I have two ssh connections (connected via ssh to two separate servers) bound with option -D to ports 1080 and 1081 on localhost. Now I want to make a chain so that the traffic first routes to port 1080, then to 1081, and then opens on a new port to access the chain! What command must I use?
- Can you edit the question to clarify what "make a chain" means? The question mentions localhost which implies only a single host is involved. Other questions which mention a "chain", such as Port forwarding between 3 machines, involve multiple hosts. – Chester Gillon, 2025-09-12 15:46:30 +00:00
1 Answer
> so that the traffic first routes to port 1080 than to 1081
Doesn't make sense. That port 1081 is on your local system. But the whole point of sending traffic to port 1080 is to forward it to a remote system (server A) instead of handling it locally. And there's no port 1081 on server A.
The way you describe – with both ports on the local system – it would have to be routed back from server A to your local system before it could go through port 1081... and that would be no different from just routing through port 1081 in the first place, since you're making the SSH connection directly to server B anyway, and server A doesn't contribute anything.
Instead, if you really want to form a chain, then the connection to server B needs to be initiated from server A, with the second -D port listening on server A's "localhost", not your local machine's.
There are two different ways to achieve it:
The first method still runs both ssh clients locally, but proxies the whole SSH connection to server B through server A. This is convenient if your version of OpenSSH has the -J option, but the longer you make the chain, the more nested tunnel overhead it creates.
There's only one step:
ssh -J server_a -D 1080 server_b
If you want to go through three systems, it's still one step, just repeat the -J some_server as needed:
ssh -J server_a -J server_b -D 1080 server_c
The equivalent parameter for ~/.ssh/config is ProxyJump.
Without the -J option, the same method would involve either using -o ProxyCommand= or maybe manually setting up -L chains: first to server A using -L 1022:serverB:22, then to localhost:1022 using -D 1080.
Variant B of the first method:
- On the local system,
ssh -o ProxyCommand="ssh -W %h:%p server_A" -D 1080 server_B
To extend this to 3 or more servers, it would be easiest to define the ProxyCommand through ~/.ssh/config as the full command would get messy.
Variant C of the first method:
- On the local system,
ssh -L 5022:server_B:22 server_A
- On the local system,
ssh -p 5022 -D 1080 localhost
To extend this to 3 or more servers, repeat a similar -L instead of the -D. That is, the connection to server A creates a -L listener towards server B; the connection to server B (at localhost) creates another -L listener towards server C; and finally the connection to server C creates a -D listener.
The second method doesn't cause as much overhead (since it chains tunnels rather than nesting them), but it requires planning backwards: first the connection from server A to server B (which creates a -D 1080 SOCKS listener on server A), then the connection from local system to server A (which doesn't create a new SOCKS listener, instead it uses -L to forward a local port 'raw' to the remote SOCKS port).
- From local machine, ssh -L 1080:localhost:5080 to server A.
- From server A, ssh -D 5080 to server B.
To extend this to 3 or more servers, basically repeat the same ssh -L ... every time (just chaining the ports from A to B, from B to C).
- From local machine, ssh -L 1080:localhost:5080 to server A.
- From server A, ssh -L 5080:localhost:5080 to server B.
- From server B, ssh -D 5080 to server C.
- Thank you very much! I use the -J option! – JörgBanda, 2025-09-12 16:47:19 +00:00
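The answer's second method, generalised to any number of hops, as an added example that is not part of the original answer: a POSIX shell function (chain_plan, a hypothetical name) that prints which ssh command to run on which machine. Host names and ports are placeholders, and the host-name check is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the answer. chain_plan is a hypothetical helper;
# host names and ports are placeholders.
# usage: chain_plan LOCAL_PORT RELAY_PORT HOP1 [HOP2 ...]
chain_plan() {
    if [ "$#" -lt 3 ]; then
        echo "usage: chain_plan LOCAL_PORT RELAY_PORT HOP..." >&2
        return 2
    fi
    local_port=$1
    relay_port=$2
    shift 2
    for port in "$local_port" "$relay_port"; do
        case $port in
            ''|*[!0-9]*) echo "bad port: $port" >&2; return 2 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "bad port: $port" >&2
            return 2
        fi
    done
    for hop in "$@"; do
        # A name starting with '-' would be read by ssh as an option.
        case $hop in
            ''|-*|*[!A-Za-z0-9._@-]*) echo "bad host: $hop" >&2; return 2 ;;
        esac
    done
    where="local machine"
    listen=$local_port
    while [ "$#" -gt 1 ]; do
        # Every hop but the last only relays raw TCP to the next hop's port.
        printf 'on %s: ssh -L %s:localhost:%s %s\n' \
            "$where" "$listen" "$relay_port" "$1"
        where=$1
        listen=$relay_port
        shift
    done
    # The last connection is the only one that creates a SOCKS listener.
    printf 'on %s: ssh -D %s %s\n' "$where" "$listen" "$1"
}

# Three-server chain from the answer: SOCKS clients use localhost:1080.
chain_plan 1080 5080 server_a server_b server_c
```
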