Tunnel Through SSH to Access Samba Shares
At home I have a local server set up with some Samba shares. Evidently these are not exposed to the internet. I do however find myself on the move and wanting to access those shares. While I cannot get to them directly, I do have a Raspberry Pi on that network to which I can SSH from outside. To get to the Samba shares, I can tunnel traffic through that SSH connection. As with a lot of these things, it is hard to find out about it, but once you know it is simple enough to understand (or at least understand enough to get it working).
So to summarise, I have:
- My laptop, somewhere on the move. The device I am sitting behind.
- A network at home with
  - a server I can SSH into (my Raspberry Pi), and
  - another server that serves Samba shares locally, just for that home network. I want to access some of these Samba shares.
Getting there takes just a few steps. First, we make the laptop listen for requests on another IP address. Specifically, we will add another IP address to the loopback interface. This first step is optional if you are on Linux, which already listens to everything in the 127.x.x.x range.
ifconfig lo0 alias 127.0.0.2 255.255.255.0
Running this command (you will likely need root) will make it so that a request sent to 127.0.0.2 is handled by the computer you ran it on. In my case, I run this on my laptop.
Next up, we will link port 139 on the address 127.0.0.2 to port 139 on the Samba server. We link port 139 as this is used for Samba connections. This link will happen through the server we can SSH into. We use the -L flag of the SSH command, which expects a format of localipaddress:localport:remoteipaddress:remoteport to link the local stuff to the remote stuff. Suppose my Samba server is running on IP 192.168.1.50 of my home network. I run the following command on my laptop.
ssh my-ssh-server -L 127.0.0.2:139:192.168.1.50:139 -N -T
Note that the local IP gets interpreted by the laptop, so I write down 127.0.0.2. The remote one is resolved by the SSH server I connect to, so I can just write down 192.168.1.50.
-N is to make the connection not bidirectional; it is safer. The -T will make it so you are not dropped into a shell of the SSH server. This way you do not forget you are using this connection as a tunnel. There is a chance you have to run this as root. If you do and you need your regular user’s SSH configuration, you can pass it along with the -F /path/to/ssh/config flag.
With this setup, if I am on my laptop and send a request to port 139 on IP address 127.0.0.2, my laptop will receive the request. My laptop will then pass the request on, through the connection it has to my SSH server, to the Samba server at the other end. In other words, I can now use my regular Samba client to connect to 127.0.0.2 and see the Samba shares.
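The explicit 127.0.0.2 in the -L argument is what keeps the forwarded Samba port reachable only from the laptop itself; an empty or wildcard bind address would make ssh listen on every interface of whatever network the laptop has joined. The following is an added example, not part of the original post, that checks a forward spec before building the tunnel command. The function names are hypothetical, and `-o ExitOnForwardFailure=yes` is an OpenSSH option the post does not use.

```sh
#!/bin/sh
# Added example (not from the original post): refuse ssh -L specs whose
# listening side is not loopback, then build the tunnel command.
# Assumption: only IPv4 dotted-quad bind addresses are handled.

is_loopback_v4() {      # 0 if $1 is a valid address inside 127.0.0.0/8
    case "$1" in 127.*) ;; *) return 1 ;; esac
    set -f; old_ifs=$IFS; IFS=.
    set -- $1           # split the address into its octets
    IFS=$old_ifs; set +f
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|????*|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

is_port() {             # 0 if $1 is an integer in 1..65535
    case "$1" in ''|??????*|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# check_forward BIND:LPORT:HOST:RPORT -> 0 only for a loopback-bound forward
check_forward() {
    set -f; old_ifs=$IFS; IFS=:
    set -- $1           # split the spec into its four fields
    IFS=$old_ifs; set +f
    [ $# -eq 4 ] || return 1    # a spec without a bind address is rejected too
    is_loopback_v4 "$1" && is_port "$2" && [ -n "$3" ] && is_port "$4"
}

# tunnel_cmd SPEC SSH_HOST -> prints the ssh command, or fails with no output
tunnel_cmd() {
    check_forward "$1" || { echo "refusing non-loopback forward: $1" >&2; return 1; }
    # -N and -T as in the post; ExitOnForwardFailure makes ssh exit if it cannot bind
    printf 'ssh -N -T -o ExitOnForwardFailure=yes -L %s %s\n' "$1" "$2"
}

# Constructed sample specs: the post's forward, then two that expose port 139
for spec in 127.0.0.2:139:192.168.1.50:139 \
            0.0.0.0:139:192.168.1.50:139 '*:139:192.168.1.50:139'; do
    tunnel_cmd "$spec" my-ssh-server || true
done
```

Only the first spec yields a command; the other two are refused on stderr.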
To finally make it a little bit cleaner, you can add a hostname in /etc/hosts. In the running example this would become
Now I just need to tell my Samba client to connect to