Securing Common Port Forwarding Scenarios

Different port forwarding use cases require specific security considerations. Implement appropriate controls for each scenario while maintaining usability.

Database Access Through Bastion Host:

# Secure database tunnel setup
# Client configuration ~/.ssh/config

Host db-tunnel
    HostName bastion.example.com
    User dbaccess
    # Bind the listener to loopback explicitly so other hosts cannot use the tunnel
    LocalForward 127.0.0.1:3306 database.internal:3306
    # Security restrictions
    ServerAliveInterval 60
    ServerAliveCountMax 2
    ExitOnForwardFailure yes
    # Prevent other forwarding
    ClearAllForwardings yes
    # Control socket so the script below can check and close the tunnel
    # (ssh -O only works when a ControlMaster connection exists)
    ControlMaster auto
    ControlPath ~/.ssh/ctl-%r@%h:%p
    # Log connections
    LogLevel VERBOSE

# Usage with connection script
#!/bin/bash
# secure-db-connect.sh
set -euo pipefail

# Start tunnel in the background; with ExitOnForwardFailure, -f returns only
# after the forward is established, so no sleep is needed
ssh -f -N db-tunnel

# Verify the tunnel is up and make sure it is closed when the script exits,
# whether mysql ends normally, times out, or fails
ssh -O check db-tunnel
trap 'ssh -O exit db-tunnel' EXIT

# Connect with a one-hour session limit
timeout 3600 mysql -h 127.0.0.1 -P 3306 -u app_user -p
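Before relying on a tunnel profile like the one above, it is worth checking that the client configuration really carries the restrictions the text lists. The following script is an added example, not code from the original page: a hypothetical `audit_tunnel_host` function that parses an ssh_config file with awk and reports a Host block that lacks ExitOnForwardFailure or ClearAllForwardings, contains a RemoteForward, enables GatewayPorts, or binds a LocalForward/DynamicForward listener to anything other than loopback. Only exact Host aliases are matched (wildcard patterns and `Host *` defaults are ignored), and the two configuration files it checks are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original page): audit one Host block of an
# ssh_config file for the client-side forwarding restrictions shown above.
# Hypothetical function name; the sample config files below are constructed.
set -u

audit_tunnel_host() {  # usage: audit_tunnel_host CONFIG_FILE HOST_ALIAS
    awk -v want="$2" '
    function fail(msg) { print "FAIL: " msg; bad++ }
    # A listen spec is "port", "bind:port" or "[v6addr]:port"; with no bind
    # address ssh listens on loopback (unless GatewayPorts is yes).
    function bind_ok(spec) {
        if (spec !~ /:/) return 1
        sub(/:[^:]*$/, "", spec)                  # drop the port
        gsub(/\[/, "", spec); gsub(/\]/, "", spec)  # strip IPv6 brackets
        return spec == "localhost" || spec == "127.0.0.1" || spec == "::1"
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }           # comments and blank lines
    {
        key = tolower($1)
        if (key == "host" || key == "match") {  # a new block starts here
            in_block = 0
            if (key == "host") {
                for (i = 2; i <= NF; i++) if ($i == want) in_block = 1
            }
            next
        }
        if (!in_block) next
        if (key == "localforward" || key == "dynamicforward") {
            forwards++
            if (!bind_ok($2)) fail($1 " " $2 " listens on a non-loopback address")
        } else if (key == "remoteforward") {
            fail("RemoteForward " $2 " present in a client tunnel profile")
        } else if (!(key in seen)) {
            seen[key] = tolower($2)             # first value wins, as in ssh_config
        }
    }
    END {
        if (seen["exitonforwardfailure"] != "yes") fail("ExitOnForwardFailure is not yes")
        if (seen["clearallforwardings"] != "yes") fail("ClearAllForwardings is not yes")
        if (seen["gatewayports"] == "yes") fail("GatewayPorts yes exposes local listeners to other hosts")
        if (forwards == 0) fail("no LocalForward/DynamicForward for Host " want)
        exit (bad > 0)
    }' "$1"
}

TUNNEL_OK=$(mktemp); TUNNEL_BAD=$(mktemp)
trap 'rm -f "$TUNNEL_OK" "$TUNNEL_BAD"' EXIT

# Constructed profile following the db-tunnel block above
cat > "$TUNNEL_OK" <<'EOF'
Host db-tunnel
    HostName bastion.example.com
    User dbaccess
    LocalForward 127.0.0.1:3306 database.internal:3306
    ExitOnForwardFailure yes
    ClearAllForwardings yes
    LogLevel VERBOSE
EOF

# Constructed profile with three problems; the trailing block shows that
# settings under another Host alias do not count for db-tunnel
cat > "$TUNNEL_BAD" <<'EOF'
Host db-tunnel
    HostName bastion.example.com
    # listener reachable from other hosts on the network
    LocalForward 0.0.0.0:3306 database.internal:3306
    # reverse forward has no place in a client-only tunnel profile
    RemoteForward 2222 localhost:22
    ExitOnForwardFailure yes

Host other
    ClearAllForwardings yes
EOF

audit_tunnel_host "$TUNNEL_OK" db-tunnel && echo "db-tunnel: OK"
audit_tunnel_host "$TUNNEL_BAD" db-tunnel || echo "db-tunnel (bad profile): needs attention"
```

The audit is deliberately strict about bind addresses: a LocalForward with no bind part is accepted because ssh defaults it to loopback, but `0.0.0.0`, `*` or an empty bind address is reported, since any host that can reach the client would then be able to use the tunnel with the client's credentials.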

Secure Web Application Access:

# SOCKS proxy for web application access
# Create a SOCKS proxy on loopback, authenticated by the SSH session

#!/bin/bash
# secure-web-proxy.sh
set -euo pipefail

PROXY_PORT=8888
PROXY_HOST="proxy.example.com"
LOG_FILE="/var/log/web-proxy.log"

# Start proxy: bind the SOCKS listener to loopback only and append ssh's
# verbose log to the log file with -E. ssh is started directly in the
# background (not through a pipe to tee) so that $! is ssh's own PID.
ssh -D "127.0.0.1:$PROXY_PORT" "$PROXY_HOST" -N \
    -E "$LOG_FILE" \
    -o "LogLevel=VERBOSE" \
    -o "ExitOnForwardFailure=yes" \
    -o "ServerAliveInterval=30" &

PROXY_PID=$!
# Stop the proxy when this script exits
trap 'kill "$PROXY_PID" 2>/dev/null' EXIT

# Configure browser to use proxy
echo "Configure browser to use SOCKS5 proxy: localhost:$PROXY_PORT"
echo "Proxy PID: $PROXY_PID"

# Monitor proxy usage: count established client connections to the local port
watch -n 5 "ss -Htn state established '( sport = :$PROXY_PORT )' | wc -l"
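Counting connections tells you how busy the proxy is, but the verbose log is what tells you where traffic actually went. The script below is an added example, not code from the original page: a hypothetical `summarize_proxy_log` function that tallies the destination host:port pairs requested through the dynamic forward and marks any host outside an allowed-domain pattern. It assumes the client writes channel-close lines of the form `debug1: channel N: free: direct-tcpip: listening port P for HOST port Q, connect from ...` (modelled on OpenSSH verbose output); the log lines it reads are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original page): summarize destinations reached
# through the -D proxy from the ssh client log written at LogLevel VERBOSE.
# Assumed line format (modelled on OpenSSH verbose output):
#   debug1: channel 3: free: direct-tcpip: listening port 8888 for HOST port PORT, connect from ...
# Hypothetical function name; the sample log below is constructed.
set -u

# usage: summarize_proxy_log LOGFILE ALLOWED_HOST_REGEX
# Prints "count host:port status", most used first; status is
# OUTSIDE-ALLOWLIST for hosts that do not match the regex, otherwise ok.
summarize_proxy_log() {
    awk -v allow="$2" '
    /free: direct-tcpip: listening port/ {
        # the tokens after "for" are: HOST "port" PORT, (with a trailing comma)
        for (i = 1; i <= NF; i++) {
            if ($i == "for") { host = $(i + 1); port = $(i + 3); break }
        }
        sub(/,$/, "", port)
        key = host ":" port
        count[key]++
        if (host !~ allow) flagged[key] = 1
    }
    END {
        for (k in count)
            printf "%d %s %s\n", count[k], k, ((k in flagged) ? "OUTSIDE-ALLOWLIST" : "ok")
    }' "$1" | sort -rn
}

PROXY_LOG=$(mktemp)
trap 'rm -f "$PROXY_LOG"' EXIT

# Constructed sample: three requests to an internal web app, one to a wiki,
# and one RDP connection to an address outside the expected domain
cat > "$PROXY_LOG" <<'EOF'
debug1: Connection to port 8888 forwarding to socks port 0 requested.
debug1: channel 3: free: direct-tcpip: listening port 8888 for app.example.com port 443, connect from 127.0.0.1 port 50112 to 127.0.0.1 port 8888, nchannels 4
debug1: channel 4: free: direct-tcpip: listening port 8888 for app.example.com port 443, connect from 127.0.0.1 port 50114 to 127.0.0.1 port 8888, nchannels 3
debug1: channel 5: free: direct-tcpip: listening port 8888 for wiki.example.com port 80, connect from 127.0.0.1 port 50120 to 127.0.0.1 port 8888, nchannels 3
debug1: channel 6: free: direct-tcpip: listening port 8888 for 203.0.113.9 port 3389, connect from 127.0.0.1 port 50131 to 127.0.0.1 port 8888, nchannels 2
debug1: channel 7: free: direct-tcpip: listening port 8888 for app.example.com port 443, connect from 127.0.0.1 port 50140 to 127.0.0.1 port 8888, nchannels 2
EOF

summarize_proxy_log "$PROXY_LOG" '[.]example[.]com$'
```

Run against the real `$LOG_FILE` from the proxy script, the OUTSIDE-ALLOWLIST rows are the ones to review: a SOCKS proxy forwards to whatever the browser (or anything else on the client using the port) asks for, so the log is the only client-side record of destinations.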