Tunnelling through firewalls with SSH

In this tutorial we show how to set up an SSH connection in order to access computers and services behind a firewall.

The topology of the network is as depicted below:

Network schematics for ssh tunnelling through a firewall.

We have a computer (with IP connected to a router, which in turn is connected to the internet. What we want is access to the desktop (with IP and to all the other servers (web, samba and mail). The problem with this network is that the firewall allows only ssh connections over port 22 to the ssh server (with IP Therefore, in order to reach any of the other computers behind the firewall, we need to go through the ssh server.

What I will show here is how to set up an ssh tunnelling connection that allows us to connect to these machines.

This tutorial is based on the tutorial by Mike Chirico that can be found here.


We want to be able to ssh to the desktop machine (with IP, connect to the web server (with IP, access the samba server (with IP and use the mail server (with IP In order to do that we need to tunnel through the ssh server (the only machine we can access directly).

To tunnel traffic through the SSH server from the *nix laptop to the different machines behind the firewall, create the following ~/.ssh/config file on the *nix laptop:

Host mytunnel
        ForwardX11 yes
        User your_username_at_131.180.123.195
        LocalForward 22022
        LocalForward 22139
        LocalForward 22080
        LocalForward 22110

Host mytunnel_ssh
        HostName localhost
        ForwardX11 yes
        User your_username_at_131.180.123.193
        Port 22022
        HostKeyAlias athens

We have just configured two ssh connections: mytunnel and mytunnel_ssh. The first is the essential one; the second merely simplifies the ssh connection to the desktop.

The first thing done there is to specify the IP of the ssh server (HostName) and the username (User) to use to connect to it. After that, there are four lines starting with LocalForward. Each of these lines redirects any data sent to a port on the laptop to a port on another computer. For example, the first line:

LocalForward 22022

states that all data sent to port 22022 of the laptop will be sent (over the ssh connection to the ssh server) to port 22 of the machine with IP This means that whenever the ssh connection mytunnel is open, sending data to port 22022 on the laptop is “the same” as sending data to port 22 of the machine with IP The same holds for the samba, web and mail servers, but on ports 22139, 22080 and 22110, respectively.
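As an added example that is not part of this tutorial, here is a small Python checker that parses a ~/.ssh/config-style file and flags the two things this setup relies on: a LocalForward whose listening side is bound to anything other than loopback (which would re-expose the tunnelled service on the laptop's own network), and a Host that reaches a machine via localhost plus a forwarded Port without a HostKeyAlias (the keyword that fixes the name under which that machine's host key is stored, so different machines behind the same local port do not collide). The sample config, its addresses and its user name are constructed placeholders, not the tutorial's values.

```python
# Added example (not from the tutorial): audit the LocalForward tunnels in an
# ssh_config-style file. It checks that every forwarded local port binds to
# loopback only (a '*', 0.0.0.0 or :: bind would re-expose the tunnelled service
# on the laptop's own network) and that a Host reached via 'HostName localhost'
# plus a forwarded Port carries a HostKeyAlias, so the different machines' host
# keys are not all recorded under 'localhost'. IPs are RFC 5737 placeholders.
WILDCARD_BINDS = {"*", "0.0.0.0", "::"}
# Constructed config in the tutorial's layout; one wildcard bind and one
# localhost Host without HostKeyAlias are left in deliberately for the audit.
SAMPLE_CONFIG = """
Host mytunnel
    HostName 192.0.2.1
    User alice
    LocalForward 22022 198.51.100.10:22
    LocalForward *:22139 198.51.100.11:139
    LocalForward 22080 198.51.100.12:80
Host mytunnel_ssh
    HostName localhost
    Port 22022
"""

def parse_ssh_config(text):
    """Return {host_alias: {keyword_lowercased: [values]}} for each Host block."""
    hosts, current = {}, None
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            current = hosts.setdefault(value, {})
        elif current is not None:
            current.setdefault(key, []).append(value)
    return hosts

def audit_forwards(hosts):
    """Return findings as strings; an empty list means both checks passed."""
    findings = []
    for alias, opts in hosts.items():
        gateway = opts.get("gatewayports", ["no"])[0].lower() == "yes"
        for fwd in opts.get("localforward", []):
            listen = (fwd.split() or [""])[0]  # "[bind:]port"; no bind = loopback unless GatewayPorts
            bind = listen.rsplit(":", 1)[0].strip("[]") if ":" in listen else None
            if bind in WILDCARD_BINDS or (bind is None and gateway):
                findings.append(f"{alias}: LocalForward {listen} listens on all interfaces")
        hostname = opts.get("hostname", [""])[0].lower()
        if hostname in ("localhost", "127.0.0.1") and "port" in opts and "hostkeyalias" not in opts:
            findings.append(f"{alias}: reaches localhost:{opts['port'][0]} without HostKeyAlias")
    return findings
```

Running audit_forwards(parse_ssh_config(SAMPLE_CONFIG)) reports the wildcard bind on port 22139 and the missing HostKeyAlias on mytunnel_ssh; a config that binds only to 127.0.0.1 or [::1] and names a HostKeyAlias returns no findings.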

To open this tunnelling connection we simply need to type the following line in the terminal:

ssh mytunnel

To make an ssh connection to the desktop with IP there are two options. The longer one is to open the previous tunnelling connection:

ssh mytunnel

and then, in a new terminal window, open the ssh connection to the desktop:

ssh mytunnel_ssh

A simpler and shorter way is to add the following line to your .bash_profile or .bashrc file:

alias desktop_ssh='ssh -N -f -q mytunnel;ssh mytunnel_ssh'

Now, to connect to the desktop, you just need to type in your terminal: