
I saw here a way to do two ssh hops:

ssh -L 9998:host2:22 -N host1
ssh -L 9999:localhost:1234 -N -p 9998 localhost

I think I understand what one line does, but not how they work together. Can you keep on doing this to have tunnels within tunnels for many hops? Would it be like this?

ssh -L 9997:host3:22 -N host2
ssh -L 9998:host2:22 -N host1
ssh -L 9999:localhost:1234 -N -p 9998 localhost

Josh

1 Answer


It depends on what you are trying to forward via SSH. AKA what you are trying to do.

The -L lport:host:hport syntax makes it so that if you connect to lport on your starting host you will connect to hport on host.

So say you are on hostA, and you want to get to the http (port 80) on hostD, which isn't reachable except by hostC, which is only reachable by hostB, which is reachable by your starting hostA.

You can run (from hostA):

ssh -L 8080:localhost:8081 hostB

then on that hostB login run:

ssh -L 8081:localhost:8082 hostC

then on that hostC login run:

ssh -L 8082:localhost:80 hostD

You can then (on hostA) access localhost:8080 and connect to hostD's port 80.

Note: you can use the same 8080 on all as you are only using that port once per machine. I just upped the port numbers each connection to better show the correlations between the ports.

The other thing to keep in mind is that the host (between the two :'s) is in the context of the machine you are ssh'ing into. So if hostC had direct access to hostD's port 80, you could have instead done the following:

You can run (from hostA):

ssh -L 8080:localhost:8081 hostB

then on that hostB login run:

ssh -L 8081:hostD:80 hostC

Steve
  • Did you mean "if hostB had direct access to hostD's port 80?" Because I thought we already said hostD isn't reachable except by hostC. – Josh Sep 17 '13 at 12:41
  • Ah, I figured it out. We can't access port 80 on hostD. So with this method does the content stay encrypted on each hop point? Or does hostB decrypt it and re-encrypt? Ideally it would stay encrypted and hostB and hostC would just serve as forwarders that could repeat or encrypt with an additional layer. – Josh Sep 17 '13 at 21:26
  • @Steve can we do similarly with the ssh_config file ProxyCommand? – Andrew Wolfe Dec 03 '15 at 16:42
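As an added example (editor's, not code from Steve's answer): a POSIX sh script that generates the per-hop ssh -L commands for any number of jump hosts, using the answer's port-incrementing scheme and its direct-reach shortcut, with port-range checks. The hosts hostB, hostC, hostD and the port numbers are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original answer: print the chain of "ssh -L"
# commands for an arbitrary list of jump hosts, following the scheme above
# (each hop binds the port the previous hop forwarded to). Host names and
# ports are constructed placeholders.

# valid_port N: succeed if N is a TCP port number in 1..65535
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# forward_chain LPORT DPORT HOST1 ... HOSTN
# Command k is run on the host reached by command k-1 (the first on the
# starting host). "localhost" in -L means the host being ssh'd into, so
# hop k binds exactly the port hop k-1 forwarded to. The last hop forwards
# to DPORT on HOSTN itself.
forward_chain() {
    lport=$1 dport=$2; shift 2
    valid_port "$lport" && valid_port "$dport" || { echo "bad port" >&2; return 1; }
    [ $# -ge 1 ] || { echo "need at least one host" >&2; return 1; }
    while [ $# -gt 0 ]; do
        host=$1; shift
        if [ $# -eq 0 ]; then next=$dport; else next=$((lport + 1)); fi
        valid_port "$next" || { echo "port range exhausted" >&2; return 1; }
        printf 'ssh -L %s:localhost:%s %s\n' "$lport" "$next" "$host"
        lport=$next
    done
}

# forward_chain_direct LPORT DPORT HOST1 ... HOSTN
# Same, but assumes HOST(N-1) can reach HOSTN directly, so the last ssh
# names HOSTN in its -L target instead of logging into it (the answer's
# second variant). Needs at least two hosts.
forward_chain_direct() {
    lport=$1 dport=$2; shift 2
    valid_port "$lport" && valid_port "$dport" || { echo "bad port" >&2; return 1; }
    [ $# -ge 2 ] || { echo "need at least two hosts" >&2; return 1; }
    while [ $# -gt 1 ]; do
        host=$1; shift
        if [ $# -eq 1 ]; then
            printf 'ssh -L %s:%s:%s %s\n' "$lport" "$1" "$dport" "$host"
            return 0
        fi
        next=$((lport + 1))
        valid_port "$next" || { echo "port range exhausted" >&2; return 1; }
        printf 'ssh -L %s:localhost:%s %s\n' "$lport" "$next" "$host"
        lport=$next
    done
}

forward_chain 8080 80 hostB hostC hostD          # the answer's first chain
forward_chain_direct 8080 80 hostB hostC hostD   # the answer's shortcut
```

Each printed command still has to be typed on the host the previous one logged you into; the script only derives the commands, it does not open the sessions.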