ssh-ing to hosts behind a firewall
Posted by BinkReddit@reddit | linux | 10 comments
With all the new Linux users coming from Windows, myself included, I've used a UNIX-like system as my firewall at home for a while now and always SSHed into it and then SSHed into another system behind it.
Today, for the first time ever, I used this firewall as a jump host; used -J to get to my other Linux system and I can't believe how easy it was, how well it worked, and why I haven't tried this in so long.
Linux and open source is so awesome; damn it feels good to be a gangsta.
TL;DR: Use -J to ssh directly to your other Linux machines behind a firewall.
Cheers.
iamemhn@reddit
Wait until you read the man page and learn you can create an SSH config file to type `ssh there` that will do the `-J` for you...
KlePu@reddit
From `man ssh`:
lathiat@reddit
Also great combined with an ~/.ssh/config stanza like
Host 10...* JumpHost xxx
You can also do wildcard hostnames.
oxez@reddit
I didn't know about -J! I usually used:
ssh <host1> -t ssh <host2>
which I guess now looks kind of dumb knowing that -J exists. Thanks!
lathiat@reddit
It’s new-ish.
michaelpaoli@reddit
Oh yeah. I've not uncommonly done ssh "jump box" / "proxy" type connections quite a number of layers deep. Can also do port forwarding over ssh ... and sometimes hopping that through many layers.
And though -J can be quite handy, it only works with a relatively high degree of uniformity. For not-so-uniform connections, the ProxyCommand option can well be used to make quite the series of hops, notably with varying, e.g. login names, keys, ports, etc. Even my simple home ~/.ssh/config has entries that do various ssh proxy hops and layers of such. My work stuff commonly gets way the heck more complicated, not uncommonly covering four or more hops to get to some locations.
BinkReddit@reddit (OP)
Oh wow. How noticeable is the latency with something like this?
michaelpaoli@reddit
Typically it's matter of the network connections. Only very rarely are any of the hosts loaded up so much as to significantly contribute to the latency.
Yeah, plenty fast and responsive enough for, e.g. vi, xclock -update 1, etc., but I probably wouldn't try to stream high def video over it.
daemonpenguin@reddit
For people who might be wondering what "-J" is and how it relates to a firewall, the -J flag is a parameter to the ssh command.
If you usually ssh into an open host and then use that host to connect to another, you can do this in one step using "ssh -J first-host second-host". It just saves typing the ssh command on the in-between computer.
This doesn't have anything to do with firewalls, in the OP's example the in-between machine just also happens to be acting as a firewall host.
illumin8ie@reddit
Correct me if I'm wrong, but the '-J' option has the benefit of not storing nor relaying private keys, nor sending key unlock passwords, to the intermediate host, right? SSH has the ability to forward ports, and basically act as a proxy, which this method is probably using.
I wonder how Tailscale stacks up in this situation for connecting any ports of any machine across an e2ee VPN? I started using it recently, and I like it, even if the VPN connection of my Android phone has to sometimes be restarted via the app when changing networks. Turning off "Private DNS" on my phone may have allowed DNS to work over their network.
It seems like Tailscale uses a local connection when both machines are on the same LAN, if the NAT router doesn't block peers connecting with each other, which I think is pretty cool.
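An added example (not from any commenter in the thread) of the ~/.ssh/config approach michaelpaoli and lathiat describe, chaining hops with different users, ports and keys via ProxyJump, with the ProxyCommand form beside it; it also answers illumin8ie's question about where the private key goes. All host names, addresses, users, ports and key paths are constructed placeholders.

```sshconfig
# Hop 1: the home firewall, the only box reachable from the internet.
Host fw
    HostName fw.example.net
    Port 2222
    User admin
    IdentityFile ~/.ssh/id_ed25519_fw
    IdentitiesOnly yes

# Hop 2: a machine on the LAN behind the firewall. ProxyJump makes the
# local client open a plain TCP relay through "fw" and then run the full
# SSH handshake end to end with "lan1". The firewall only forwards
# ciphertext: it never receives the key, passphrase or agent used for
# "lan1" (unlike "ssh fw -t ssh lan1", which runs a second ssh client ON
# the firewall and therefore needs credentials for lan1 to exist there).
Host lan1
    HostName 192.168.1.20
    User bink
    IdentityFile ~/.ssh/id_ed25519_lan
    IdentitiesOnly yes
    ProxyJump fw

# Hop 3: a lab box behind lan1. Jumping via "lan1" is enough, because
# lan1's own stanza already routes it through fw; the resolved chain is
# the same as "ssh -J fw,lan1 lab" typed by hand.
Host lab
    HostName 10.0.5.7
    Port 22022
    User ops
    IdentityFile ~/.ssh/id_ed25519_lab
    IdentitiesOnly yes
    ProxyJump lan1

# The same third hop with ProxyCommand, for cases ProxyJump cannot
# express. "ssh -W host:port" is exactly the stdio relay ProxyJump sets
# up for you; %h and %p expand to the target's HostName and Port.
Host lab-pc
    HostName 10.0.5.7
    Port 22022
    User ops
    IdentityFile ~/.ssh/id_ed25519_lab
    ProxyCommand ssh -W %h:%p lan1

# Wildcard, as lathiat mentions: every 10.0.5.x address goes via lan1.
Host 10.0.5.*
    User ops
    ProxyJump lan1
```

Before connecting, `ssh -G lab` prints the fully resolved options (user, port, identity file, ProxyJump) so you can confirm which hops a name will actually take.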