SSH port forwarding – as a secure proxy

I’ve built a local SSH proxy to secure traffic whilst I update this blog, so I thought I would explain the syntax in more detail than in my previous post, SSH Port Forwarding.

The ssh utility in Linux has a feature which allows a local port to be forwarded to a remote host in a number of ways. I use the -L option to forward a local port on a proxy host to a remote server, which saves establishing a separate ssh tunnel from each machine I work from within my network.

The ssh man page explains it like this:

-L [bind_address:]port:host:hostport
    Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side. This works by allocating a socket to listen to port on the local side, optionally bound to the specified bind_address. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the remote machine. Port forwardings can also be specified in the configuration file. IPv6 addresses can be specified with an alternative syntax: [bind_address/]port/host/hostport or by enclosing the address in square brackets. Only the superuser can forward privileged ports. By default, the local port is bound in accordance with the GatewayPorts setting. However, an explicit bind_address may be used to bind the connection to a specific address. The bind_address of “localhost” indicates that the listening port be bound for local use only, while an empty address or ‘*’ indicates that the port should be available from all interfaces.

In its simplest form, as in my previous post, the -L option takes a connection made to a port on the local host running ssh and turns it into a socket connection opened from the remote host. For example:

ssh -L 8888:127.0.0.1:80 [email protected]

As explained previously, this command takes a connection to port 8888 on the localhost address of my machine (127.0.0.1), tunnels the traffic through the ssh connection and presents it from the localhost adapter on the server to the service listening on port 23, usually the telnet daemon. It is worth noting that I could have forwarded port 23 on my local host as well, but as this is a privileged port I would require root access.

This method, combined with autossh (to keep the tunnel alive) and a small caching DNS daemon on my LAN (dnsmasq) that points this blog's hostname at an internal IP address, lets me tunnel all traffic to my web server securely.
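As an added example (not part of the original post), the POSIX shell script below parses a -L forwarding spec in both syntaxes the man page gives, flags the two things the man page warns about (a privileged local port that needs root, and an empty or ‘*’ bind address that exposes the listener on every interface of the proxy host), and prints the ssh command line I would hand to autossh. ExitOnForwardFailure and ServerAliveInterval are standard ssh options; user@proxy.example and the specs in the demo loop are constructed placeholders, not values from the post.

```shell
#!/bin/sh
# Added example, not code from the original post: sanity-check an
# "ssh -L" forwarding spec before starting the tunnel.

# valid_port N -> true if N is an integer in 1..65535
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# forward_fields SPEC -> prints "bind port host hostport".
# Accepts [bind_address:]port:host:hostport and the slash form
# [bind_address/]port/host/hostport (the man page's IPv6 syntax).
# bind is "-" when omitted and "any" when empty or "*" (all interfaces).
# Bracketed IPv6 addresses in the colon form are not handled here.
forward_fields() {
    spec=$1
    case $spec in
        */*) sep='/' ;;
        *)   sep=':' ;;
    esac
    n=$(printf '%s\n' "$spec" | awk -F"$sep" '{ print NF }')
    case $n in
        3) printf '%s\n' "$spec" | awk -F"$sep" '{ print "-", $1, $2, $3 }' ;;
        4) printf '%s\n' "$spec" | awk -F"$sep" \
               '{ b = $1; if (b == "" || b == "*") b = "any"; print b, $2, $3, $4 }' ;;
        *) return 1 ;;
    esac
}

# check_forward SPEC -> prints "ok", "badspec", "badport", or any of:
#   privileged  local port below 1024, only root may bind it
#   exposed     listener reachable from every interface, not just loopback
check_forward() {
    fields=$(forward_fields "$1") || { echo badspec; return 1; }
    # read avoids the globbing that "set -- $fields" would do on "*"
    read -r bind port host hostport <<EOF
$fields
EOF
    if ! valid_port "$port" || ! valid_port "$hostport"; then
        echo badport
        return 1
    fi
    findings=
    if [ "$port" -lt 1024 ]; then
        findings="$findings privileged"
    fi
    case $bind in
        -|localhost|127.0.0.1|::1) ;;        # loopback only (GatewayPorts default)
        *) findings="$findings exposed" ;;
    esac
    if [ -z "$findings" ]; then
        echo ok
    else
        echo "${findings# }"
    fi
}

# tunnel_cmd SPEC USER@HOST -> prints the ssh command line.
# -N opens no remote shell; ExitOnForwardFailure makes ssh exit (so autossh
# restarts it) if the local port cannot be bound instead of running uselessly;
# ServerAliveInterval lets a dead link be noticed without waiting for TCP.
tunnel_cmd() {
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -L %s %s\n' "$1" "$2"
}

# Constructed demo specs; the post's own command used 8888:127.0.0.1:80.
for spec in 8888:127.0.0.1:80 '*:8888:127.0.0.1:80' 23:127.0.0.1:23 localhost/8888/::1/80; do
    printf '%-28s %s\n' "$spec" "$(check_forward "$spec")"
done
tunnel_cmd 8888:127.0.0.1:80 user@proxy.example
```

Running it prints one line per spec: the post's spec is reported ok, the ‘*’ bind is flagged exposed (every machine on the LAN could use the proxy's tunnel), and the port-23 variant is flagged privileged, matching the man page's note that only the superuser can forward privileged ports.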