In today’s world, when IPv4 addresses are a luxury and IPv6 is not widely deployed (yet), more and more servers are running behind NAT-ed addresses. To do remote management on these servers you connect to them using SSH through some port forwarding done on the border gateway. If you need to monitor these servers there are a few alternatives:
- more ports forwarded from the gateway
- use a vpn to connect to the remote network
- use TCP port forwarding through the SSH connection
This post will show how you can obtain more from the existing SSH connection to the remote system.
SSH’s TCP port forwarding (also known as the poor man’s VPN) offers a cheap and secure alternative to a full VPN. Using it you can access other hosts and services on the remote network which would be unreachable otherwise. SSH supports two types of connection forwarding: a local connection to remote hosts (using the -L parameter) or a remote connection to the local host (using the -R parameter).
The command for local forwarding looks like (you can use more parameters than the one presented below!):
ssh user@remotesystem -L localport:host:hostport
The user@remotesystem part of the command line specifies the user you wish to connect as on the remote system. The -L activates the local forwarding: any connection to localport (on the client system) will be forwarded to host:hostport by the remote system. The host name (if it is a name and not an IP) is resolved by the remote system. It can be either localhost (in which case the connection is forwarded directly to the remote system itself), an IP address (accessible on the remote network) or a FQDN. Thus the connection can be made either directly to the SSH server or to another server on the remote network.
A word of caution, though: if the host is a different machine than the remote system, the connection between these two is NOT secured! Only the first part of the connection, from the local system to the remote system, is secured through SSH. The second part, on the remote network, is unsecured.
As a quick example, let’s say the remote server is running a PostgreSQL database and you need to connect to it to do some maintenance work. Direct access is not possible as the database server is behind a firewall (or NAT) and the connections are blocked. If you have SSH access to the database server the following command will solve your problem:
ssh user@remotesystem -L 5432:localhost:5432 -fN
This will open a connection to remotesystem and forward requests to local port 5432 to port 5432 on remotesystem (where the PostgreSQL database runs). Now you can connect to the database using localhost as hostname (it is as if the database server were running on your local machine). (Please note that the localhost in the ssh arguments refers to the remote server’s “localhost”, not your local 127.0.0.1.)
As a second example, if you don’t have SSH access to the remote database server but you can access an SSH machine on the remote network (and that machine has access to the database server!), you can use:
ssh user@remotesystem -L 5432:remotedatabase:5432 -fN
Instead of using localhost (as in the previous example) we use the database server’s address (remotedatabase, as IP or FQDN). The SSH server will forward any connection from local port 5432 to port 5432 on remotedatabase. To access the database you will still use localhost as hostname (you are connecting to your own host):
psql -h localhost -p 5432 ....
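As an added example (not part of the original post), here is a small POSIX shell helper that wraps the two -L commands above. It pins the listening side to 127.0.0.1 so the forwarded port is never reachable from other machines, uses -N and -f so only the tunnel runs in the background, sets ExitOnForwardFailure so a local port that is already taken is reported instead of silently ignored, and keeps a control socket so the tunnel can be closed cleanly when the work is done. The host names, ports, database name and user in the usage line are placeholders; sslmode=require in the psql connection string is an assumption about your PostgreSQL setup and is there because of the caveat above: the hop from the SSH server to remotedatabase is plain TCP, so letting the database client negotiate TLS keeps that second leg protected too.

```shell
#!/bin/sh
# Added example, not the original post's code. Builds and drives an SSH local
# port forward (-L) the way the post describes, with a few safety settings.

# Print the ssh command line for a local forward. Pure function: no side effects,
# so its output can be inspected (or tested) before anything connects.
#   build_tunnel_cmd <user@sshhost> <localport> <targethost> <targetport> <ctl_socket>
build_tunnel_cmd() {
    user_host=$1 lport=$2 thost=$3 tport=$4 ctl=$5
    # Reject empty, non-numeric or out-of-range ports before they reach ssh.
    [ -n "$lport" ] && [ -n "$tport" ] || return 1
    case "$lport$tport" in *[!0-9]*) return 1 ;; esac
    [ "$lport" -ge 1 ] && [ "$lport" -le 65535 ] || return 1
    [ "$tport" -ge 1 ] && [ "$tport" -le 65535 ] || return 1
    # 127.0.0.1: bind only on loopback (the default unless GatewayPorts is on, but
    # say so explicitly).  -N: no remote shell.  -f: background after auth.
    # ExitOnForwardFailure: fail loudly if the local port cannot be bound.
    # ControlMaster/ControlPath: a socket we can later use to shut the tunnel down.
    printf 'ssh -f -N -o ExitOnForwardFailure=yes -o ControlMaster=yes -o ControlPath=%s -L 127.0.0.1:%s:%s:%s %s\n' \
        "$ctl" "$lport" "$thost" "$tport" "$user_host"
}

# Open the tunnel, run the given command against it, then always close the tunnel.
#   with_tunnel <user@sshhost> <localport> <targethost> <targetport> <command...>
with_tunnel() {
    wt_host=$1 wt_lport=$2 wt_thost=$3 wt_tport=$4
    shift 4
    wt_ctl="${TMPDIR:-/tmp}/sshtunnel-$$"
    wt_cmd=$(build_tunnel_cmd "$wt_host" "$wt_lport" "$wt_thost" "$wt_tport" "$wt_ctl") \
        || { echo "with_tunnel: bad arguments" >&2; return 2; }
    # Word splitting of $wt_cmd is intended: none of the arguments contain spaces.
    $wt_cmd || { echo "with_tunnel: ssh failed to set up the forward" >&2; return 3; }
    "$@"
    wt_rc=$?
    # Tear the background ssh down through its control socket (-O exit).
    ssh -S "$wt_ctl" -O exit "$wt_host" >/dev/null 2>&1
    return $wt_rc
}

# Usage (placeholder names; mirrors the second example in the post):
#   with_tunnel user@remotesystem 5432 remotedatabase 5432 \
#       psql "host=localhost port=5432 sslmode=require dbname=mydb user=dbuser"
```

The connection string form of psql is used so that sslmode can be passed along with host and port; with sslmode=require the database client refuses to talk in clear text even though the SSH server forwards it as plain TCP on the remote network.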
The same approach can be used for monitoring remote servers and services with Nagios: just forward local port 5666 to remote port 5666 and the Nagios server will be able to connect to NRPE on the remote machine and do its job. (Actually it is a little more complicated than a direct port forward, as it involves being able to log in without a password on the remote machine; this is done using public key authentication and will be the subject of a future article.)
Today we’ve learned that we can access remote services and servers without needing a VPN or complicated settings on routers. While the examples provided are simple, you can experiment with various command line arguments to obtain different behaviors (try -N if you need only the port forwarding and not the remote shell). We’ve used the same port number for mapping (5432 to 5432) but you can use a different local port (how about 2345 to 5432?) and it will work the same. There are many more gems in SSH (passwordless logins, port forwarding, secure file transfer, X11 forwarding, remote command execution, remote file mounting) but they will be detailed in future articles. If you have a preference and would like to read about a specific topic please leave a comment and we’ll see to it 🙂