Eventually you'll have to access a server or service that resides on a out-of-reach network, but you'll have a intermediate server that has access to that network (e.g: a jump box).
Your client machine (client.local) → Tunnel to Intermediate SSH server (jumpbox.intermediate) → Tunnel to final destination (finalsrv.protected)
Follow these steps to accomplish this:
1) Connect via SSH to your 1st hop (in our case jumpbox.intermediate), but before you do, set up the local tunnel:
- open putty
- Expand Connection → SSH and click in Tunnels
- Enter Source port: The port you'll use on your browser or appplication. E.g: 10000
- Enter Destination: localhost and the port you'll create the second tunnel, in our case 9998.
- Click back to session and enter the IP/Name of the server you'll connect, in our case jumpbox.intermediate and click in OPEN.
2) When connected, you'll need to create the second tunnel (jumpbox → finalsrv). run:
ssh -f geraldo@finalsrv.protected -L 9998:localhost:1234 -N
In this example, the final port the application we're trying to access is 1234.
If you get this error:
bind: Address already in use
channel_setup_fwd_listener_tcpip: cannot listen to port: 9998
Could not request local forwarding.
Here are some troubleshooting steps:
The fisrt command will figure out which PID is ocupping that port and then you can take action, if needed.
[user@localhost ~]$ lsof -ti:9998 5176 [user@localhost ~]$ ps -aux | grep 5176 5176 ? Ss 0:00 ssh -f user@finalsrv.protected -L 9998:localhost:1234 -N [user@localhost ~]$ kill -9 5176
If you get no error message just interact with the service throught the address localhost:10000.
You can have as many hops as you need, as long as those ports are allowed you can keep forwarding your way though.
You also don't need to have diferent port numbers for each hop. Let's say you need port 8080 and this port is allowed from your client PC to intermediate and from intermediate to final, you can use 8080 in all steps and interact with the service using localhost:8080.