2

I am using Putty to achieve SSH Reverse Tunnel Port Forwarding. Most of the tutorials are teaching me to forward remote port to localhost port. However, may I know is it make sense to input other host such as 192.168.1.132:8081 into the Destination field?

I have tried to do that. 192.168.1.132:8081 is a working web server with a contented page, but I got ERR_EMPTY_RESPONSE when I visit localhost:12345 (I set port 12345 as the source port) from the client device.

My Putty Configurations

Outgoing Proxy configuration:

Outgoing Proxy configuration

Tunneling config (the Dynamic one is for the Socks5 connection, please just ignore it; the R12345 one is the tunnel that I am playing with):

Tunneling config

The result that I try to access the tunnel from the Destination (SSH Server):

The result that I try to access the tunnel from the Destination (SSH Server)

Can anyone help me?

UPDATE 1

In the device that I am running SSH command, I am going out with via a proxy server. Is that affecting the reverse tunnel behavior?

UPDATE 2

I have tried to make the reverse tunnel from the http server directly. However, in the SSH server I can visit the website by http://localhost:12345. Attched setting and result at below.

Same, http server needed to go out via my office's http proxy too!

Create a reverse tunnel from http server

And then I can visit the http server from SSH server via localhost:12345

Improve this question
11
  • @KamilMaciorowski Sorry for undetailed question. I have updated the question with some image.
    – mannok
    Commented Jan 19, 2018 at 7:08
  • 1
    What happens when you browse 192.168.1.132:8081 from the SSH client? (with no SSH involved in this case at all). Do you see proper page?
    – Kamil Maciorowski
    Commented Jan 19, 2018 at 7:21
  • @KamilMaciorowski Sure, normal page, normal performance
    – mannok
    Commented Jan 19, 2018 at 7:34
  • 1
    Please read this. The HTTP server at 192.168.1.132:8081 may ignore requests destined to addresses other than 192.168.1.132. When you connect from the remote side of your SSH connection, the address is localhost:12345 and it doesn't fit. If the tunnel didn't work at all, you would get ERR_CONNECTION_REFUSED, not ERR_EMPTY_RESPONSE. TOOGAM's answer is right: in general you can build tunnels this way.
    – Kamil Maciorowski
    Commented Jan 19, 2018 at 7:44
  • @KamilMaciorowski I see. That means the empty response is generated by the http server right? Because of invalid domain/hostname? But when I type localhost:8081 is the http server, I can access the page. In this case the requesting hosename is localhost too!
    – mannok
    Commented Jan 19, 2018 at 8:01

4 Answers 4

Reset to default
1

Yes!

BUT you need to understand, that this other_host that you will be specifying is at the context of the LAN network of the ssh client. Because the ssh client and the ssh server could be in two different LAN networks.

For example:

ssh -R 1234:192.168.1.69:4321 [email protected]
#                 ^
#                 |_ other_host

Then, you better be sure that 192.168.1.69 is pingable from your end (the ssh client). There could be a machine with similar ip address of 192.168.1.69 within terabithia.com's reach in terabithia's network LAN, but that is not the other_host that is being referred to in the above snippet.

Some subtle things to take note of:

  • Despite you setup a listening tcp port 1234 inside terabithia.com, but this not publicly accessible in terabithia.com. Meaning that, if you check for port opening by nc -w 5 -z terabithia.com 12202 && echo "open" || echo "close" then you will see the close message printed as the port is only accessible inside terabithia.com.
  • The command nc -w 5 -z localhost 1234 always succeeds inside terabithia.com even if there is no listening port in the other_host or even if other_host is non-existent at all. In this cases, the error messages are printed in the ssh client console.
  • As ssh is tcp-based connection-oriented communication protocol therefore, you will need other tools in combination such as nc or socat to forward UDP ports.
  • Two major confusion is the use of -R versus -L. The trick for easy understanding this topic is to think that the ssh client and the ssh server belongs to two different network LANs. The context of other_host is taken from the ssh client's LAN if -R is used. Otherwise if -L, then the context is taken at the ssh server's LAN.
  • Only -L can open a publicly accessible port if you add the address binding field.
Improve this answer
0

Yes, you can do that, but if you don't understand how it works, it is easy to make incorrect assumptions.

If I recall correctly (it's been a several months, so in the interest of getting you an answer quickly, I hope I'm getting this right...)
a tunnel specified as with the "Local" port will cause a piece of software, which I will call a "listener", to listen on the machine running the SSH client. A "Remote" port will cause a piece of software, which I will call a "listener", to listen on the machine running the SSH server.

Understanding Localhost with Tunnels:
Now, here's the really tricky part that can easily through you for a loop. Normally, when you're on one computer, you think that "localhost" refers to that computer. But, um, no. It is best to think of the "destination" field as text. So after the listener receives traffic, the listener will forward that traffic through the local SSH software, which will encrypt the data and push the traffic through the tunnel. The side that is sending the traffic will also provide the "destination" information. Then the remote SSH software will receive that traffic, and look at what the destination says, and then try to send the traffic there.

So, if you type "localhost" on your client, the text "localhost" gets sent through the SSH tunnel, and it is actually the remote end which will resolve "localhost". So, localhost can easily refer to a different machine than the machine you type the name on.

Improve this answer
1
  • 1
    Your general answer is right but the "localhost" explanation is rather opaque, especially in context of the question, because: (1) OP's SSH settings don't involve localhost at all; the only usage is localhost:12345 in the remote side browser, which is right. (2) We're talking about remote forwarding, so the destination (if it was localhost or whatever) is resolved locally anyway. Destination is resolved on the non-listening end of any tunnel. The confusion may appear in case of local forwarding (example) where non-listening end is the remote one.
    – Kamil Maciorowski
    Commented Jan 19, 2018 at 8:04
0

Can I use other host instead of localhost for Destination Field in SSH Reverse Tunnel Port Forwarding?

Yes, you can put any host you want in the destination host field

Command line tunnel definitions

For the purposes of this answer I will use the form X:Y:Z, which is how the command line SSH client describes tunnels, where this tunnel:

  • Source Port
    • 1234
  • Destination
    • localhost:4321

would be described as 1234:localhost:4321

How tunnels work

There are 2 types of tunnels that have a destination set:

Local tunnels

For a tunnel defined as X:Y:Z you can treat the traffic as being sent into the client at port X, and the server connecting to host Y on port Z, and forwarding any traffic through.

Remote tunnels

For a tunnel defined as X:Y:Z you can treat the traffic as being sent into the server at port X, and the client connecting to host Y on port Z, and forwarding any traffic through.

What can you use tunnels for

Local tunnels can be used for:

  • Accessing services that are not accessible over the internet
  • Accessing services that can only be used from a specific IP

Remote tunnels can be used for:

  • Allowing remote systems to access ports on your local machine without exposing them to the internet
  • Exposing other systems on your network over the internet
Improve this answer
0

If you have specified a proxy then in some cases you need to add the local IP address (192.168.1.132 in this example) to the "excluded hosts/IP address" list in the proxy settings panel. Otherwise the reverse ssh connection going through putty will try to connect to the local IP address using the proxy.

Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .