Scott Collier

There are many, many examples of how to set up SSH port forwarding online. Here’s how I do it. In our environment we have many clusters set up – behind a firewall. So, the challenge we have is to be able to efficiently log in and out of clusters and copy files to and from clusters. I don’t want to have to SSH to the SSH Jump Server and then SSH to my clusters. I also don’t want to have to copy files to the SSH Jump Server and then to my clusters.
How I use SSH port forwarding…
Environment:

1. My desktop: Windows
2. SSH Client: Putty
3. SSH Jump Server: Dell Server running Red Hat Linux
4. Clusters in Lab: Platform and ClusterCorp Clusters


Goals:

1. Tunnel SSH traffic from my desktop to the cluster Head Nodes in the lab
2. Tunnel VNC traffic from my desktop to the cluster Head Nodes in the Lab
3. Copy files from my Windows workstation to the remote cluster head nodes
4. Discuss different scenarios where this would be useful.


My network is set up like this at a high level:

[Figure: high-level network diagram]


As you can see, I have to get through the SSH Jump Server which is running Linux to different Head Nodes on my clusters in the lab network that are also running Linux. I need to be able to do both SSH port forwarding and VNC port forwarding so I can redirect X windows from the remote head nodes in the lab to my local workstation. We force all traffic into the lab through the SSH Jump Server. I must add that this is a secure, controlled environment as well.
Here’s how I tunnel through our SSH jump server to my clusters.
Download PuTTY and PSCP here: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
Set up your SSH and VNC ports to be forwarded in PuTTY.

  1. Open your PuTTY client
  2. On the left, click on "Session"
     A. Under 'Host Name' enter "sshJumpServer.network.local", under 'Port' enter "22"
  3. On the left expand "Connection"
  4. On the left expand "SSH"
  5. Click on "Tunnels"
  6. Enter a "Source Port" and "Destination IP" address for each port / address you want to forward. The destination IP should be the IP of the device on the lab network. In this case, it will be the public IP of Cluster 1.
     A. To be able to forward SSH traffic (including scp) and VNC, enter:
        Example: Source Port - 10004, Destination Address - 192.168.1.22:22 (for SSH)
        Example: Source Port - 10007, Destination Address - 192.168.1.200:5901 (for VNC)
  7. Click "Add" on each of them
     A. Should look like this in the PuTTY interface when they get added:
        L10004 192.168.1.22:22
        L10007 192.168.1.200:5901
  8. On the left click on "Session" and click "Save"
  9. Now just log into sshJumpServer with PuTTY.
  10. Here’s an example of what my PuTTY window looks like.

[Screenshot: PuTTY window]
Now that PuTTY is configured, I usually just launch an instance to my SSH Jump Server and leave it running. Now I can test the other tools and make sure all the forwarding is working.
Using PuTTY:
  1. Open your PuTTY client
  2. In "Host Name (or IP Address)", enter 127.0.0.1
  3. In "Port", enter 10004
  4. In "Saved Sessions", give the session a name and click "Save"
  5. Click "Load"
  6. Now you should be forwarded to the remote device
To test SCP from my Windows workstation:
Using PSCP:
  1. You must have an active PuTTY session open so the ports will be forwarded
  2. Download PSCP and put it on your desktop
  3. Open a command prompt on your Windows host
  4. Enter the following command to copy a file from your remote host to your local Windows host:

pscp -pw password -P 10004 file1 root@127.0.0.1:/root/.
-pw is for the password
-P is the local port you are connecting to

Using VNC:
1. Configure the remote server that will be running the X windows session you want to redirect to your local Windows workstation
A. Make sure VNC is installed:
# rpm -qa | grep -i vnc
vnc-server-4.1.2-14.el5

B. Set a VNC password for root, or whomever
# vncpasswd
Password:
Verify:

C. Start the vncserver on the remote head node

# vncserver

New 'master.private.dns.zone:1 (root)' desktop is master.private.dns.zone:1

Creating default startup script /root/.vnc/xstartup
Starting applications specified in /root/.vnc/xstartup
Log file is /root/.vnc/master.private.dns.zone:1.log

D. Make sure to either stop iptables or open a port so VNC will work if needed
2. Configure your Windows workstation

A. Install TightVNC
B. Launch TightVNC with the IP address of 127.0.0.1 and the local port you are forwarding, like 127.0.0.1::10007

[Screenshot: TightVNC]
That should do it.
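
One way to confirm the forwards are working before pointing PuTTY, PSCP or TightVNC at them (an added example, not part of the original post): SSH and VNC servers both send an identification line as soon as a client connects, so reading the first bytes from 127.0.0.1:10004 and 127.0.0.1:10007 shows which service each tunnel actually reaches. The port-to-service mapping comes from the PuTTY tunnel settings above; the function names and state labels are assumptions made for this example.

```python
import socket

# Local forwards from the PuTTY "Tunnels" settings in this post.
FORWARDS = {10004: "ssh", 10007: "vnc"}

def classify(first_bytes):
    """Name the service from the identification line the server sends first."""
    if first_bytes.startswith(b"SSH-"):   # e.g. "SSH-2.0-OpenSSH_..."
        return "ssh"
    if first_bytes.startswith(b"RFB "):   # e.g. "RFB 003.008"
        return "vnc"
    return "unknown"

def read_banner(sock, timeout=3.0):
    """Return (state, banner_line) for an already-connected socket."""
    sock.settimeout(timeout)
    try:
        data = sock.recv(64)
    except socket.timeout:
        return ("silent", "")      # connected, but nothing was sent in time
    except OSError:
        return ("dropped", "")     # connection reset by the other end
    if not data:
        # Accepted locally, then closed: typically the jump server could not
        # reach the destination address and port.
        return ("dropped", "")
    line = data.split(b"\n", 1)[0].decode("ascii", "replace").strip()
    return (classify(data), line)

def probe(port, host="127.0.0.1", timeout=3.0):
    """Connect to one forwarded port and report what answers."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return ("not-listening", "")   # no PuTTY session holding the forward
    with sock:
        return read_banner(sock, timeout)

def check_forwards(forwards=FORWARDS):
    """Map each local port to (matches_expected, state, banner_line)."""
    report = {}
    for port, expected in forwards.items():
        state, line = probe(port)
        report[port] = (state == expected, state, line)
    return report

if __name__ == "__main__":
    for port, (ok, state, line) in check_forwards().items():
        print(f"127.0.0.1:{port} {'OK' if ok else 'CHECK'} {state} {line}")
```

Run it on the Windows workstation while the PuTTY session to the jump server is open; a port that reports a service other than the one expected means the tunnel's destination address or port is wrong.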

Now, another interesting use case I’ve seen is that some customers have several different devices in the cluster, such as Ethernet switches, IB switches, storage arrays, etc. They don’t have enough IP addresses on their “public” network to assign to all these different devices, so they end up plugging all the management ports of these devices into the “private” cluster network switch. With SSH port forwarding, you can still manage all these devices from your desktop very easily.

If you have any tips / tricks you’d like to share about how you manage your clusters, please feel free to post here.

-- Scott Collier