SSH Tunneling

If you need information about setting up ssh and obtaining the public keys for the Panix user hosts, please see www.panix.com/help/ssh.html.

Introduction
How to set up SSH port forwarding to Panix for Web proxying
Using SSH port forwarding to send email
Connecting to MySQL through an SSH tunnel


Introduction

What is Secure Port Forwarding?
If you're interested enough to read this page, you're probably using a Secure Shell connection to Panix already. So you're at least familiar with the value of a secure, encrypted connection.
Secure Port Forwarding lets you use that SSH connection for things besides straight UNIX shell sessions: things like Web browsing, email, and FTP.
What's it used for?
Usually, (for example) a Web connection goes directly from your computer to the Web server; but with Secure Port Forwarding, you connect to the Web server through the SSH link. This accomplishes two things:
  • Security and privacy: Between you and Panix, your requests (and the Web pages) are transferred over an encrypted link. This makes it much harder for nasty people to listen in and grab your Web passwords, or spy on your browsing session.
  • Access through firewalls: If your Internet provider blocks connections to some ports on some servers, you can gain access to those ports by way of an SSH connection to Panix. Your computer will connect to Panix, and then Panix will connect to your destination. So, as long as Panix doesn't have your destination blocked, you'll be able to get there.

How to set up SSH port forwarding to Panix for Web proxying
  1. First, you need to have a working SSH connection to Panix. You also need to use an SSH client program that supports Port Forwarding. (We recommend OpenSSH for UNIX or Mac OS X, TTSSH and PuTTY for Windows, or MacSSH for Mac OS 9. We've tested all of those; you're on your own if you use something other.)
  2. Make sure your Web browser will accept a proxy server address. Modern browsers (Netscape 4 and up, IE 4 and up, Opera 4 and up all do this, so it shouldn't be a problem.)
  3. Create an SSH connection to Panix, and then open the port forwarding section of your SSH session. Set up a "local" type forwarded port, with these settings:
    Local port: 9000
    Remote server: 127.0.0.1 Remote port: 8008
    (Panix maintains Privoxy web-proxy service on port 8008 of all our userhosts. If you want "ad-blocking" too, use remote port 8118 instead.)
  4. Save your session with the new forwarded port, so you can create a "favorite" or shortcut later.
  5. Connect to Panix with your port-forwarded SSH session. Now your local port 9000 is hooked up to Privoxy on Panix, and ready to use. (The local port doesn't have to be 9000, it can be any unprivileged port that you're not using for other purposes. If you are setting up more than one proxy, you'll need a separate session, with a different port number, for each.)
  6. Open your Web browser, go to the "preferences" or "options" section, and look for the "proxies" category. Enter the following under "HTTP" and "HTTPS":
    Proxy server: 127.0.0.1 Port: 9000
    This will redirect your Web browser so it goes through the tunnel.
  7. You should be able to surf now, regardless of firewall restrictions.

Sending email through an SSH tunnel
Users of some high-speed connections may discover that even when they use Panix's SMTP server, their outbound message headers include node information that causes some spam filters to reject their email.

You can avoid including headers from elsewhere using SSH proxying to send mail directly from the userhosts. The instructions are similar to those for web proxying, above, with appropriate modification of the port.

  1. Create an ssh connection to Panix and open port forwarding. You need to set up a "local" forwarded port with these settings:
    Local port: 9000 Remote server: mail.panix.com Remote port: 25
    (Port 25 is the standard port for SMTP.)
  2. Connect to Panix with your port-forwarded SSH session. Now your local port 9000 is hooked up to the SMTP port on Panix's shell host.
    (The local port doesn't have to be 9000, it can be any unprivileged port that you're not using for other purposes. If you are setting up more than one proxy, you'll need a separate session, with a different port number, for each.)
  3. Point your mail program at 127.0.0.1 port 9000 for SMTP through the tunnel.
For details on setting up specific SSH or Web browsing software, refer to the documentation for that program.
Connecting to MySQL through an SSH tunnel

For security purposes, the Panix MySQL server only accepts connections from the Panix userhosts and webhosts. If you need to connect to the Panix MySQL server from another machine, for example, to use a GUI on your desktop to manipulate the database, you can do so if you tunnel your MySQL connection through a Panix userhost.

You do not have set up an SSH tunnel to use our shared phpMyAdmin. For that, simply point your web browser at https://mysql.config.panix.com/ and log in using your database username and password. You only need to set up the SSH tunnel if you want to use a GUI running on a non-Panix server.

MySQL documentation on ssh tunneling: http://dev.mysql.com/doc/refman/4.1/en/windows-and-ssh.html

  1. Create an ssh connection to Panix and open port forwarding. You need to set up a "local" forwarded port with these settings:
    Local port: 9000
    Remote server: mysql2.panix.com
    Remote port: 3306
    (Port 3306 is the standard port for mySQL connections.)
  2. Connect to Panix with your port-forwarded SSH session. Now your local port 9000 is hooked up to the SQL port on Panix's shared mySQL host (if you have a dedicated server, use its name there instead).
    (The local port doesn't have to be 9000, it can be any unprivileged port that you're not using for other purposes. If you are setting up more than one proxy, you'll need a separate session, with a different port number, for each.)
  3. Point your mysql client at 127.0.0.1 (or localhost) port 9000 for mySQL access through the tunnel.
Unix example:
• ssh -f -L 9000:mysql2.panix.com:3306 panix5.panix.com sleep 20
• mysql -h 127.0.0.1 -P 9000 -u <username> -p <dbname>


Last Modified:Wednesday, 30-Jan-2013 12:14:10 EST
© Copyright 2006-2011 Public Access Networks Corporation