.168.5.20 port 5907 on the SSH server at somehost will be forwarded to port 5902 of the localhost of the SSH client.”

One the connection is established, Jack and go home. When Jack arrives home, he has to install a VNC client on his desktop machine (192.168.5.3). Then he can run the following command:

vncviewer -encodings hex 192.168.5.20:7

This command attempts to connect to port 5907 of the local machine 192.168.5.20. Fortunately, port 5907 of 192.168.5.20 is already being monitored by the SSH server because of the SSH command Jack used at work. As a result, the connection is forwarded to port 5902 of Jack’s work computer running the SSH client. Port 5902 on Jack’s work computer is being monitored by the VNC server. As a result, Jack will successfully connect the VNC client from his home desktop computer to the work computer, and be able to remotely control the desktop at work.

How much security exposure has Jack opened up? This set up essentially extends his office computer to his home computer. If we can assume that his home computer is no less secure than his work computer, then there is no problem.

[prev] [prev-tail] [front] [up]