Thursday, February 10, 2011

Howto use SSH local and remote port forwarding

SkyHi @ Thursday, February 10, 2011
Port forwarding, or tunneling, is a way to forward otherwise insecure TCP traffic through SSH Secure Shell. You can secure for example POP3, SMTP and HTTP connections that would otherwise be insecure.

There are two kinds of port forwarding: local and remote forwarding. They are also called outgoing and incoming tunnels, respectively.
Local port forwarding forwards traffic coming to a local port to a specified remote port. For example, all traffic coming to port 1234 on the client could be forwarded to port 23 on the server (host).
Note: The value of localhost is resolved after the Secure Shell connection has been established – so when defining local forwarding (outgoing tunnels), localhost refers to the server (remote host computer) you have connected to.
Remote port forwarding does the opposite: it forwards traffic coming to a remote port to a specified local port. For example, all traffic coming to port 1234 on the server (host) could be forwarded to port 23 on the client (localhost).
Local port forwarding
Accessing a service (in this example SSH port tcp/22, but it could be anything like a web server on tcp/80) on a machine at work ( from your machine at home (, simply by connecting to the server at work :
$ ssh -L 10000:
We see the service is available on the loopback interface only, listening on port tcp/10000:
$ netstat -tunelp | grep 10000
tcp 0 0* LISTEN 1000 71679 12468/ssh
From your home machine, you should be able to connect to the machine at work:
$ ssh root@localhost -p 10000
Local port forward for anyone at home!
If you want other people on your home subnet to be able to reach the machine at work by SSH, add the option -g:
$ ssh -L 10000: -g
We now see the service is available on all interfaces on your home computer, available for anyone to connect to on the local subnet:
$ netstat -tunelp | grep 10000

tcp 0 0* LISTEN 1000 72265 12543/ssh
Anyone on your local subnet should be able to connect to the machine at work by doing this:
$ ssh root@ -p 10000
Remote port forwarding
Giving access to a service (SSH port tcp/22) on your home machine ( to people at work
$ ssh -R 10000:
We see on our server at work (on the loopback interface on port tcp/10000) that we have access to our SSH server at home:
$ netstat -tunelp | grep 10000

tcp 0 0* LISTEN 0 73719534 3809/1
People logged in on the machine now should be able to SSH into your home machine by doing:
$ ssh user@localhost -p 10000
Remote port forwarding for anyone at work!
If you want everybody on the subnet at work to be able to SSH into your home machine: there is no -g option for remote forwards, so you need to change the SSH configuration of the server at work, adding to sshd_config:
GatewayPorts yes
Connect just as before :
home$ ssh -R 10000:
Now it's listening on all interfaces on the server at work:
$ netstat -tunelp | grep 10000

tcp 0 0* LISTEN 0 73721060 4426/1
Anyone at work can now connect to your home machine by SSH via the server:
$ ssh -p 10000
- You need to log in as root if you want forwarded services to listen on a port < 1024.
- Don't forget to open the necessary ports on any firewall, at home or at work.
- Unfortunately you can only forward services running on TCP, but there's a way to forward UDP through SSH using netcat.
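Both -g and GatewayPorts turn a tunnel that only you could reach into one the whole subnet can reach, so it is worth checking afterwards what is actually exposed. The script below is an added example, not part of the original post: it reads netstat -tunelp style lines, classifies each LISTEN socket by bind scope, and prints every ssh/sshd-owned listener that is reachable beyond loopback. The netstat lines, PIDs and inode numbers are constructed sample input; on a real host pipe the output of netstat -tunelp into exposed_ssh_listeners instead.

```shell
#!/bin/sh
# Added example, not from the original post: after using "ssh -g" or enabling
# GatewayPorts, list the ssh/sshd-owned listeners that are reachable from
# beyond the loopback interface. Input is "netstat -tunelp" style output.

# Constructed sample of netstat -tunelp output (addresses, PIDs and inode
# numbers are made up for this example).
SAMPLE_NETSTAT='tcp        0      0 127.0.0.1:10000         0.0.0.0:*               LISTEN      1000       71679      12468/ssh
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN      1000       72265      12543/ssh
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          11223      812/sshd
tcp6       0      0 :::2210                 :::*                    LISTEN      0          73721060   4426/sshd'

# scope_of ADDRESS -> prints "loopback", "all" (wildcard) or "specific"
scope_of() {
    case "$1" in
        127.*|::1)         echo loopback ;;
        0.0.0.0|::|'*')    echo all ;;
        *)                 echo specific ;;
    esac
}

# exposed_ssh_listeners: reads netstat lines on stdin and prints
# "PORT SCOPE PID/PROGRAM" for each LISTEN socket owned by ssh or sshd
# whose bind address is not loopback-only.
exposed_ssh_listeners() {
    awk '$6 == "LISTEN" && $NF ~ /\/sshd?$/ {
            n = split($4, parts, ":")
            port = parts[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            print addr, port, $NF
        }' |
    while read -r addr port prog; do
        scope=$(scope_of "$addr")
        [ "$scope" = loopback ] && continue
        echo "$port $scope $prog"
    done
}

# Stand-alone run: audit the constructed sample.
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_ssh_listeners
```

On the sample the loopback-only forward from the first netstat listing is silent, while the -g forward, sshd itself and the GatewayPorts-exposed remote forward are all reported; anything printed here is reachable by whoever can reach that interface, which is the moment to decide whether a firewall rule or a narrower bind address is needed.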


Reverse ssh port forwarding

SkyHi @ Thursday, February 10, 2011
Bypassing a corporate firewall with reverse ssh port forwarding
Probably lots of you are behind some sort of very restrictive corporate firewall, unable to access your office PC from home because of firewall policies. In normal cases this scenario is more than welcome: no outsiders should be allowed to access the internal parts of a secure network! Ideally companies set up secure VPN access, allowing employees to reach their work computers and do some work remotely. What if you aren't one of the lucky ones with such an option, and you desperately need to access your office PC?

The problem


As shown on the picture above, we have our office PC behind a very restrictive corporate firewall connected to the Internet. The firewall will not allow any traffic originating from the Internet into the internal network, except replies to previously initiated traffic. That means you can contact remote hosts on the Internet from your office PC and they can respond, but remote computers can't initiate a connection to your office PC. This is of course a huge problem if you have to access your work materials on the office PC from home. Additionally, the corporate firewall will only allow certain traffic from your office PC to remote hosts, meaning you can only establish FTP, SSH, HTTP, POP3… communications; all other ports are blocked.
So how can you access your office PC? One way is to set up corporate VPN access allowing secure connections to the internal network. Another is to set up port forwarding on the corporate firewall so it redirects certain ports to your office PC. But if you don't have the means to accomplish either of these, the only way to do it is to use ssh tunnels and reverse port forwarding.

The solution

So if we can only contact remote hosts on certain ports, the solution is to contact a remote host via an allowed port and piggyback the connection on the already established link.
Something like what is shown on the picture above. Fortunately we can do this with ssh; all we need to do is meet some requirements.

Real life example

I will assume that the home PC is connected via a dynamically assigned IP address. First you will need to make sure you have an ssh server installed on your home PC and that it is accessible from the Internet. If you have a NAT router, be sure to forward port 22 to your home PC. Secondly, you will need to set up a dyndns account so you can connect to your home PC regardless of IP address changes. Now the goal will be to connect to the ssh server on our office PC, so the port in question will be 22; if you wish to forward another port, change it in your configuration accordingly.
For the purpose of this example I will name my home PC: the office computer name will be
The bwork computer uses a private IP range of with address
So if the firewall is preventing outside connections to our bwork computer, we must initiate the connection from it.
We can do this with a simple ssh command:

council# ssh -R 2210:localhost:22
So what just happened here?
We are initiating an ssh connection ("ssh") with the reverse port forwarding option ("-R"), which opens a listening port ("2210:") that is forwarded back to localhost's port (":22"), and all of this happens on the remote computer named at the end of the command.
This connection represents the green line in the diagram above, and it's a legitimate connection as far as the corporate firewall is concerned.
So if we now open a terminal on the bhome computer and type:
ninja# ssh -p 2210 user@localhost
we will try to connect to localhost ( on port 2210. Since that port was set up by the remote ssh connection, the request is tunnelled back over that link to the computer. This is the red line on the diagram above. From the firewall's perspective it is legitimate traffic, since it is reply traffic on a link already initiated from the bwork computer.

Real life example 2

What if your home computer is not always online? Or perhaps you wish to access your office computer from multiple locations? For this you will need a dedicated server or VPS outside the corporate firewall.
So to accomplish this we will use the same command as previously, only this time we will open the reverse ssh tunnel to the remote server or VPS.
For the purpose of this example we will name the server with IP
ssh -R 2210:localhost:22
Again this opens a reverse ssh tunnel to the machine (. So when we log in to the server and issue the command:
ssh -p 2210 localhost
we will end up with the bwork computer's ssh login prompt.

Can I use this previously established reverse ssh tunnel to the server to directly connect to my office computer?


Of course, but some slight modifications are required.
By default, ssh remote forwards bind only to the server's loopback address and are reachable only locally. Meaning that, in the example above, you can't just type:
ssh -p 2210
on your home PC and be connected to your office PC.
If you run:
netstat -ntl
on bserver, you will see that port 2210 is only listening on the loopback IP address. To get it to listen on the interface connected to the Internet we must enable the GatewayPorts option in the ssh server's configuration.
By default GatewayPorts is disabled in sshd; we can simply enable it:
nano /etc/ssh/sshd_config
then add:
GatewayPorts clientspecified
save the file and restart sshd:
/etc/init.d/ssh restart
We could also have enabled GatewayPorts with yes instead of clientspecified, but that would bind every remote tunnel to the external network interface. With clientspecified we control which tunnel is accessible from outside, and on which interface.
So if we initiate reverse ssh tunnel like this:
ssh -R
we will have bserver listening on port 2210 on the network interface bound to IP and forwarding all traffic via the established tunnel to the bwork computer. If you omit the address from the command above, the server will again listen on port 2210 only on the local loopback interface. If you have multiple network interfaces on the server, be sure to select the one you can connect to.
So now when we run:
ssh -p 2210
from our home PC we initiate an ssh connection on port 2210 towards the server (blue line). The server then forwards that traffic to the office PC (red line) via the previously established reverse ssh tunnel (green line). Of course you will have to open port 2210 on the server's firewall to be able to connect.
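The three GatewayPorts values decide where a -R listener actually ends up, regardless of what the client asked for, and that is what determines whether a tunnel is private to the server or open to the Internet. The script below is an added example, not the post's own: it reads the GatewayPorts directive from sshd_config text and predicts the effective bind address following sshd_config(5), where no forces loopback, yes forces the wildcard address, and clientspecified honours the client's bind_address (per ssh(1), an omitted bind_address means loopback and an empty one or * means all interfaces). The config fragments and the 203.0.113.10 address are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the original post: predict where sshd will bind a
# remote forward (-R) for a given GatewayPorts setting, following sshd_config(5):
#   no              -> loopback only, whatever the client asked for
#   yes             -> the wildcard address, whatever the client asked for
#   clientspecified -> the bind_address the client gave (ssh(1): omitted means
#                      loopback, an empty address or "*" means all interfaces)

# Constructed sshd_config fragments used as sample input.
SSHD_DEFAULT='Port 22
#GatewayPorts no'
SSHD_YES='GatewayPorts yes'
SSHD_CLIENTSPECIFIED='Port 22
GatewayPorts clientspecified'

# gatewayports_setting CONFIG_TEXT -> prints the effective value; the default
# is "no", and only the first uncommented directive counts, as in sshd.
gatewayports_setting() {
    value=$(printf '%s\n' "$1" |
        awk 'tolower($1) == "gatewayports" { print tolower($2); exit }')
    echo "${value:-no}"
}

# effective_bind CONFIG_TEXT [BIND_ADDRESS] -> prints "loopback",
# "all-interfaces" or the specific address the listener will bind to.
# Omitting BIND_ADDRESS models "-R port:host:hostport" with no bind_address.
effective_bind() {
    config=$1
    case "$(gatewayports_setting "$config")" in
        no)  echo loopback ;;
        yes) echo all-interfaces ;;
        clientspecified)
            if [ $# -lt 2 ]; then
                echo loopback
            elif [ -z "$2" ] || [ "$2" = '*' ]; then
                echo all-interfaces
            else
                echo "$2"
            fi ;;
        *)   echo "unrecognised GatewayPorts value" >&2; return 1 ;;
    esac
}

# Stand-alone run: the three cases from the post.
effective_bind "$SSHD_DEFAULT" 203.0.113.10
effective_bind "$SSHD_YES" 127.0.0.1
effective_bind "$SSHD_CLIENTSPECIFIED" 203.0.113.10
```

On a real server you would pass the contents of /etc/ssh/sshd_config as the first argument; the parser is deliberately simple and does not understand Match blocks, so a GatewayPorts directive inside one must be checked by hand. The yes case is the one to watch: with it, even a client that asked for 127.0.0.1 gets a wildcard listener.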

Some more fun with reverse tunnels.

But I have a printer behind that corporate firewall. How can I connect to it? Easy… remember the first example? The ssh -R command takes 5 arguments, of which 4 are mandatory:
ssh -R [bind_address:]port:host:hostport
bind_address is the network address on which port will listen; connections to it are forwarded to host (reachable from the network where the reverse tunnel originated) on hostport.
So if we issue a command like this on our bwork PC:
ssh -R
we will get something like this:
So again we have the previously established reverse ssh tunnel listening on port 2210 to channel ssh connections towards the office PC. With this new command we establish a second reverse ssh tunnel (yellow line) towards bserver, which will listen for incoming connections on port 2211. When the home PC makes a connection to port 2211 on bserver (brown line) it is forwarded to the office PC (black line), which then redirects it to the office printer at address on port 631 (violet line). Remember, all this traffic passes through the corporate firewall as legitimate traffic, even if the illustration perhaps suggests otherwise.

Automating the task

So by now we should have covered the basics of how to bypass a corporate firewall in order to get to your office computer and network equipment. Now, ssh -R isn't really practical: it occupies one terminal, and as soon as it shuts down there is no tunnel and no outside connectivity. The easiest thing to do is to set up a cron job that reconnects to the remote server if the connection fails, the office computer reboots, etc.
First of all, generate ssh keys and add them to ssh-agent so that the script won't ask you for the remote server's password all the time.
Next we add two extra parameters to our command, -N and -f, so that the connection goes into the background.
The command will look like:
ssh -N -f -R [bind_address:]port:host:hostport
Next we need a shell script that will be triggered by cron. For this example we will use Real life example 2.
COMMAND="ssh -N -f -R"
pgrep -f -x "$COMMAND" > /dev/null 2>&1 || $COMMAND
Now edit this code so it suits your needs, and save it in your home dir as
Now we need to add a crontab entry which will trigger this script every 5 minutes.
crontab -e
and add:
*/5 * * * * /bin/sh /home/username/
If you are connecting as a different user name on the remote server, you can edit your commands so they look like:
ssh -R [bind_address:]port:host:hostport username@remote_host
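The cron one-liner above has three failure modes a practitioner runs into quickly: ssh prompting for a passphrase it can never answer under cron (cron jobs do not inherit the ssh-agent socket), a backgrounded ssh that lingers uselessly because the remote port was already taken, and a half-dead TCP link that pgrep still counts as "running". The script below is an added example, not the post's own, that addresses each with real OpenSSH options: BatchMode=yes, ExitOnForwardFailure=yes, and the ServerAlive keepalives. server.example.com, the user name and the file name ensure-tunnel.sh are placeholders to replace with your own; 2210 and 22 are the ports from the post.

```shell
#!/bin/sh
# Added example, not from the original post: a supervisor for the cron-driven
# reverse tunnel. Placeholder values, edit before use:
SERVER="user@server.example.com"   # the server/VPS outside the corporate firewall
BIND_ADDR="0.0.0.0"                # needs "GatewayPorts clientspecified" on that server
REMOTE_PORT=2210                   # port opened on the server (post's example)
LOCAL_PORT=22                      # sshd on this (office) machine

# build_tunnel_cmd BIND_ADDR REMOTE_PORT LOCAL_PORT SERVER -> prints the exact
# ssh command line. Keeping it in one function means pgrep -x and the launcher
# always see the same string.
#   BatchMode=yes            fail instead of prompting (no agent/tty under cron)
#   ExitOnForwardFailure=yes exit if the server refuses the -R listener
#   ServerAliveInterval/Max  drop a dead link after ~90 s so cron can rebuild it
build_tunnel_cmd() {
    printf 'ssh -N -f -o BatchMode=yes -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R %s:%s:localhost:%s %s\n' \
        "$1" "$2" "$3" "$4"
}

# tunnel_running CMD -> succeeds if a process with exactly that command line exists
tunnel_running() {
    pgrep -f -x "$1" >/dev/null 2>&1
}

# ensure_tunnel: start the tunnel unless it is already up; returns ssh's status,
# which cron will mail to you when the key is unusable or the forward is refused.
ensure_tunnel() {
    cmd=$(build_tunnel_cmd "$BIND_ADDR" "$REMOTE_PORT" "$LOCAL_PORT" "$SERVER")
    if tunnel_running "$cmd"; then
        return 0
    fi
    $cmd
}

# Only act when explicitly asked (RUN_TUNNEL=1), so the functions can be
# sourced or tested without opening a connection.
if [ "${RUN_TUNNEL:-0}" = 1 ]; then
    ensure_tunnel
fi
```

Cron entry to pair with it, every five minutes as in the post: `*/5 * * * * RUN_TUNNEL=1 /bin/sh /home/username/ensure-tunnel.sh`. Because BatchMode refuses to prompt, the key used from cron must be loadable without a passphrase; restricting that key on the server side (a dedicated account with no shell and only the needed port forwarding allowed) is the usual way to limit what its compromise would buy.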


Wednesday, February 9, 2011

A Home Fileserver using ZFS

SkyHi @ Wednesday, February 09, 2011

For many people who use a computer, knowing where to store growing amounts of data can become tricky.

You start off with one disk, run out of space, buy a bigger one etc. And if you have a camcorder you’ll be generating gigabytes of data for every Mini DV tape you record. Also, you may have a digital video recorder attached to your TV and wish to permanently keep some of the programmes/films you’ve recorded. Now you’re talking hundreds of gigabytes, if not terabytes of storage that are required to handle all this data.

And then there’s the problem of backups… oh boy, this will be a fun project :)

Here’s a series of articles that tackle this tricky subject, where I describe the choices I made, the problems encountered and the solutions found during my quest to build my own ZFS home fileserver, or ZFS home NAS box (network attached storage).

  1. Home Fileserver: What do I need?
  2. Home Fileserver: Existing products
  3. Home Fileserver: I’ll use ZFS
  4. Home Fileserver: ZFS hardware
  5. Home Fileserver: ZFS setup
  6. Home Fileserver: Backups
  7. Home Fileserver: Suspend
  8. Home Fileserver: Trunking
  9. Home Fileserver: ZFS snapshots
  10. Home Fileserver: Backups from ZFS snapshots
  11. Home Fileserver: Drive temps
  12. Home Fileserver: RAIDZ expansion
  13. Home Fileserver: Active Directory Integration
  14. Home Fileserver: A Year in ZFS
  15. Home Fileserver: ZFS File Systems
  16. Home Fileserver: OpenSolaris 2009.06
  17. Home Fileserver: Media Center
  18. Home Fileserver: Mirrored SSD ZFS root boot
  19. Home Fileserver: ZFS boot pool recovery
  20. Home Fileserver: Handling pool errors


Tuesday, February 8, 2011

Linux disable screen blanking i.e. preventing screen going blank

SkyHi @ Tuesday, February 08, 2011
It is easy to disable the screen saver under the X Window System. But when it comes to a text-based login or terminal you will not find an easy way to disable the text-based power saving mode (i.e. when your screen goes blank after a few minutes).
So how do I disable the blank screen mode, which activates after a few minutes? The answer is to use the setterm command.
setterm writes to standard output a character string that will invoke the specified terminal capabilities. Where possible, the terminfo database (terminfo is a database describing terminals, used by screen-oriented programs and libraries such as ncurses) is consulted to find the string to use.
By default, the Linux kernel uses the screen-saver option. To disable it, type the following command (it turns off the monitor's VESA power-saving features):
$ setterm -powersave off -blank 0
If it fails with an error that reads as follows:

cannot (un)set powersave mode

you need to shut down the X Window System and rerun the above command. Better, add the following two commands to your ~/.xinitrc file:
setterm -blank 0 -powersave off -powerdown 0
xset s off


Other useful options

This command also supports other useful options:
Resets the terminal to its power on state:
$ setterm -reset
Alternatively, initialize terminal:
$ setterm -initialize
Turns the terminal's cursor on or off:
$ setterm -cursor [on|off]
Turns automatic line-wrapping on or off (virtual consoles only)
$ setterm -linewrap [on|off]
Sets the foreground text color (virtual consoles only):
$ setterm -foreground blue
Sets the background text color (virtual consoles only):
$ setterm -background red
Enables or disables the sending of kernel printk() messages to the console (virtual consoles only). Useful if you get lots of messages from the iptables firewall:
$ setterm -msg [on|off]
I regularly use these (above) options.

See also:

  • Please consult the setterm and terminfo man pages for more information.

This happens when you run Xgl on an ATI graphics card. To fix it, you can do this:
gksudo gedit /etc/X11/xorg.conf
Add this section to the file and save it:
Section "ServerFlags"
    Option        "blank time" "0"
    Option        "standby time" "0"
    Option        "suspend time" "0"
    Option        "off time" "0"
EndSection
If you already have a section called "ServerFlags", just add the four "Option" lines before the "EndSection" line.
Restart the xserver (ctrl-alt-backspace) and the new settings should take effect.