Setting up an SSH tunnel

Establishing a tunnel between two machines/networks is embarrassingly simple. If you know a little about IP networking, all you should need to do is look at these examples. Its a shame a longer example is not on the man page.

Say, for example, I have a telnet server behind a corporate firewall, that I want to access from home. Luckily, the company has an SSH server behind their firewall. I can bounce traffic to my little unpublished telnet server off of the corporate SSH server, workDMZhost.

On machine homeDMZhost on my home network, I type:

   ssh -g -L 10023:workTelnetHost:23 workDMZhost

Authentication proceeds as usual. The -g allows remote hosts to use the tunnel. Default behavior is to tunnel only on the loopback device. The -L 10023:workTelnetHost:23 listens at port 10023 on homeDMZhost, and forwards traffic on this port to workTelnetHost:23 on the office network.

In my case I can just use the usual user/password authentication. You can set up trusted hosts with public key signatures. I haven't figured that out yet.... and its not even necessary if you just need a quick tunnel for a one-time job.

Now you should have a shell running on workDMZhost. Very nice. You don't need to do anything with it. Just log out, and the tunnel will be closed with the shell.

On any machine on my home network, I can now type:

     telnet homeDMZhost 10023

And I will get a secure telnet session to workTelnetHost. This works even when BOTH are non-routable private networks, behind NAT firewalls. Host lookup for workTelnetHost occurs on workDMZhost. This is good, since in my case, workTelnetHost is not a recognized machine name on my home network.
More useful applications:

I have had problems where I could never get the well-used FlexLM license manager, by Globetrotter software, to work over NAT. It will work over a firewall with a hole for it's port (or so globetrotter claims), but I couldn't get it to work over NAT.

The following degails my sucessfull setup at using FlexLM over a firewall. A kind reader of this page went a bit ferther. He got it to work without a local license file, setting environment LM_LICENSE_FILE 1800@FlexLMserver to look at a tunnel port to get info from the server. You should be able to run the tunnel from your localhost to the sshd server. Forward the port from the sshd server to the FlexLM server. (In my case, these are different machines, but FlexLM is happy to give a license to a request from the trusted sshd server)

This is a much simpler, and more elegant solution. As soon as I get the chance, I will try to implement it myself and report the results.

Until then, you can try to do this yourself.

And now, back to our old, stale, outdated discussion of my FlexLM problem...

The license.dat file seems to use the FlexLM server's hostname and ethernet address. It MIGHT work if one were to alias the FlexLM server's hostname to the remote NAT server. Have the remote NAT server forward the FlexLM ports to the REAL FlexLM server. However, I haven't been able to test that yet, and I DID get the SSH tunnel to work. I can implement the SSH tunnel without having the sys-admin alter the router and servers for me.

I aliased one of my home machines to the same name as the "real" FlexLM server at work. (It might work with aliasing the loopback IP:, but I haven't tested that yet.) My FlexLM client's /etc/hosts file now has a line that looks like snoopy FlexLMserver

On machine snoopy I run the command:

    ssh -g -L 1800:FlexLMserver:1800 -L 1801:FlexLMserver:1801 workDMZhost
This makes snoopy a proxy for the machine FlexLMserver at work. Now snoopy tunnels packets at ports 1800 and 1801 to workDMZhost, which then forwards them to the real FlexLMserver.

My license.dat file has entries like:

SERVER FlexLMserver 00123456789a 1800
DAEMON idl_lmgrd /usr/local/rsi/idl_5.4/bin port=1801
Initial license requests go to port 1800, and the daemon for the licensed IDL application is hard-coded to listen at 1801. This is less secure than having the IDL daemon listen at a random port, but then its harder (if even possible) to have the firewall allow the connection.

Now my snoopy machine will forward requests for FlexLM licenses over to our corporate network's real FlexLM server, and we start getting what we paid for in a floating network license.

I'm very disappointed that the software vendor, RSI will not let me talk to an engineer who might actually understand my problem. I'm less mad at globetrotter for not talking to me. RSI is their customer, not me.

Aaron Birenboim
Last modified: Wed Nov 23 08:12:17 MST 2005