SSH Proxy Local Port Chaining to connect to an Isolated Server

Saturday, 25 Apr 2020

There you are with Internet access to an AWS EC2 instance, Azure Virtual Machine or VPS (Virtual Private Server) as we called them in the good old days, but beyond that - on a Private LAN of some sort (could be an AWS VPC, Azure VNET or Physical LAN) - there is another Server, which only has a Private IP Address. This pesky Server is the one you'd like to reach with SQL Developer from your own PC. Hmm...

Diagram time

Here's a more descriptive Network Diagram, showing more specifics around the issue, namely:

  • Your PC/Mac/Laptop
    • Private IP doesn't matter
    • Public IP is
  • Internet-accessible VM
    • Public IP is
    • This is allowed through an Internal Firewall to SSH to (sourced from its LAN Private IP of
    • This is not allowed to connect on SQL Database (TCP/3306) to your Database Server
  • Database VM
    • No Public IP (not directly accessible from the Internet)
    • Private IP is
    • Has SSH Daemon/Server and SQL Server installed on it

SSH Proxy Local Port Chaining Topology

The ultimate goal is to enable SQL Developer on your PC to somehow speak to SQL Server (TCP/3306) on

SSH Tunnels - Local Port Proxy

This is where a handy feature of SSH comes in: its ability to tunnel.

Dynamic Port Tunneling (SOCKS Proxy)

You may have used this before with Dynamic Port Tunneling, where you do something like this:

ssh -D 1080 user@

Then configure as a SOCKS4 or SOCKS5 Proxy in your Firefox Browser like this:

Firefox SSH SOCKS Proxy Options Screen

And then you can browse some http://internalserver in your Firefox Browser as if you were the Internet-connected VM, which is how upstream Servers/Systems will see you. That won't help you here, mind.

Local Port Tunneling

Instead, we're going to use Local Port tunneling, which looks a bit like this:

ssh user@ -L 999:

It's worth breaking down what this does, with some notes:

  • 999
    • This is the port that will be listening on your PC (i.e. or localhost, from your perspective)
    • Any traffic sent to this port is chucked through the Tunnel, for the other side (SSH Server on to deal with
    • This is where you want the other side ( to send your Tunneled traffic to (Destination IP Address)
    • Note in this case, it is itself; the here refers to going to itself, not your PC
    • Think of stuff after the first -L colon as "remote-side stuff"
  • 3306
    • This is where you want the other side ( to send your Tunneled traffic to (Destination TCP Port)
    • This is the TCP-using process on the other side (in our case it'll be another SSH listener, not the SQL Server as you might think)

In our case, this wouldn't do much - as there is no Database Server (TCP/3306) running on our first Jump Box ( - so the next bit is where the chaining comes in.

Local Port Chaining

Leaving this SSH session (above) open, we open a fresh Terminal/Command Prompt/SSH session from our PC to, with no Tunnels requested (bog standard SSH):

ssh user@

Using this, we now tell to SSH to our target Database (, but this time we want the traffic to pop out at the actual Database Port (3306):

ssh user@ -L 3306:

Finally, we can now connect to on the PC, and it will traverse the two SSH Tunnels and pop out as being - even though that destination doesn't have Internet access.

Note in the above that the choice of 3306 as the -L listening port on the PC is arbitrary; it could have been 998, but then the SSH command run against would have had to read -L 998 instead of -L 3306. All you are doing here is setting up listeners, and matching that number up between the two SSH Commands.
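To make the two-hop chain above concrete (and catch the mismatch the note warns about before you type anything), here is an added example script; it is not part of the original post. The hosts, users and ports are assumed placeholders (203.0.113.10 for the Internet-facing VM, 10.0.0.20 for the Database VM, "user" for both logins), overridable from the environment. Two defensive choices are made explicit: each listener is bound to 127.0.0.1 so nothing else on that machine's LAN can ride the tunnel, and hop 1 points at the jump box's own loopback, which is where hop 2's listener actually sits. The -N flag opens the tunnel without a remote shell.

```sh
#!/bin/sh
# Added example (not from the original post). Builds and sanity-checks the two
# SSH commands for the local-port chain. Every host, user and port is an assumed
# placeholder; override them via the environment.
JUMP_HOST="${JUMP_HOST:-203.0.113.10}"   # assumed: public IP of the Internet-facing VM
JUMP_USER="${JUMP_USER:-user}"
DB_HOST="${DB_HOST:-10.0.0.20}"          # assumed: private IP of the Database VM
DB_USER="${DB_USER:-user}"

# valid_port N: succeeds if N is an integer in 1..65535
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# forward_spec LISTEN DEST_HOST DEST_PORT: prints a -L argument. The listener is
# explicitly bound to 127.0.0.1 so only that machine can use it.
forward_spec() {
  valid_port "$1" && valid_port "$3" || { echo "bad port in $1/$3" >&2; return 1; }
  printf '127.0.0.1:%s:%s:%s\n' "$1" "$2" "$3"
}

# hop1_command PC_PORT JUMP_PORT: typed on the PC. The destination is the jump
# box's own loopback, where hop 2's listener lives. -N: tunnel only, no shell.
hop1_command() {
  spec=$(forward_spec "$1" 127.0.0.1 "$2") || return 1
  printf 'ssh -N -L %s %s@%s\n' "$spec" "$JUMP_USER" "$JUMP_HOST"
}

# hop2_command JUMP_PORT DB_PORT: typed on the jump box inside a plain ssh session.
hop2_command() {
  spec=$(forward_spec "$1" "$DB_HOST" "$2") || return 1
  printf 'ssh -N -L %s %s@%s\n' "$spec" "$DB_USER" "$DB_HOST"
}

# spec_of CMD: pulls the -L argument out of an ssh command line
spec_of() { printf '%s\n' "$1" | sed -n 's/.*-L \([^ ]*\).*/\1/p'; }

# chain_check HOP1_CMD HOP2_CMD: hop 1's destination port must equal hop 2's
# listening port, otherwise PC traffic lands on a closed port on the jump box.
chain_check() {
  dest=$(spec_of "$1" | cut -d: -f4)
  listen=$(spec_of "$2" | cut -d: -f2)
  [ -n "$dest" ] && [ "$dest" = "$listen" ]
}

# listener_up PORT: confirms a loopback listener exists (ss is present on most Linux hosts)
listener_up() {
  command -v ss >/dev/null 2>&1 || return 2
  ss -ltn 2>/dev/null | grep -q "127\.0\.0\.1:$1 "
}

# Only open the real tunnel when asked, e.g.: RUN_TUNNELS=1 PC_PORT=3306 sh chain.sh
if [ "${RUN_TUNNELS:-0}" = 1 ]; then
  pc_port="${PC_PORT:-3306}"; jump_port="${JUMP_PORT:-3306}"; db_port="${DB_PORT:-3306}"
  pc=$(hop1_command "$pc_port" "$jump_port") || exit 1
  jb=$(hop2_command "$jump_port" "$db_port") || exit 1
  chain_check "$pc" "$jb" || { echo "port mismatch between hops" >&2; exit 1; }
  spec=$(forward_spec "$pc_port" 127.0.0.1 "$jump_port") || exit 1
  ssh -f -N -L "$spec" "$JUMP_USER@$JUMP_HOST" && listener_up "$pc_port" \
    && echo "PC listener up on 127.0.0.1:$pc_port; now run on the jump box: $jb"
fi
```

Without RUN_TUNNELS=1 the script only assembles and checks the commands, so you can review them first; `hop1_command 999 3306` reproduces the post's first form, and `chain_check` fails loudly if you pick 998 on one side and 3306 on the other.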

What it achieves

SSH Proxy Local Port Chaining Resulting Topology

Which gets you out of a hole, and able to access a "Bastion" Server on a Private LAN or VNET somewhere, as long as you've got SSH access throughout the chain.

Have fun tinkering!

Airgapped iDRAC access using ISOs in Virtual Media

Monday, 20 Apr 2020

Ever had an airgapped Baremetal Server (Cisco, Dell, HP, IBM or Whitebox), where your only access to it is via the BMC (iDRAC/iLO/IMM/CIMC/OOB/"Mgmt") Interface for "security reasons" - only to find you suddenly need to extract configuration files from it, or install an Application to it? So have I:

The problem

You need to update a configuration file, exfiltrate some data or install an Application or Binary onto an airgapped Baremetal Server (e.g. an AAA or RADIUS Authentication Box).

The tools

  • IsoCreator (or equivalent skills using "dd" or built-in tools to create an ISO)
  • Java (assuming your Baremetal's BMC doesn't have an HTML5 Native Console)
  • Access to your iDRAC LAN (OOB LAN or iLO LAN)

The solution

Assuming you've appropriately licensed your iLO or iDRAC for the Virtual Media Service (you did know that not all iDRAC Licenses actually let you use a Virtual Console, right?), and let's say you need to install PuTTY onto your airgapped Baremetal Server:

Yes, I too have had the "joy" of working on an IBM xSeries that had an IMM License that only allowed remote Power Operations, but no KVM Console, Virtual Media or anything else. Ta for that, Big Blue; hope that Red Hat acquisition goes real nice for you, you bag of di...

  1. Create an ISO container of your PuTTY exe's using IsoCreator or dd
    1. genisoimage -o putty.iso -V PuTTY -R -J /home/User/Downloads/putty
  2. Connect to your Baremetal Server using iDRAC KVM Console
    1. Dell iDRAC Virtual Console KVM Setup Screen
  3. Connect "Virtual Media"
    1. Dell iDRAC Virtual Console KVM Virtual Disk Screen
  4. Select your putty.iso and "Map Device" in the iDRAC
    1. Dell iDRAC Virtual Console KVM Virtual Media Connect Screen
  5. Your putty.exe (or whatever you put in putty.iso) is now available as the D:\ Drive (on a Windows OS) or under /mnt/cdrom (on a Linux OS), or similar, on your Baremetal OS
  6. Enjoy!
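Step 1 is the only part that happens on your side of the air gap, so it is also the only place to pin down exactly what crosses it. The script below is an added example, not from the original post: it stages the payload, writes a SHA-256 manifest (SHA256SUMS) alongside it, runs the same genisoimage command as the post, and includes a verify function to run on the Baremetal side after the ISO is mapped, so a file that was altered or truncated on the way in gets noticed. The staging directory, the placeholder payload and the volume label are assumptions; the manifest step is an addition the post does not describe.

```sh
#!/bin/sh
# Added example (not from the original post). Stage files, write a SHA-256
# manifest, then build the ISO exactly as the post does with genisoimage.
VOL_LABEL="${VOL_LABEL:-PuTTY}"          # assumed volume label

# sha256_of FILE: prints the hex digest using whichever tool the host has
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1" | cut -d' ' -f1
  else return 2; fi
}

# make_manifest DIR: writes DIR/SHA256SUMS (one "digest  name" line per regular
# file, the manifest itself excluded) and prints how many files it covers.
make_manifest() {
  dir=$1; out="$dir/SHA256SUMS"; : > "$out"; n=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    [ "$f" = "$out" ] && continue
    printf '%s  %s\n' "$(sha256_of "$f")" "$(basename "$f")" >> "$out"
    n=$((n + 1))
  done
  echo "$n"
}

# verify_manifest DIR: run on the air-gapped side against the mounted ISO.
# Succeeds only if every listed file is present and its digest matches.
verify_manifest() {
  dir=$1
  while read -r sum name; do
    [ -f "$dir/$name" ] || return 1
    [ "$(sha256_of "$dir/$name")" = "$sum" ] || return 1
  done < "$dir/SHA256SUMS"
}

# build_iso DIR OUT LABEL: the post's invocation (-R Rock Ridge, -J Joliet, so
# names survive on both Linux and Windows). Returns 2 if the tool is absent.
build_iso() {
  command -v genisoimage >/dev/null 2>&1 || { echo "genisoimage not installed" >&2; return 2; }
  genisoimage -o "$2" -V "$3" -R -J "$1" >/dev/null 2>&1
}

# Stand-alone run: a constructed stand-in payload (replace with the real putty dir).
stage=$(mktemp -d)
printf 'placeholder, not a real binary\n' > "$stage/putty.exe"   # constructed stand-in
echo "manifest covers $(make_manifest "$stage") file(s) in $stage"
verify_manifest "$stage" && echo "manifest verifies on the staging side"
build_iso "$stage" "${stage}.iso" "$VOL_LABEL" && echo "ISO written to ${stage}.iso"
```

On the Baremetal OS, `verify_manifest /mnt/cdrom` (or the D:\ equivalent, once the ISO is mapped) returns non-zero if anything listed is missing or differs, which is cheap insurance for a box whose only door is the BMC.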

If you need to exfiltrate data out of the Server, simply use the same process ("embed the Application you want in your ISO, as a Network Transfer tool") in reverse, but using the "Map Removable Disk" feature, and ensure the "Read Only" option is unticked so that iDRAC Virtual Media becomes a writable location:

Dell iDRAC Virtual Console Map Removable Disk Screen

I hope that gets you out of the same holes it's got me out of.