By default, an SSH tunnel created with -L or -D binds only to the loopback address (127.0.0.1), so only processes on the same host can use it. To make the tunnel reachable from other systems, it has to be bound to an address other hosts can route to: either the host's own address on the external interface, or 0.0.0.0 to listen on all interfaces.
The bind address is given as a prefix to the port when the tunnel is created (for example -D 192.168.111.27:8080). If the host runs a firewall, a rule permitting inbound connections to that port is also required, otherwise the listener exists but no remote host can reach it.
Keep in mind what this exposes: an SSH SOCKS proxy performs no authentication of its own, so any host allowed through the firewall can relay arbitrary TCP connections through the SSH server. Bind to a specific address rather than 0.0.0.0 where possible, and restrict the firewall rule to the source networks that actually need the proxy.
Steps to enable public access to SSH tunnel:
- Identify the address of the interface that other hosts will reach the tunnel host on. In the output below the host is 192.168.111.27 on ens33.
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:08:63:73 brd ff:ff:ff:ff:ff:ff
    altname enp2s1
    inet 192.168.111.27/24 brd 192.168.111.255 scope global dynamic noprefixroute ens33
       valid_lft 66553sec preferred_lft 66553sec
    inet6 fe80::fc5d:1d5c:ae0e:68f1/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
- Create the tunnel with the external address as the bind prefix of -D (the same syntax works for -L). -f backgrounds ssh after authentication and -N tells it not to run a remote command, so the session exists only to carry the tunnel. Here the SOCKS proxy is bound to 192.168.111.27:8080 and the SSH server is 192.168.111.29.
$ ssh -fN -D 192.168.111.27:8080 192.168.111.29
user@192.168.111.29's password:
- Verify that the tunnel is active and that the listening socket is bound to the intended address. A local address of 127.0.0.1:8080 means the bind prefix was not applied, while 0.0.0.0:8080 means it is listening on every interface.
$ ss -natp | grep 8080
LISTEN 0      128    192.168.111.27:8080    0.0.0.0:*    users:(("ssh",pid=2966,fd=4))
- If a host firewall is enabled, allow incoming connections to the tunnel port. The rules below open the port to any source; ufw allow 8080 with no protocol also opens UDP. For a SOCKS proxy it is safer to limit the rule to TCP and to the source networks that need access (for example ufw allow from 192.168.111.0/24 to any port 8080 proto tcp).
$ sudo ufw allow 8080    # Ubuntu and Debian variants
$ sudo firewall-cmd --zone=public --permanent --add-port=8080/tcp && sudo firewall-cmd --reload    # CentOS and Red Hat variants
- From a different host, send a request through the proxy to confirm connectivity. Because the SOCKS traffic exits from the SSH server, the address returned is the public address of the server's side, not the client's.
$ curl --proxy socks5://192.168.111.27:8080 https://ifconfig.me
115.131.92.137
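The steps above as one script. This is an added example, not code from the original article: it builds the ssh command with the bind address and ExitOnForwardFailure=yes (so a failed bind does not leave a backgrounded ssh with no tunnel), classifies where the tunnel port is actually bound from ss output, and prints firewall rules limited to TCP and a source network. The addresses, port and the ALLOW_FROM network are assumptions taken from or added to the article; the SAMPLE_SS text is a constructed ss -ltn listing used so the checks run without a live tunnel. Run it with --live on the tunnel host to check the real socket table.

```shell
#!/bin/sh
# Added example: verify an SSH SOCKS proxy is bound where we intended
# and emit a source-restricted firewall rule for it.

BIND_ADDR="${BIND_ADDR:-192.168.111.27}"    # external address from `ip a` (assumption from the article)
PORT="${PORT:-8080}"                        # SOCKS port used in the article
JUMP="${JUMP:-user@192.168.111.29}"         # SSH server carrying the tunnel
ALLOW_FROM="${ALLOW_FROM:-192.168.111.0/24}" # assumed client network allowed to use the proxy

# The ssh invocation for a SOCKS proxy bound to BIND:PORT.
# ExitOnForwardFailure makes ssh exit instead of backgrounding when the bind fails.
socks_cmd() {
    printf 'ssh -fN -o ExitOnForwardFailure=yes -D %s:%s %s\n' "$1" "$2" "$3"
}

# Classify the LISTEN socket for $1 (port) in $3 (`ss -ltn`-style output):
#   ok       bound to the expected address $2
#   loopback bound to 127.0.0.1 / [::1] (unreachable from other hosts)
#   wildcard bound to 0.0.0.0 / * / [::] (every interface, wider than intended)
#   other    bound to some other address
#   missing  no listener on that port
listener_state() {
    port="$1"; want="$2"; ss_out="$3"
    addr=$(printf '%s\n' "$ss_out" | awk -v p=":$port" \
        '$1 == "LISTEN" && substr($4, length($4) - length(p) + 1) == p { print $4; exit }')
    case "$addr" in
        "") echo missing ;;
        *)
            host="${addr%:*}"
            case "$host" in
                0.0.0.0|'*'|'[::]') echo wildcard ;;
                127.0.0.1|'[::1]')  echo loopback ;;
                "$want")            echo ok ;;
                *)                  echo other ;;
            esac ;;
    esac
}

# Firewall rules that admit only TCP to $1 (port) from $2 (CIDR): ufw and firewalld forms.
firewall_cmds() {
    printf 'sudo ufw allow from %s to any port %s proto tcp\n' "$2" "$1"
    printf "sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family=\"ipv4\" source address=\"%s\" port port=\"%s\" protocol=\"tcp\" accept' && sudo firewall-cmd --reload\n" "$2" "$1"
}

# Constructed sample of `ss -ltn` output (not captured from a real host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port    Peer Address:Port
LISTEN 0      128    192.168.111.27:8080   0.0.0.0:*
LISTEN 0      128         127.0.0.1:631    0.0.0.0:*
LISTEN 0      4096             [::]:22        [::]:*'

# Live mode: inspect the real socket table on the tunnel host.
if [ "${1:-}" = "--live" ]; then
    echo "start with: $(socks_cmd "$BIND_ADDR" "$PORT" "$JUMP")"
    echo "listener:   $(listener_state "$PORT" "$BIND_ADDR" "$(ss -ltn)")"
    firewall_cmds "$PORT" "$ALLOW_FROM"
fi
```

Against the constructed listing, listener_state reports ok for port 8080, loopback for 631 and wildcard for 22; on a real host, anything other than ok for the tunnel port means the -D bind prefix did not take effect or is wider than intended, and the firewall rule should not be opened until it does.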
Mohd Shakir Zakaria is an experienced cloud architect with a strong development and open-source advocacy background. He boasts multiple certifications in AWS, Red Hat, VMware, ITIL, and Linux, underscoring his expertise in cloud architecture and system administration.