Configuring SSH Tunnels in Oracle Linux

Introduction

This tutorial provides step-by-step procedures for configuring SSH tunnels for network traffic. SSH tunneling, also called SSH port forwarding, encapsulates specific TCP traffic so that it traverses the network inside an SSH connection. This tutorial is targeted at users of Oracle Linux 8 or later.

Objectives

This tutorial teaches you how to configure the following types of SSH tunneling:

  • Dynamic port forwarding
  • Local port forwarding

What Do You Need?

  • A remote SSH system with some configured services, such as web services, VNC services, or Cockpit, to be used by remote clients.
  • A client system with appropriate software installed, such as a desktop viewer to use VNC services.

Configuring SSH Tunneling

Note: When using the free lab environment, see Oracle Linux Lab Basics for connection and other usage instructions.

Configuring SSH dynamic port forwarding

Dynamic port forwarding makes the SSH client act as a SOCKS proxy server, so that connections to any destination host and port can be forwarded through the single SSH connection.

Note: Unless instructed otherwise, you must run all the commands in this section from your SSH client desktop.

  1. If you are currently connected to ol-server in a terminal window, type exit to disconnect from the instance.

    Alternatively, open a new tab for a separate terminal window.

  2. Open an ssh connection to ol-server while using the -D option and specifying a port number to use locally.

    The -D option indicates that the connection uses dynamic port forwarding.

       ssh -D 8080 oracle@<ip_address>

    You can use optional arguments in the command syntax, such as the following:

    • -N prevents the execution of remote commands.
    • -f sends the connection to the background after authentication.
    • sleep <n>, given as the remote command, keeps the tunnel open for n seconds while waiting for a client connection; if no connection arrives in that time, the tunnel closes.
  3. Use the service at http://ifconfig.me to obtain the public IP address of the local host.

       curl -w '\n' ifconfig.me

    Note that the IP address provided for your SSH client desktop does not match the IP address for ol-server.

  4. Run the curl command again, this time with the --socks5 option.

    The option specifies for curl to use a SOCKS proxy on the localhost at port 8080, which you specified when you previously created the ssh connection.

       curl -w '\n' --socks5 localhost:8080 ifconfig.me

    Note that this time, the displayed address is the public IP address of ol-server.

By using the dynamic port forwarding service, you can redirect or forward TCP traffic from one system to another over a secure connection. Because this forwarding behaves like a rudimentary VPN, you can point a local web browser at the SOCKS proxy to browse through the tunnel. Alternatively, set the proxy environment variables as follows and then rerun the curl test.

   export {http,https,ftp}_proxy="socks5://localhost:8080"
   curl -w '\n' ifconfig.me

Other mechanisms can be used to force all TCP traffic through your SSH connection. However, these are beyond the scope of this tutorial. In addition, alternative methods might be preferable to SSH tunnels for this purpose.

Configuring SSH local port forwarding

Local port forwarding over SSH maps a local port on the client system to a remote port on the server system. This configuration enables you to access services on the remote system that are otherwise inaccessible because the services might be running behind a firewall or might not be listening on a public network interface.

Cockpit is a good example of such a service. Typically, if you want to run the Cockpit web console for a system that is connected to the Internet, the service would have to be exposed on a public-facing network, which is not advisable.

For this demonstration, the ol-server is configured for security as follows:

  • The instance is preconfigured to run the Cockpit service.
  • The instance is running a firewall service.
  • The Cockpit port is not open.

Note: Unless instructed otherwise, all the commands must be typed from your SSH client desktop.

  1. If you are currently connected to the ol-server in a terminal window, type exit to disconnect from the instance.

    Alternatively, open a new tab for a separate terminal window.

  2. Verify that the Cockpit service is not reachable directly.

    In a browser, open the Cockpit web console of ol-server by its IP address:

    http://<ip_address>:9090/

    The connection does not succeed, because the firewall on ol-server does not allow port 9090.

  3. On the terminal window, open an SSH connection to ol-server by using local port forwarding.

    The -L option maps a port on the local host to a port on the server. In the following command, localhost is interpreted on ol-server, so port 9090 on your client is forwarded to Cockpit listening on port 9090 on ol-server's own loopback interface.

       ssh -L 9090:localhost:9090 oracle@<ip_address>

    You can use optional arguments in the command syntax, such as the following:

    • -N prevents the execution of remote commands.
    • -f sends the connection to the background after authentication.
    • sleep <n>, given as the remote command, keeps the tunnel open for n seconds while waiting for a client connection; if no connection arrives in that time, the tunnel closes.
  4. Return to your browser and change the URL to access ol-server's Cockpit service as if you were accessing it locally.

    http://localhost:9090/

    This time, the Cockpit login screen appears for the ol-server instance.

  5. Log in by using oracle as the user name and password.

    The ol-server's Overview page is displayed.

By using the Cockpit web console, you can remotely manage the instance even though the service itself is not exposed on any public-facing network.
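As an added example covering both the dynamic and the local forwarding exercises above (this is not code from the Oracle tutorial), the following shell helpers build the two ssh commands from validated port numbers, bind the listening side to 127.0.0.1 only, and let a script confirm that a forwarded port is actually accepting connections before a client is pointed at it. The function names are my own; `<ip_address>`, the oracle user and ports 8080 and 9090 are the lab's placeholder values.

```shell
#!/bin/sh
# Added example (not part of the Oracle tutorial): helpers for the dynamic
# (-D) and local (-L) port forwarding exercises. Hosts, users and ports are
# placeholders for the lab values.

# Accept only a numeric TCP port in 1..65535. Returns 0 if valid, 1 otherwise.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the ssh command for a dynamic (SOCKS5) tunnel.
#   $1 local SOCKS port, $2 user@host, $3 optional timeout in seconds.
# Binding to 127.0.0.1 keeps the proxy unreachable from other hosts on the
# client's network. With no timeout, -N is used and the tunnel stays up until
# the ssh process is killed. With a timeout, 'sleep N' is run as the remote
# command instead of -N: ssh exits once the sleep ends, unless a forwarded
# connection is still open. The two are not combined, because -N suppresses
# the remote command.
dynamic_tunnel_cmd() {
  valid_port "$1" || { echo "invalid port: $1" >&2; return 1; }
  if [ -n "$3" ]; then
    printf 'ssh -f -D 127.0.0.1:%s %s sleep %s\n' "$1" "$2" "$3"
  else
    printf 'ssh -f -N -D 127.0.0.1:%s %s\n' "$1" "$2"
  fi
}

# Print the ssh command for a local forward.
#   $1 local port, $2 user@host, $3 destination host as seen from the server
#   (localhost for a service bound to the server's loopback), $4 destination
#   port, $5 optional timeout in seconds.
local_tunnel_cmd() {
  { valid_port "$1" && valid_port "$4"; } || { echo "invalid port" >&2; return 1; }
  if [ -n "$5" ]; then
    printf 'ssh -f -L 127.0.0.1:%s:%s:%s %s sleep %s\n' "$1" "$3" "$4" "$2" "$5"
  else
    printf 'ssh -f -N -L 127.0.0.1:%s:%s:%s %s\n' "$1" "$3" "$4" "$2"
  fi
}

# Return 0 if something accepts TCP connections on $1:$2. Uses bash's /dev/tcp
# pseudo-device, so no extra tools are needed; a refused connection (or a
# missing bash) yields a nonzero status.
port_listening() {
  bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Poll for up to $3 seconds (default 10) until the tunnel's local port is up.
wait_for_tunnel() {
  i=0
  while [ "$i" -lt "${3:-10}" ]; do
    port_listening "$1" "$2" && return 0
    i=$((i + 1))
    sleep 1
  done
  return 1
}

# Print the curl check from the dynamic forwarding exercise. --socks5-hostname
# (rather than --socks5) also sends DNS resolution through the tunnel, so the
# name lookup for ifconfig.me does not leave the client unproxied.
socks_check_cmd() {
  printf '%s\n' "curl -w '\\n' --socks5-hostname 127.0.0.1:$1 ifconfig.me"
}

# Commands for the two lab exercises, printed rather than executed:
dynamic_tunnel_cmd 8080 'oracle@<ip_address>'
local_tunnel_cmd 9090 'oracle@<ip_address>' localhost 9090 30
socks_check_cmd 8080
```

In a script you would run the printed ssh command with `eval`, call `wait_for_tunnel 127.0.0.1 8080` before starting the client, and kill the ssh process when done. The same resolution caveat applies to the proxy variables shown in the dynamic forwarding section: with curl, a `socks5://` proxy URL resolves host names on the client, while `socks5h://` resolves them on the far end of the tunnel.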

Video Demonstration

The video tutorial Using SSH Tunnels With Oracle Linux 8 gives more examples of configuring different types of SSH tunnels. Note that while the lab exercises demonstrated SSH tunneling by using the Cockpit service, this video uses VNC and web services for its examples. Together they show how, through SSH port forwarding, you can access and make use of a remote system's services.
