Access Any Remote Server Port Without Modifying Firewall Settings

July 15, 2008 · 8 comments · LAST UPDATED July 15, 2008


Q. I have a couple of remote servers and I'd like to access a few admin-only applications running on ports 10000 and 3001. My firewall only allows ports 80, 443, 25, 22 and 110 for public access. Do I need to open ports 10000 and 3001 for everyone using the firewall? How do I access my admin-only apps without opening ports 10000 and 3001?

A. SSH has a feature called port forwarding (also known as tunneling). It forwards a network port from one network node to another. The forwarded traffic travels inside the SSH connection itself (port 22), which the firewall already allows, so no additional ports need to be opened. This technique can allow an external user to reach a port on a private IP address (inside a LAN) from the outside via a NAT-enabled router.

The following example tunnels port 3001 from the client machine 127.0.0.1 (localhost) to the remote server called "server.nixcraft.in":
$ ssh -N -f -L {local-port}:localhost:{remote-server-port} user@remote.server.com
$ ssh -N -f -L 3001:localhost:3001 user@server.nixcraft.in

The connection is forwarded to port 3001 on the remote server. If the application on port 3001 is web-based, open a web browser and type the URL http://localhost:3001/

To forward port 10000 instead, enter:
$ ssh -N -f -L 10000:localhost:10000 vivek@server.nixcraft.com

Where,

  • -f : Requests ssh to go to background just before command execution
  • -L : Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side.
  • -N : Do not execute a remote command. This is useful for just forwarding ports
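By default the -L listener is bound to the client's loopback address; it becomes reachable from other hosts only if ssh is run with -g, GatewayPorts is enabled in the client configuration, or a non-loopback bind address is given. The following check is an added example, not part of the original article: the function name `exposed_listeners` and the sample `ss -ltn` output are constructed for illustration.

```shell
#!/bin/bash
# Added example: flag forwarded ports that listen on more than loopback.

# exposed_listeners PORT... reads `ss -ltn` output on stdin and prints
# "ADDRESS PORT" for each listed port bound to a non-loopback address.
exposed_listeners() {
    awk -v ports="$*" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            local_field = $4                    # e.g. 127.0.0.1:3001 or [::]:3001
            port = local_field; sub(/.*:/, "", port)
            addr = substr(local_field, 1, length(local_field) - length(port) - 1)
            if (!(port in want)) next           # not one of the forwarded ports
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only: fine
            print addr, port
        }'
}

# Constructed sample of `ss -ltn` output (not captured from a real host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128        127.0.0.1:3001      0.0.0.0:*
LISTEN 0      128            [::1]:3001         [::]:*
LISTEN 0      128          0.0.0.0:10000     0.0.0.0:*
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*'

# check_sample: run the audit over the constructed sample above.
check_sample() {
    printf '%s\n' "$SAMPLE_SS" | exposed_listeners 3001 10000
}
```

On a real client, run `ss -ltn | exposed_listeners 3001 10000`; no output means both forwards are reachable from the client machine only.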

You can also create a script as follows (open.3001):
$ vi ~/open.3001
Append the following code:

#!/bin/bash
# Forward the port named in the script's own file name (open.3001, open.10000, open.3000).
ME="$(basename "$0")"
SSHUSER=vivek
SERVER=remote.example.com
case "$ME" in
  open.3001)  ssh -N -f -L 3001:localhost:3001 "${SSHUSER}@${SERVER}" ;;
  open.10000) ssh -N -f -L 10000:localhost:10000 "${SSHUSER}@${SERVER}" ;;
  open.3000)  ssh -N -f -L 3000:localhost:3000 "${SSHUSER}@${SERVER}" ;;
esac

Set permissions, enter:
$ chmod +x ~/open.3001
Create soft links, enter:
$ ln -s ~/open.3001 ~/open.10000
$ ln -s ~/open.3001 ~/open.3000

Now you can simply type the following to forward port 10000:
$ ~/open.10000
OR
$ ~/open.3000
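A stricter variant of the script above, as an added example that is not nixCraft's own code: it takes the port from the invoked name, validates it before it reaches the ssh command line, binds the listener to 127.0.0.1 explicitly, and makes ssh fail when the forward cannot be set up. The function names `forward_spec` and `open_tunnel` are hypothetical; SSHUSER and SERVER are the placeholder values from the script above.

```shell
#!/bin/bash
# Added example: stricter variant of the open.PORT script (not nixCraft's code).
SSHUSER=vivek                  # same placeholder values as the script above
SERVER=remote.example.com

# forward_spec NAME: for a name of the form open.PORT, print the -L argument
# "127.0.0.1:PORT:localhost:PORT"; return 1 for any other name or bad port.
forward_spec() {
    local name port
    name="${1##*/}"                           # strip any directory part
    port="${name#open.}"
    [ "$port" != "$name" ] || return 1        # name did not start with "open."
    case "$port" in
        ''|*[!0-9]*|0*) return 1 ;;           # empty, non-digit, or leading zero
    esac
    [ "${#port}" -le 5 ] && [ "$port" -le 65535 ] || return 1
    # The explicit 127.0.0.1 keeps the listener on the client's loopback
    # interface whatever GatewayPorts is set to in the client configuration.
    printf '127.0.0.1:%s:localhost:%s\n' "$port" "$port"
}

# open_tunnel NAME: start the tunnel for open.PORT in the background.
open_tunnel() {
    local spec
    spec="$(forward_spec "$1")" || { echo "usage: run as open.PORT" >&2; return 2; }
    # ExitOnForwardFailure makes ssh exit non-zero when the local port is
    # already in use instead of leaving a session that forwards nothing.
    ssh -N -f -o ExitOnForwardFailure=yes -L "$spec" "${SSHUSER}@${SERVER}"
}

# Act only when invoked as open.PORT (for example through the soft links).
case "${0##*/}" in
    open.*) open_tunnel "$0" ;;
esac
```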


{ 8 comments… read them below or add one }

1 Liju Mathew July 15, 2008 at 3:11 pm

Hi,
Greetings.
You are using ssh tunneling for the purpose and it is very secure. It is quite slow if you are using any web application running through an ssh tunnel.

If you have an Apache web server which is open to the outside, you can use the proxy pass module to access your admin control panel, which can be accessed locally from your network. Also, we are able to put IP restrictions on its access in Apache. All those control panels should be protected by https. A sample entry is listed below:

ServerName adminaccess.mydomain.com

 AuthType Basic
 AuthName "Admin Accesss details pls ..... "
 AuthUserFile /var/project/passwd
 Require valid-user
 Deny from all
 Allow from 123.123.123.2
ProxyPass / http://prod.secured.local:10000/
ProxyPassReverse / http://prod.secured.local:10000/
ProxyPreserveHost on


2 nixCraft July 15, 2008 at 6:23 pm

Liju,

Thanks for sharing Apache solution.


3 yahoon July 16, 2008 at 4:29 am

I don’t think this chapter answers the question.

The original question is this:
we want to access port 3001 on the server, but the firewall doesn’t open it.

According to this article, we can only access localhost:3001 forwarded to server:80, but not server:3001, which is what we need.

In fact, we can’t access ports that are not opened on the firewall. If the firewall does not open 3001, we can’t access the server’s 3001 using this method.


4 nixCraft July 17, 2008 at 9:59 am

yahoon,

Why not? I don’t see any problem. I use this technique all the time.


5 yahoon July 18, 2008 at 3:00 am

You can access a port that is not opened on the firewall??


6 nixCraft July 18, 2008 at 6:30 am

Yes,

By setting up a tunnel via ssh you can access any service or port.


7 christian August 18, 2008 at 9:15 pm

Let me try to clarify:

You would set your ssh server to listen on a port you can open on your firewall (say, the standard ssh port 22). Open that port on your firewall and direct its traffic to your ssh server. Then the ssh (remote) client would connect to the ssh server on port 22, forwarding an available local port to app-servername:3001. Depending on how the app you’re using works, the local port might need to be 3001 (though even if that’s not the case it might be a good idea to use that local port to make things clearer).

Example of what your ssh client command would look like:

ssh -L 3001:app_server_name:3001 username@sshserver.domain.com

That is:

ssh -L local_port:app_server_name:app_port username@ssh_server_hostname_or_ip_address

Good luck,
Christian


8 Justin P mathew September 24, 2012 at 12:20 pm

I have installed Jira, but port 8080 is not opened by the external firewall. Only a few ports like ssh and http are open. I can access Jira with localhost:8080.
How do I enable Jira access from outside with my static IP address of that server?

Pls help.
