Since I have to get out to Hankø as soon as possible after work today to help the re-bolting guys, I decided to work from home to save some time (the train ride to work takes an hour). When I sat down to give some of our consultants a few more tickets in our Trac, I remembered that I could no longer reach our internal development machine through the firewall at work because of some ongoing network changes. The firewall at work has a port that is forwarded to port 22 on our development machine so we can reach the machine more easily, but that is no longer an option now that access to the firewall is restricted.
I tried to reach it through some of the firewalls at our server parks and found one that worked. Now, how can I browse the internal dev machine at work (port 80) from home, via a firewall at an external server park and a port on the firewall at work that only forwards to port 22 on the development machine?
Enter ssh tunneling!
I will use the following host names on the machines I need to talk to:
Development machine at work: dev
Firewall at work: fw-work (assume port 44444 forwards to dev:22)
Firewall at server park: fw-park
Now, what I want is to browse dev in my browser. First I edit my /etc/hosts file so that dev points to 127.0.0.1. Next I shut down the local apache process, since I want to forward all traffic to port 80 on localhost through an ssh tunnel. Once that is taken care of I create a tunnel to fw-park using an arbitrary local port:
ssh -L 2222:fw-work:44444 myusernameatwork@fw-park
Ok, so now I have a port on my machine at home (2222) that goes, via fw-park, to port 44444 on the firewall at work (which is forwarded to dev:22). Once I'm connected to fw-park I can test the tunnel with:
ssh -p 2222 myusernameatwork@localhost
I enter my password and voilà, I'm logged on to dev! So the last step is to send all traffic to port 80 on localhost through that port so it ends up on port 80 on dev. To do that I issue the following command:
sudo ssh -p 2222 -L 80:dev:80 myusernameatwork@localhost
I need to be root to forward a port below 1024, so I prefix the command with sudo. When I'm logged in I point my browser at http://dev/ and suddenly I can browse the dev machine! Thanks to Mats for helping me out with this one!
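As an added example (not part of the original post), here is a small script that brings up the same two-hop tunnel without running ssh as root: it forwards an unprivileged local port (8080 instead of 80) to dev:80, binds both forwarded ports to 127.0.0.1 only, treats a failed port bind as an error, and waits for each hop to actually listen before starting the next. The host names (fw-park, fw-work, dev), the login name and the port numbers are assumptions copied from the post and can be overridden through the environment; with no argument the script only defines its functions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): bring up the two-hop tunnel
# described above without running ssh as root. Host names, user name and
# ports are assumptions taken from the post; override them via environment.
set -u

WORK_USER="${WORK_USER:-myusernameatwork}"   # login used on fw-park and dev
FW_PARK="${FW_PARK:-fw-park}"                 # reachable firewall at the server park
FW_WORK="${FW_WORK:-fw-work}"                 # firewall at work, as seen from fw-park
FW_WORK_PORT="${FW_WORK_PORT:-44444}"         # forwarded by fw-work to dev:22
DEV_HOST="${DEV_HOST:-dev}"                   # dev's own name, resolved by dev's sshd
HOP1_PORT="${HOP1_PORT:-2222}"                # local port that ends up on dev:22
HTTP_PORT="${HTTP_PORT:-8080}"                # local port that ends up on dev:80

# Ports below 1024 can only be bound by root; this is why the post needed sudo
# for -L 80:dev:80. Returns 0 (true) when the port is privileged.
needs_root() { [ "$1" -lt 1024 ]; }

# Print the ssh command for one hop:
#   hop_cmd LOCAL_PORT DEST_HOST DEST_PORT SSH_PORT USER SSH_HOST
# -N: no remote shell, -f: go to background once authenticated,
# ExitOnForwardFailure: a port that cannot be bound is an error, not a warning,
# 127.0.0.1 bind address: the forwarded port is never exposed to the LAN.
hop_cmd() {
  printf 'ssh -f -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:%s -p %s %s@%s' \
    "$1" "$2" "$3" "$4" "$5" "$6"
}

# Poll until HOST:PORT accepts a TCP connection (bash /dev/tcp), up to TRIES times.
wait_for_port() {
  host=$1; port=$2; tries=${3:-10}
  while :; do
    if (exec 3<>"/dev/tcp/$host/$port") 2>/dev/null; then return 0; fi
    tries=$((tries - 1))
    [ "$tries" -gt 0 ] || return 1
    sleep 1
  done
}

tunnel_up() {
  # Hop 1: home -> fw-park; local 2222 becomes fw-work:44444, i.e. dev's sshd.
  eval "$(hop_cmd "$HOP1_PORT" "$FW_WORK" "$FW_WORK_PORT" 22 "$WORK_USER" "$FW_PARK")" || return 1
  wait_for_port 127.0.0.1 "$HOP1_PORT" 10 || { echo "hop 1 is not listening" >&2; return 1; }
  # Hop 2: ssh into dev through local 2222; local 8080 becomes dev:80.
  # The host key offered here is dev's; ssh stores it under [localhost]:2222.
  eval "$(hop_cmd "$HTTP_PORT" "$DEV_HOST" 80 "$HOP1_PORT" "$WORK_USER" localhost)" || return 1
  wait_for_port 127.0.0.1 "$HTTP_PORT" 10 || { echo "hop 2 is not listening" >&2; return 1; }
  echo "dev is reachable at http://127.0.0.1:$HTTP_PORT/"
}

tunnel_down() {
  # The backgrounded (-f) ssh processes are matched by their unique -L argument.
  pkill -f "L 127.0.0.1:$HTTP_PORT:"; pkill -f "L 127.0.0.1:$HOP1_PORT:"
}

case "${1:-}" in
  up)   tunnel_up ;;
  down) tunnel_down ;;
esac
```

Run it as `./tunnel.sh up` and browse http://127.0.0.1:8080/; `./tunnel.sh down` tears both hops down. Using 8080 avoids three things the post had to do: stopping the local apache, editing /etc/hosts, and running ssh under sudo (which would also make ssh use root's known_hosts and keys rather than your own). One check worth making on the first run: the host key ssh asks you to accept for localhost:2222 is whatever sits behind fw-work:44444, so compare its fingerprint with dev's before saying yes. On an OpenSSH that supports ProxyJump, the two hops collapse into a single command with the same effect: `ssh -J myusernameatwork@fw-park -p 44444 -L 8080:localhost:80 myusernameatwork@fw-work`.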