navs

Reputation: 64

How to create multi-hop SSH tunneling on AWS?

I have a running instance on host2 on port p2. I want to access it through localhost:p2.

I can SSH to host1 with h1.pem, and from host1 I can SSH to host2 with h2.pem.

Upvotes: 0

Views: 665

Answers (1)

Michael - sqlbot

Reputation: 179084

I believe you are describing a situation where you have access from localhost (host h0) to host h1 (IP address a.a.a.a), and host h1 has access to host h2 (IP address b.b.b.b), but h0 does not have connectivity to host h2.

You want to connect from h0 to h2 via h1, and establish a TCP tunnel from a port on h0 to a destination port on h2.

I will teach you how to catch this fish, rather than just catching one for you.

First, assuming for a moment that you did have direct access from h0 to h2, how would you make an SSH connection?

You would connect like this:

ssh -i h2.pem user@b.b.b.b

...and you could establish a tunnel like this...

ssh -i h2.pem user@b.b.b.b -L 31337:127.0.0.1:3306

This would accept connections on h0 port 31337 and connect it to h2's loopback adapter 127.0.0.1 on port 3306.

I believe this is what you want.

But, you don't have direct access to h2, so you need to proxy the SSH connection via h1.

From h0, we can connect to h1 like this:

ssh -i h1.pem user@a.a.a.a

So we take that info, and tell SSH that we want to use it to create a ProxyConnection to h1, where we'll run the nc command, which establishes a remote connection and ties its payload back to stdin and stdout. SSH will pass the hostname and SSH port of h2 to nc running on h1, which will pass back to us on the SSH connection to h1, which we will use to speak SSH to h2. We pass this as ProxyCommand to our ssh attempt from h0 to h2.

'-o ProxyCommand=ssh -i h1.pem user@a.a.a.a nc %h %p'

Putting it all together (line breaks for clarity):

# "user" stands in for the login name on each host; nothing may follow a trailing backslash
ssh '-o ProxyCommand=ssh -i h1.pem user@a.a.a.a nc %h %p' \
    -i h2.pem \
    user@b.b.b.b \
    -L 31337:127.0.0.1:3306

And there you have it.

Under the hood, h0 makes an ssh connection to h1, where it runs nc b.b.b.b 22. SSH on h0 uses these streams to create a second ssh session to h2 via the connection it already has to h1. The tunnel is negotiated directly with h2 over this connection.

Note that in this scenario, both of the keys h1.pem and h2.pem are on your local machine. The h2.pem key does not need to be present on h1 at all.

Note also that this has nothing to do with AWS. It's just standard SSH usage.


You can add the -N option to the end of the command if you just want to allow the tunnels but you don't want or need to start a shell on h2.

Or if you want a spiffy little monitor showing that your tunnel is still up, you can add this to the very end of the complete ssh command shown above. Be sure to include all of the ' exactly as shown.

'perl -MPOSIX -e '\''$|=1; while(sleep(1)){ print "\e[0GConnected " . POSIX::strftime("%Y-%m-%d %H:%M:%S",gmtime)}'\'''

This will show a continuously updating "Connected YYYY-mm-dd HH:MM:SS" message on the console of h0, confirming that your connection is still established end to end.

Upvotes: 2
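The same two-hop tunnel written as an ssh_config fragment, added here as an illustration and not part of the answer above. It uses OpenSSH's ProxyJump directive (OpenSSH 7.3 and later), which does the jump with SSH's own stdio forwarding (ssh -W) instead of nc, so nothing extra has to be installed on h1. The login name `user` and the key paths are placeholders; the addresses a.a.a.a and b.b.b.b and the ports 31337 and 3306 follow the answer.

```sshconfig
# ~/.ssh/config on h0 (added example, not from the answer above).
# "user" and the key paths are placeholders; substitute your own.

Host h1
    HostName a.a.a.a
    User user
    IdentityFile ~/.ssh/h1.pem
    IdentitiesOnly yes          # offer only this key, not every key the agent holds

Host h2
    HostName b.b.b.b
    User user
    IdentityFile ~/.ssh/h2.pem  # lives on h0 only; never copied to h1
    IdentitiesOnly yes
    ProxyJump h1                # same as: ProxyCommand ssh -W %h:%p h1
    LocalForward 31337 127.0.0.1:3306
    ExitOnForwardFailure yes    # fail instead of silently running without the tunnel
    ServerAliveInterval 30      # keep an idle tunnel open through NAT and firewalls

# Usage (from h0):
#   ssh -N h2          # tunnel only, no remote shell
# A client on h0 that connects to 127.0.0.1:31337 now reaches 127.0.0.1:3306 on h2.
# ssh -G h2 prints the resolved configuration without connecting, which is a
# cheap way to check the jump and forward before trying it for real.
```

Two points worth keeping in mind. The SSH session to h2 is end-to-end, so h0 verifies h2's host key itself and h1 only relays ciphertext; that protection is only as good as the known_hosts entries on h0, so record both hosts' keys out of band rather than accepting a first-use prompt, and there is no reason to turn on ForwardAgent for h1, since the keys never need to leave h0. On a client too old for ProxyJump, `ProxyCommand ssh -W %h:%p h1` gives the same jump without depending on nc being present on h1.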
