[nSLUG] Open port on Ubuntu box

Daniel Morrison draker at gmail.com
Thu Jul 19 01:46:35 ADT 2007


On 18/07/07, sbo at eastlink.ca <sbo at eastlink.ca> wrote:

> I have been trying to connect to an Ubuntu box through a given port (let's
> take 10001  for example).  I have not been able to do so, but I can easily
> SSH into it and see what I need to see.  I assume that the firewall is not
> preventing me since I can get in through port 22.

Poor assumption, but AFAIK Ubuntu does not implement strict firewall rules
by default, so your assumption may be correct unless there's something
you're not telling us about your installation.

You haven't said that there is a service listening on port 10001, or even
what type of service isn't listening on that port.

And no one has addressed your question:

> How can I open a port
> through my SSH session (terminal session)?  What is the appropriate set of
> commands?

Open a port through your ssh session?  You must mean for listening?  If
not, then...

If you've got an sshd on the server listening on a non-standard port, say
because you've changed the 'Port' configured in /etc/ssh/sshd_config, or
launched sshd with the '-p 10001' command line option, then you can
connect to it from afar with the '-p' command line option to ssh:

   ssh -p 10001 my.server.com

and for scp (note the capital -P):

   scp -P 10001 afile user@my.server.com:

If you want your normal ssh session to listen on port 10001 (which is how
I interpret your question), then -- well, first you have to bear in mind
that ssh will listen, but only in order to forward somewhere else through
the ssh connection.  Somewhere, on some system, you need some server
process listening.

Let's say you're sitting on a gateway to a private network. Your remote
Ubuntu machine is on the public Internet, and can't reach your private
network, but you want someone to be able to connect to it on port 10001
and reach a service inside your private network. If you ssh to your Ubuntu
machine from your gateway, you can add the '-R' command line option to tell
it to start listening on port 10001 (on the 'R'emote Ubuntu machine).  Anything
connecting to that port on the remote system will get forwarded through
your ssh session, and get sent to the location you specify -- say a web
server on your private network, reachable only from the gateway you're
sitting on.

user@gateway~$ ssh -R 10001:private.web.server:80 user@remote.ubuntu.org

So now someone on remote.ubuntu.org could connect to tcp port 10001 on the
localhost, and wind up talking, through your ssh connection, to
private.web.server port 80.  From the web server's point of view, the
connection appears to originate from the gateway.

Caveat: forwarding remote ports works only for people connecting to
localhost.  If you really want to make it work for _everybody_ on the big
bad Internet, do this:

user@gateway~$ ssh -R :10001:private.web.server:80 user@remote.ubuntu.org

Or you can enable the 'GatewayPorts' option. Read the ssh(1) man page
under the '-R' option, and sshd_config(5) man page for details.

You can do the same thing in reverse (listen, and forward from a port on
the local system to a destination reachable by the remote system) by using
the '-L' (local port forward option).  This makes sense if your remote
Ubuntu system is a gateway to a private network, and you want to reach
inside that private network from where you are on the public internet.
Other than reversing the direction of travel, it works exactly the same
way.  But since you're asking about listening on a remote machine, I think
it's the '-R' you want.

Finally you imply in your question that you want to start listening after
your ssh session is already established.  No problem:

user@gateway~$ ssh user@remote.ubuntu.org
user@remote~$ ~C
ssh> -R 10001:private.web.server:80
Forwarding port.

user@remote~$ telnet localhost 10001
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.


I hope this was at least interesting, even if it missed the mark answering
your question.  You might try being a bit more specific about what it is
you're trying to do...

-D.
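The reply above turns on two checks the original poster never did: is anything actually listening on port 10001, and is it bound to localhost only (the default for '-R') or to every interface (the ':10001' form or GatewayPorts). The function below, an added example and not part of Daniel's message, answers both from `ss -ltnH` style output; the sample socket table embedded in it is constructed, and on a real Ubuntu box you would pass `"$(ss -ltnH)"` as the second argument.

```shell
#!/bin/sh
# Added example: classify how a TCP port is listened on, from
# `ss -ltnH` output (listening, TCP, numeric, no header).
# The socket table below is CONSTRUCTED sample data, not a real capture:
# sshd on all interfaces, a service on 10001 reachable only via loopback
# (what a plain `ssh -R 10001:...` gives you), and one on 8080 open to all.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:10001 0.0.0.0:*
LISTEN 0 128 [::1]:10001 [::]:*
LISTEN 0 128 *:8080 *:*'

# listen_scope PORT [SS_OUTPUT]
# Prints one word:
#   none     - nothing listens on PORT
#   loopback - listener(s) bound to 127.0.0.1 / [::1] only
#   all      - at least one listener bound to a non-loopback address
#              (0.0.0.0, *, [::] or a specific interface address)
listen_scope() {
  port="$1"
  input="${2:-$SAMPLE_SS}"
  printf '%s\n' "$input" | awk -v p="$port" '
    $1 == "LISTEN" {
      addr = $4                       # local address:port column
      n = split(addr, parts, ":")
      if (parts[n] != p) next         # last field is the port
      host = substr(addr, 1, length(addr) - length(p) - 1)
      if (host == "127.0.0.1" || host == "[::1]") seen_lo = 1
      else seen_all = 1
    }
    END {
      if (seen_all) print "all"
      else if (seen_lo) print "loopback"
      else print "none"
    }'
}

# Stand-alone demonstration against the constructed sample.
for port in 22 10001 8080 9999; do
  printf 'port %s: %s\n' "$port" "$(listen_scope "$port")"
done
```

A result of "loopback" on the remote box is the caveat from the reply in practice: the forward exists but only local clients can reach it, which is usually what you want until you have deliberately decided to expose it.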
