===============================================================================
Port Forwarding and SOCKS Proxies

Also see Shep -- a Go program that only provides ssh port forwarding
  https://git.griffith.edu.au/S3-Unix/shep
===============================================================================

Encrypted (port forward) links (for any single service)

  ssh -L X:destination:Y firewall

This will create a local port X which forwards connections and data to the
machine "firewall", and then on to port Y on "destination".  A client program
(application) can then connect to "localhost:X" to contact the server at
"destination:Y".  The server program on "destination:Y" however will see the
traffic from your client program coming from the machine "firewall", even
though the client is not actually running on that machine.

In other words it sets up a link between the local machine and "firewall"
such that "localhost:X" delivers to "destination:Y" via that firewall host.

Communications links...

  ssh -L X:destination:Y firewall

  "client prog"  -normal tcp->           "localhost:X"
  "localhost"    ====ssh encrypted====>  "firewall"
  "firewall"     -normal tcp->           "destination:Y"  (server program)

For an example of this see
  http://www.uk.research.att.com/vnc/sshvnc.html

Add a -C (+C in ssh2) to compress the link as well as encrypt it.
An extra -N option means no remote command or login shell is needed, just the
link, and -f backgrounds the command once authentication has completed.

Example: create a MongoDB link from your local machine to one running on
"remote_server"

  ssh -NfL 27017:localhost:27017 user@remote_server

Here the "localhost" in the forward spec is resolved on "remote_server", so
the forward reaches the MongoDB instance listening on that machine's loopback
interface.

NOTE: by default the "X" port is bound to the loopback interface.  This means
only client programs on the local machine can use it.  If you want client
programs on another machine on your network to use port "X" on the initial
machine, then also add the option "-o GatewayPorts=yes" or -g (and see the
warning below about the unencrypted hop between the client and port "X").
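As an added example (this is not code from the page, nor from Shep): a small
POSIX sh wrapper that runs each -L forward over its own ControlMaster socket,
so a forward can be checked, added to, and torn down individually instead of
"killall ssh".  It refuses a bind address of 0.0.0.0 unless you deliberately
use -g, since that exposes the unencrypted hop to the whole network.  The
"ssh -O forward" / "-O cancel" calls are the non-interactive equivalent of the
"~C" escape command line described further down this page.  It assumes
OpenSSH 6.0 or later and a host "firewall" you can ssh to; the host and port
numbers in the usage comment are illustrative.

```sh
#!/bin/sh
# Added example: manage ssh -L forwards through a ControlMaster socket.
# Assumes OpenSSH >= 6.0 (-O forward / -O cancel); "firewall" is illustrative.

SOCK="${SOCK:-$HOME/.ssh/fwd-%r@%h:%p}"   # control socket; ssh expands %r %h %p

# fwd_spec_ok [BIND:]PORT:HOST:HOSTPORT
# Returns 0 for a well formed spec bound to loopback (or one specific address),
# 2 if it would listen on every interface (bind 0.0.0.0 or *), 1 if malformed.
# IPv6 bind addresses (which themselves contain colons) are not handled.
fwd_spec_ok() {
    spec=$1
    rest=$spec; n=0                            # count colons: 2 or 3 expected
    while [ "$rest" != "${rest#*:}" ]; do
        rest=${rest#*:}; n=$((n + 1))
    done
    case $n in
        2) bind=""; port=${spec%%:*}; rest=${spec#*:} ;;
        3) bind=${spec%%:*}; rest=${spec#*:}; port=${rest%%:*}; rest=${rest#*:} ;;
        *) return 1 ;;
    esac
    host=${rest%%:*}; hostport=${rest#*:}
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    case "$hostport" in ''|*[!0-9]*) return 1 ;; esac
    [ -n "$host" ] || return 1
    case "$bind" in
        0.0.0.0|'*') return 2 ;;   # every interface: the client hop is cleartext
        *) return 0 ;;             # empty means loopback only
    esac
}

# fwd_up HOST SPEC... : start (or reuse) a master connection to HOST and
# request each forward on it.  ExitOnForwardFailure makes the initial ssh
# fail loudly if a local port is already taken instead of silently running.
fwd_up() {
    host=$1; shift
    for spec in "$@"; do
        rc=0; fwd_spec_ok "$spec" || rc=$?
        case $rc in
            1) echo "bad forward spec: $spec" >&2; return 1 ;;
            2) echo "refusing wide-open bind in: $spec (pass -g to ssh yourself)" >&2; return 1 ;;
        esac
    done
    if ! ssh -S "$SOCK" -O check "$host" 2>/dev/null; then
        ssh -M -S "$SOCK" -f -N -o ExitOnForwardFailure=yes "$host" || return 1
    fi
    for spec in "$@"; do
        ssh -S "$SOCK" -O forward -L "$spec" "$host" || return 1
    done
}

# fwd_cancel HOST SPEC : drop one forward, keeping the connection and the rest
fwd_cancel() { ssh -S "$SOCK" -O cancel -L "$2" "$1"; }

# fwd_status HOST : is the master connection still alive?
fwd_status() { ssh -S "$SOCK" -O check "$1"; }

# fwd_down HOST : close this master (and every forward on it), nothing else
fwd_down() { ssh -S "$SOCK" -O exit "$1"; }

# Usage (illustrative):
#   fwd_up firewall 27017:localhost:27017 4444:server:25565
#   fwd_cancel firewall 4444:server:25565
#   fwd_down firewall
```

Because the wrapper never calls "killall", an unrelated interactive ssh
session survives "fwd_down"; and because the socket path embeds the remote
user, host and port, two forwards to different hosts never share a master.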
Note: as long as "localhost" and "firewall" have SSH, then either the client
or the server application can be running on a Windows machine, not just UNIX
or Linux!

Also note that the links between the client and server applications and the
SSH link ports are NOT encrypted, so they should be kept local, or at least
on the same subnet.

The -R option is the same as -L except that the client / server positions are
switched.  EG: X is the port the remote machine's clients connect to, while
"destination:Y" is where the local machine delivers those connections.

Communications links...

  ssh -R X:destination:Y firewall

  "client prog"  -normal tcp->           "firewall:X"
  "firewall"     ====ssh encrypted====>  "localhost"
  "localhost"    -normal tcp->           "destination:Y"  (server program)

Another local forward (-L) example

  ssh -NfL 4444:server:25565 firewall

Now run your program connecting to localhost:4444 and it will connect to
server:25565 from the machine "firewall".

When finished, kill the ssh connection (DANGER, caution advised: this kills
EVERY ssh process you own, not just this forward)

  killall ssh

If the client connecting to the forwarded port is not on the local machine,
then you must add "0.0.0.0" as the bind address, so it binds to ALL network
interfaces (this is the explicit form of the -g / GatewayPorts option above).

  ssh -L 0.0.0.0:X:destination:Y firewall

---

NOTE: You can also set up such ports (if allowed) on an existing interactive
connection.  To do this you will need to use the ssh Escape Control Commands
(the escape character "~" is only recognised at the start of a line).

First make it a bit more verbose (each ~v raises the log level one step)
  ~v ~v ~v

Then jump into the command line mode, which gives a "ssh>" prompt
  ~C

You can get help at that prompt using
  -h

You can now issue the various port forwarding options...

  -L[bind_address:]port:host:hostport   # Request local forward
  -R[bind_address:]port:host:hostport   # Request remote forward
  -D[bind_address:]port                 # Request dynamic forward
  -KL[bind_address:]port                # Cancel local forward
  -KR[bind_address:]port                # Cancel remote forward
  -KD[bind_address:]port                # Cancel dynamic forward

------------------------------------------------------------------------------
Socks Proxy via a firewall host.
  ssh -NX -o BatchMode=yes -D 8080 firewall &

You can now point your web client and other network utilities to port 8080
on the local machine to SOCKS connect via your firewall host to anywhere.
For example...

  curl -v --socks5 localhost:8080 -m 30 -L http://www.aol.com.au/ | wc

Caveat: with --socks5 curl resolves the host name locally and only the TCP
connection goes through the proxy, so your DNS lookups still leave from the
local machine.  Use --socks5-hostname (or a socks5h:// proxy URL) to have the
firewall host do the name resolution as well.

Unfortunately you cannot set environment variables to define a default SOCKS
proxy server (see next).  You must tell each application what it is.  You can
use a library replacement technique (an LD_PRELOAD socks wrapper such as
tsocks or proxychains) to automatically do this though.

You can ssh through the SOCKS proxy using the ssh configuration...

  ProxyCommand /usr/bin/nc -X 5 -x localhost:8080 %h %p

The -X and -x options require the OpenBSD version of netcat (packaged as
"netcat-openbsd" on Debian/Ubuntu), not GNU netcat.

-------------------------------------------------------------------------------
Web Proxy via firewall and another open web proxy server (old method)

If you can find an open web proxy you have access to, say proxy_ip:3128,
you can do this...

  ssh -NX -o BatchMode=yes -L 4444:proxy_ip:3128 firewall
  curl --proxy localhost:4444 -m 30 http://www.aol.com.au/ | wc

You can now define environment variables like...

  # for lynx
  export HTTP_PROXY="http://localhost:4444/"
  export NO_PROXY=".list.of.local,.domains,.not.to.proxy"
  # for curl (which reads the lower-case names)
  export http_proxy="$HTTP_PROXY"
  export no_proxy="$NO_PROXY"

and test it with...

  curl -m 30 http://www.aol.com.au/ | wc

and/or set the proxy setting of your web browser, and browse/download.

This is harder to set up (you have to find an open proxy on the web) but has
the advantage that the only connection leaving the firewall is to that web
proxy.  This makes it much more difficult for the system administrators of
the firewall to figure out what sites you are looking at and downloading from.

-------------------------------------------------------------------------------
Web proxy via ssh (new method)

Problem.  The local machine is not allowed to connect to the world,
          but machine "firewall" can.  Also a web proxy is available at
          proxy:8080.

Solution.
Start a local port link that will connect to the web proxy via firewall.
Run the command...

  ssh -f -N -L 8080:proxy:8080 firewall

This will set up a local port 8080 which connects via ssh to "firewall".
This in turn sets up a multi-connection server that links to "proxy:8080"
from "firewall".  Now point your browser to use "localhost:8080" as its proxy
and it will download web pages via "firewall" from "proxy:8080".

  browser ----> localhost:8080 ===ssh===> firewall ----> proxy:8080

To kill the proxy, kill the ssh command.

SSH Link Notes...
  * The "-f" option ensures that the ssh backgrounds itself (after
    authentication, so it can still prompt for a password or passphrase)
  * The -N means no remote command or shell is run on "firewall"; only the
    port forward is set up
  * Only one ssh connection is made between the two machines "localhost" and
    "firewall"; it carries, multiplexed, all the links between the apps and
    "localhost:8080", and between "firewall" and "proxy:8080".

Netscape Browser Notes...
  * After setting the preferences, as soon as a new page is requested
    Netscape will connect 4 to 8 times to the "localhost:8080" proxy.
  * Netscape holds these connections open
  * Netscape only releases the connections when killed OR preferences changed
    AND a new page is about to be loaded

-------------------------------------------------------------------------------
SSH ad hoc VPN

Requires root access on both ends (to create the tun devices and add routes),
and the server's sshd_config must have "PermitTunnel yes", which is off by
default.

See also "sshuttle", an SSH VPN command to make this much easier
  https://antofthy.gitlab.io/info/apps/sshuttle.txt

---
The following uses 'tun' devices...

Take this example with two networks.  One network has the address range
10.0.50.1 through 10.0.50.254.  The other has the address range 172.16.99.1
through 172.16.99.254.  Each has a machine, 10.0.50.1 and 172.16.99.1
respectively, that will function as a gateway.  Local machine numbering
starts with 3 because 2 will be used for the tunnel interfaces on each LAN.
    10.0.50.1----+                                   +----172.16.99.1   (gateways)
    10.0.50.2    |=============== ssh ===============|    172.16.99.2   (tun interfaces)
                 |                                   |
    10.0.50.3----+                                   +----172.16.99.3
    10.0.50.4----+                                   +----172.16.99.4
    10.0.50.5----+                                   +----172.16.99.5
    10.0.50.etc--+                                   +----172.16.99.etc
    10.0.50.254--+                                   +----172.16.99.254

First a tun device is created on each machine, a virtual network device for
point-to-point IP tunnelling.  Then the tun interfaces on these two gateways
are connected by an SSH tunnel.  Each tun interface is assigned an IP
address.  The tunnel connects machines 10.0.50.1 and 172.16.99.1 to each
other, and each is already connected to its own local area network (LAN).

Here is a VPN with the client as 10.0.50.0/24, remote as 172.16.99.0/24.
(Note: the commands below give the tun endpoints their own /30, 10.1.1.1 and
10.1.1.2, rather than the .2 addresses shown in the diagram; either works as
long as both ends agree.)  The server's public address is taken to be
192.0.2.15.  The ifconfig/route syntax is BSD style; on Linux use ip(8).

First, set up the client side:

  On client
    $ ssh -f -w 0:1 192.0.2.15 true
    $ ifconfig tun0 10.1.1.1 10.1.1.2 netmask 255.255.255.252
    $ route add 172.16.99.0/24 10.1.1.2

  On server
    $ ifconfig tun1 10.1.1.2 10.1.1.1 netmask 255.255.255.252
    $ route add 10.0.50.0/24 10.1.1.1

The "-w 0:1" asks for tun0 locally and tun1 on the server; "true" is run as
the remote command so the connection is established without a shell, and -f
backgrounds it once the tunnel channel is open.  For the other hosts on each
LAN to use the tunnel they need a route to the far LAN via their gateway (or
the gateway must be their default router), and IP forwarding must be enabled
on both gateways.

  https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Proxies_and_Jump_Hosts#Passing_through_a_gateway_with_an_ad_hoc_VPN
-------------------------------------------------------------------------------
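As an added example (not code from this page, nor from the Wikibooks recipe
it cites): the same tun-based ad hoc VPN brought up from a Linux client
gateway with ip(8), with the checks the bare recipe leaves out (root, a sane
/30 endpoint pair, IP forwarding, and a failure path that tears the tunnel
down again).  It assumes root on both gateways, root ssh login to the server,
"PermitTunnel yes" in the server's sshd_config, and an OpenSSH with control
sockets; the host name "vpn-server", the control socket path and all
addresses are illustrative and match the ones in the text above.

```sh
#!/bin/sh
# Added example: Linux version of the page's tun VPN, using ip(8) and a control
# socket.  Must run as root; server needs "PermitTunnel yes".  Illustrative
# host "vpn-server" and addresses.

LOCAL_TUN=0                  # tun0 on the client gateway   (ssh -w 0:1)
REMOTE_TUN=1                 # tun1 on the server gateway
LOCAL_TUN_IP=10.1.1.1        # point-to-point endpoints: one /30
REMOTE_TUN_IP=10.1.1.2
LOCAL_LAN=10.0.50.0/24       # LAN behind the client gateway
REMOTE_LAN=172.16.99.0/24    # LAN behind the server gateway
VPN_SOCK="${VPN_SOCK:-/run/ssh-vpn.ctl}"   # control socket for clean teardown

# p2p_pair_ok A B : the two endpoints must be the two usable addresses of one
# IPv4 /30 (.1/.2, .5/.6, ...); anything else and the peer route never works.
p2p_pair_ok() {
    a=$1; b=$2
    [ "${a%.*}" = "${b%.*}" ] || return 1        # same first three octets
    a_last=${a##*.}; b_last=${b##*.}
    case "$a_last$b_last" in ''|*[!0-9]*) return 1 ;; esac
    [ $((a_last % 4)) -ne 0 ] && [ $((a_last % 4)) -ne 3 ] || return 1
    [ $((b_last % 4)) -ne 0 ] && [ $((b_last % 4)) -ne 3 ] || return 1
    [ $((a_last / 4)) -eq $((b_last / 4)) ] && [ "$a_last" -ne "$b_last" ]
}

# side_cmds client|server : print the ip(8) commands for that gateway, so they
# can be reviewed first and then piped to "sh -e", locally or over ssh.
side_cmds() {
    case $1 in
        client) tun=$LOCAL_TUN;  me=$LOCAL_TUN_IP;  peer=$REMOTE_TUN_IP; far=$REMOTE_LAN ;;
        server) tun=$REMOTE_TUN; me=$REMOTE_TUN_IP; peer=$LOCAL_TUN_IP;  far=$LOCAL_LAN ;;
        *) return 1 ;;
    esac
    p2p_pair_ok "$me" "$peer" || { echo "tunnel endpoints are not a /30 pair" >&2; return 1; }
    printf 'ip addr add %s peer %s dev tun%s\n' "$me" "$peer" "$tun"
    printf 'ip link set tun%s up\n' "$tun"
    printf 'ip route add %s via %s dev tun%s\n' "$far" "$peer" "$tun"
    printf 'sysctl -w net.ipv4.ip_forward=1\n'   # gateways must forward LAN <-> tun
}

# vpn_up SERVER : open the tunnel, then configure both ends from here.
# -N replaces the page's "true" (no remote shell); ExitOnForwardFailure makes
# ssh exit instead of running tunnel-less when the server refuses the tun.
vpn_up() {
    server=$1
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    ssh -M -S "$VPN_SOCK" -f -N -w "$LOCAL_TUN:$REMOTE_TUN" \
        -o ExitOnForwardFailure=yes "root@$server" || return 1
    side_cmds client | sh -e                 || { vpn_down "$server"; return 1; }
    side_cmds server | ssh "root@$server" sh -e || { vpn_down "$server"; return 1; }
}

# vpn_down SERVER : remove the routes and close the ssh carrying the tunnel;
# the kernel drops both (non-persistent) tun devices when that ssh exits.
vpn_down() {
    server=$1
    printf 'ip route del %s\n' "$LOCAL_LAN" | ssh "root@$server" sh 2>/dev/null
    ip route del "$REMOTE_LAN" 2>/dev/null
    ssh -S "$VPN_SOCK" -O exit "root@$server"
}

# Usage on the client gateway (illustrative):
#   vpn_up vpn-server      ...      vpn_down vpn-server
```

Running "side_cmds server" on its own shows exactly what will be executed on
the far gateway before anything is changed, which is the review step worth
having when the two ends are administered by different people.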