How Is Port Forwarding Working on AWS without Security Group Rules?

Time:11-16

I am running an AWS EC2 instance with Ubuntu 22.04. I am also running a Jupyter server for Python development there and connecting to it from my local Ubuntu laptop with SSH tunneling.

#!/usr/bin/env bash
# encoding:utf-8
SERVER=98.209.63.973 # My EC2 instance
# Tunnel the jupyter service: -N opens no remote shell, -L forwards a local port over the SSH connection
nohup ssh -N -L localhost:8081:localhost:8888 "$SERVER" & # 8081: local port, 8888: remote port

However, I never opened port 8888 of the EC2 instance with a security group rule. How come the port forwarding is working in that case? Shouldn't it be blocked?

CodePudding user response:

You've just discovered one of the non-obvious things about security groups: they apply to a network interface, not an instance. This always surprises people who are used to implementing a firewall with iptables.

An EC2 instance has one or more elastic network interfaces that allow it to communicate in the VPC. Each EC2 instance must have one primary network interface and up to 4 (iirc) secondary interfaces. Each network interface has at least one permanently-assigned private IP.

When you launch an instance via the API, you specify the network interface configurations and those interfaces are created before the instance launches (you can also attach an existing network interface to the new instance). I believe that you can also attach secondary interfaces via the Console, but typically you just specify security groups and subnet, and that's applied to the primary interface.

The important thing to remember is that the network interface is separate from the actual virtual machine. When you stop an instance, for example, the network interface is detached from the physical VM; when you start that instance again, the network interface is attached to the new VM. Normally the instance's network interfaces are destroyed when you terminate the VM, but that isn't necessary.

Now to answer your actual question: when you established your SSH tunnel, you told it to route traffic to localhost. So that traffic stays within the network stack of the VM; it does not cross the network interface. And as a result, the security groups attached to that interface aren't applied. I believe that if you configure the tunnel with the private IP of the instance you'll find that the traffic is blocked.

In general, forwarding to localhost is a Good Thing, because it means that your services (like a Jupyter Notebook) don't need to expose themselves to the local network.

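As an added example (not part of either answer above), the following bash script audits what a host is actually listening on, which is the check a defender would run on the instance to confirm the point just made: a service bound to 127.0.0.1, like the Jupyter server on port 8888, never crosses the network interface, so no security group rule is needed or consulted for it, whereas listeners on 0.0.0.0, * or an interface address are reachable from the VPC and depend entirely on the security group. It parses lines shaped like `ss -Htln` output (State, Recv-Q, Send-Q, Local:Port, Peer:Port); the sample output embedded in the script and the private IP 10.0.1.25 are constructed, not captured from the asker's instance.

```shell
#!/usr/bin/env bash
# Added example: classify TCP listeners by the address they are bound to.
# Input lines look like `ss -Htln` output: State Recv-Q Send-Q Local:Port Peer:Port

# Constructed sample (not captured from a real instance). Real use: ss -Htln | audit_listeners
SAMPLE_SS='LISTEN 0 128  0.0.0.0:22       0.0.0.0:*
LISTEN 0 128  127.0.0.1:8888   0.0.0.0:*
LISTEN 0 128  [::1]:631        [::]:*
LISTEN 0 4096 10.0.1.25:5432   0.0.0.0:*
LISTEN 0 128  *:9090           *:*'

# classify_listener ADDR:PORT -> loopback | wildcard | interface
#   loopback : only reachable from inside the host; never crosses the ENI,
#              so security group rules play no part (the Jupyter case)
#   wildcard : bound to every address, reachable from the VPC subject to the SG
#   interface: bound to one interface address, likewise subject to the SG
classify_listener() {
  local host="${1%:*}"   # drop the trailing :port ("[::1]:631" -> "[::1]")
  case "$host" in
    127.*|'[::1]'|localhost) echo loopback ;;
    0.0.0.0|'[::]'|'*')      echo wildcard ;;
    *)                       echo interface ;;
  esac
}

# audit_listeners: read listener lines on stdin, print "<class> <addr:port>" for each
audit_listeners() {
  local state recvq sendq local_addr rest
  while read -r state recvq sendq local_addr rest; do
    [ "$state" = LISTEN ] || continue   # skip headers or non-listening sockets
    printf '%s %s\n' "$(classify_listener "$local_addr")" "$local_addr"
  done
}

# count_exposed: how many listeners on stdin are reachable beyond loopback
count_exposed() {
  audit_listeners | grep -vc '^loopback '
}

printf '%s\n' "$SAMPLE_SS" | audit_listeners
printf 'listeners reachable from the network: %s\n' "$(printf '%s\n' "$SAMPLE_SS" | count_exposed)"
```

On the sample, the Jupyter listener and the CUPS listener on [::1] are classed as loopback and the other three as exposed; on a real instance, anything the audit reports as wildcard or interface is exactly the set of ports for which security group rules matter.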

CodePudding user response:

When using ssh -L, ssh will listen on local port 8081 and will send that traffic across the SSH connection (port 22) to the destination computer. The ssh daemon that receives the traffic will then forward the traffic to localhost:8888.

There is no need to permit port 8888 in the EC2 instance security group because it is receiving this traffic via port 22.

An SSH connection does more than just send the keystrokes you type. It is a full protocol that can pass traffic across multiple logical channels.
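To make that description concrete, here is an added bash example (not from the answer and not OpenSSH's own code) that parses an `ssh -L` forwarding spec, `[bind_address:]port:host:hostport`, and reports which side of the tunnel each address is resolved on: the bind address and port apply to the laptop, where ssh listens, while host and hostport are dialled by sshd from inside the instance. The bind-address rules follow ssh(1): `localhost` means loopback only, an empty address or `*` means every interface of the laptop, and with only three fields the example assumes the default of GatewayPorts no, i.e. loopback. The private IP 10.0.1.25 is made up, and IPv6 literals in the host field are not handled.

```shell
#!/usr/bin/env bash
# Added example: classify the two ends of an `ssh -L [bind_address:]port:host:hostport` spec.

# listen_scope BIND_ADDRESS: where the laptop-side listener is reachable from.
# Rules per ssh(1): "localhost" = loopback only; "" or "*" = all interfaces.
listen_scope() {
  case "$1" in
    ''|'*'|0.0.0.0)      echo "all interfaces" ;;
    localhost|127.*|::1) echo "loopback only" ;;
    *)                   echo "address $1 only" ;;
  esac
}

# remote_scope HOST: whether sshd's onward connection stays in the instance's own
# network stack (loopback) or goes out through a network interface.
remote_scope() {
  case "$1" in
    localhost|127.*|::1) echo loopback ;;
    *)                   echo interface ;;
  esac
}

# explain_forward SPEC: print one line describing both ends. Returns 1 on a
# spec that is not 3 or 4 colon-separated fields (IPv6 literals are not handled).
explain_forward() {
  local spec="$1" n bind rest port host hostport note
  n=$(printf '%s' "$spec" | awk -F: '{ print NF }')
  case $n in
    3) bind=localhost; rest=$spec ;;                 # default bind (GatewayPorts no)
    4) bind=${spec%%:*}; rest=${spec#*:} ;;
    *) echo "unparseable -L spec: $spec" >&2; return 1 ;;
  esac
  port=${rest%%:*}; rest=${rest#*:}
  host=${rest%%:*}; hostport=${rest#*:}
  if [ "$(remote_scope "$host")" = loopback ]; then
    note="stays inside the instance, security group not consulted"
  else
    note="crosses a network interface, security group rules apply"
  fi
  printf '%s:%s listens on %s; sshd connects to %s:%s (%s)\n' \
    "${bind:-*}" "$port" "$(listen_scope "$bind")" "$host" "$hostport" "$note"
}

# The asker's tunnel, plus two constructed variants for comparison.
explain_forward localhost:8081:localhost:8888
explain_forward 8081:10.0.1.25:8888      # 10.0.1.25: a made-up private IP of the instance
explain_forward '*:8081:localhost:8888'  # listener exposed on every laptop interface
```

The second variant is the one the first answer predicts would be blocked: sshd dials the instance's own private address, so the connection leaves the network stack through the ENI and the security group is consulted. The third variant shows the opposite hygiene problem on the laptop side, a tunnel endpoint listening on every interface rather than loopback.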
