
Bastion and Dynamic Port

Anand Raja
Senior Software Engineer

Bastion Host

A bastion host is a special-purpose server designed to act as a gateway between a public network (e.g., the internet) and a private network. It provides secure access to resources in the private network by acting as an intermediary. Bastion hosts are commonly used in cloud environments to securely access servers that are not directly exposed to the internet.

The reason for the name "Bastion host" comes from the term "bastion," which refers to a projecting part of a fortification built at an angle to the line of a wall, so as to allow defensive fire in several directions. Similarly, a Bastion host acts as a fortified gateway, protecting the internal network by acting as the only point of entry for administrative access (such as SSH or RDP) and minimizing the attack surface exposed to the public.

Key Features of a Bastion Host

  1. Secure Access:

    • Acts as a single entry point to the private network.
    • Reduces the attack surface by limiting access to internal resources.
  2. Authentication:

    • Requires SSH keys or passwords for authentication.
  3. Logging and Monitoring:

    • Centralizes access logs for auditing and monitoring.
  4. No Direct Access:

    • Internal servers are not directly accessible from the public network.

Use Case

  • A bastion host is used to securely connect to private servers (e.g., databases, application servers) in a Virtual Private Cloud (VPC) or private network.

PuTTY

PuTTY is a free and open-source terminal emulator, serial console, and network file transfer application. It is widely used for connecting to remote servers via SSH, Telnet, or serial connections.

Key Features of PuTTY

  1. SSH Client:

    • Provides secure shell (SSH) access to remote servers.
  2. Port Forwarding:

    • Supports SSH tunneling for secure communication.
  3. Key Management:

    • Works with private keys for secure authentication.
  4. Cross-Platform:

    • Available for Windows, Linux, and macOS.

Using PuTTY with a Bastion Host

To connect to a private server via a bastion host using PuTTY, you can configure an SSH tunnel. This allows you to securely route traffic through the bastion host to the target server.

Steps to Configure PuTTY for a Bastion Host

  1. Open PuTTY:

    • Launch PuTTY on your local machine.
  2. Configure the Bastion Host:

    • In the Session category:
      • Enter the Host Name (or IP address) of the bastion host.
      • Set the Port to 22 (default SSH port).
  3. Add the Private Key:

    • In the Connection > SSH > Auth category:
      • Click Browse and select the private key file (e.g., .ppk file) for the bastion host.
  4. Set Up SSH Tunneling:

    • Go to Connection > SSH > Tunnels:
      • In the Source Port, enter a local port (e.g., 8888).
      • In the Destination, enter the private IP of the target server and port (e.g., 192.168.1.10:22).
      • Click Add to add the tunnel.
  5. Save the Configuration:

    • Go back to the Session category.
    • Enter a name in the Saved Sessions field (e.g., BastionHost).
    • Click Save to save the configuration.
  6. Connect to the Bastion Host:

    • Click Open to connect to the bastion host.
    • Authenticate using the username and private key (or password).
  7. Connect to the Target Server:

    • Open another instance of PuTTY.
    • In the Session category:
      • Enter localhost as the Host Name.
      • Enter the Source Port you configured earlier (e.g., 8888).
    • Click Open to connect to the target server through the bastion host.

How It Works

  • The first PuTTY session connects to the bastion host.
  • The SSH tunnel forwards traffic from your local machine (e.g., localhost:8888) to the target server via the bastion host.
  • The second PuTTY session uses the tunnel to securely access the target server.

Benefits of Using a Bastion Host with PuTTY

  1. Enhanced Security:

    • Limits direct access to private servers.
    • Acts as a single entry point to the private network.
  2. Auditing:

    • Centralizes access logs for monitoring and auditing.
  3. Simplified Access:

    • Reduces the need to expose private servers to the public internet.

Scenario

Here's an example of how to use PuTTY to connect to a private server via a bastion host:

  • Bastion Host:
    • Public IP: 203.0.113.10
    • Username: bastion-user
    • Private Key: bastion-key.ppk
  • Target Server:
    • Private IP: 192.168.1.100
    • Username: target-user
    • Port: 22

Steps

1. Configure the Bastion Host in PuTTY

  1. Open PuTTY:

    • Launch PuTTY on your local machine.
  2. Enter Bastion Host Details:

    • In the Session category:
      • Enter 203.0.113.10 (the public IP of the bastion host) in the Host Name field.
      • Set the Port to 22.
  3. Add the Private Key:

    • Go to Connection > SSH > Auth:
      • Click Browse and select the private key file (bastion-key.ppk) for the bastion host.
  4. Set Up SSH Tunneling:

    • Go to Connection > SSH > Tunnels:
      • In the Source Port, enter 8888 (a local port on your machine).
      • In the Destination, enter 192.168.1.100:22 (the private IP and SSH port of the target server).
      • Click Add to add the tunnel.
  5. Save the Configuration:

    • Go back to the Session category.
    • Enter a name (e.g., BastionHost) in the Saved Sessions field.
    • Click Save to save the configuration.
  6. Connect to the Bastion Host:

    • Click Open to connect to the bastion host.
    • Authenticate using the username (bastion-user) and private key.

2. Connect to the Target Server

  1. Open a New PuTTY Session:

    • Launch another instance of PuTTY.
  2. Enter Target Server Details:

    • In the Session category:
      • Enter localhost as the Host Name.
      • Enter 8888 (the local port configured earlier) as the Port.
  3. Connect:

    • Click Open to connect to the target server through the bastion host.
    • Authenticate using the username (target-user) and password or private key for the target server.

How It Works

  1. The first PuTTY session connects to the bastion host.
  2. The SSH tunnel forwards traffic from your local machine (localhost:8888) to the target server (192.168.1.100:22) via the bastion host.
  3. The second PuTTY session uses the tunnel to securely access the target server.

Example Configuration

Bastion Host Session

  • Host Name: 203.0.113.10
  • Port: 22
  • Private Key: bastion-key.ppk
  • Tunnel:
    • Source Port: 8888
    • Destination: 192.168.1.100:22

Target Server Session

  • Host Name: localhost
  • Port: 8888
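Before opening the second PuTTY session it is worth confirming what actually answers on localhost:8888. The probe below is an added example, not part of the original post: it connects to the local end of the tunnel and reads the SSH identification line (RFC 4253), distinguishing "nothing listening", "bastion accepted but could not reach 192.168.1.100:22", and "the target's sshd is answering". The host, port and the claim about how PuTTY closes a failed forward are assumptions taken from the page's configuration; the host key shown by PuTTY in the second session is still the identity check.

```python
import socket

TARGET = "192.168.1.100:22"   # the tunnel Destination from the page's configuration

def parse_ssh_banner(line: bytes) -> tuple[str, str]:
    """Split an SSH identification line (RFC 4253, section 4.2) into
    (protocol version, software version); the optional comment is dropped."""
    text = line.rstrip(b"\r\n").decode("ascii", errors="replace")
    if not text.startswith("SSH-"):
        raise ValueError(f"not an SSH identification line: {text!r}")
    _, proto, rest = text.split("-", 2)
    return proto, rest.split(" ", 1)[0]

def find_ident_line(lines, max_lines: int = 20):
    """Return the first line starting with b'SSH-', or None if the peer
    closed without sending one. RFC 4253 allows a server to send other
    text lines before its identification line, so those are skipped."""
    for i, line in enumerate(lines):
        if line.startswith(b"SSH-"):
            return line
        if i + 1 >= max_lines:
            break
    return None

def diagnose_tunnel(host: str = "localhost", port: int = 8888, timeout: float = 5.0) -> str:
    """Classify what the local end of the PuTTY tunnel does on connect:
    refused (no PuTTY session listening), accepted but closed without data
    (assumed behaviour when the bastion cannot open a channel to the
    Destination), or an SSH banner (the target's sshd answers via the bastion)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return f"refused: nothing listening on {host}:{port}; open the bastion session with the tunnel added"
    try:
        with sock, sock.makefile("rb") as reader:
            line = find_ident_line(reader)
    except OSError as exc:   # read timeout or reset while waiting for the banner
        return f"error while reading from {host}:{port}: {exc}"
    if line is None:
        return f"no banner: the bastion accepted the tunnel but could not reach {TARGET}; check the Destination field and the bastion's network path to the target"
    proto, software = parse_ssh_banner(line)
    return f"ok: SSH {proto} server '{software}' is answering on {host}:{port} via the bastion"

if __name__ == "__main__":
    print(diagnose_tunnel())
```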

Summary Diagram

Explanation:

  • The user connects to the Bastion Host using PuTTY over SSH.
  • A local SSH tunnel is set up (e.g., localhost:8888), forwarding traffic through the Bastion Host to the Target Server's SSH port.
  • The Target Server is only accessible via the Bastion Host, not directly from the internet.

Benefits

  • Secure Access: The target server is not exposed to the public internet.
  • Centralized Entry Point: The bastion host acts as the single gateway to the private network.
  • Auditing: All access to the private server is logged through the bastion host.

Conclusion

A bastion host provides a secure way to access private servers in a network, and PuTTY is a powerful tool for establishing SSH connections. By configuring an SSH tunnel in PuTTY, you can securely route traffic through the bastion host to access private resources.

Dynamic Port Forwarding vs Local Port Forwarding in SSH/PuTTY

Why Choose Dynamic Port Forwarding

When working with a bastion host setup, dynamic port forwarding offers several advantages over local port forwarding. The mechanism is described first, then the advantages.

How Dynamic Port Forwarding Works:

  1. You configure dynamic port forwarding in PuTTY, specifying a local port (e.g., 1080).
  2. PuTTY establishes an SSH connection to the remote server.
  3. PuTTY creates a SOCKS5 proxy server on your local machine (localhost:1080).
  4. You configure your browser or application to use this SOCKS5 proxy.
  5. When your application tries to connect to a website:
    • It sends the connection request to the SOCKS5 proxy
    • The proxy forwards the request through the SSH tunnel
    • The remote SSH server makes the actual connection to the destination
    • Responses are returned through the same tunnel

The "dynamic" aspect means your applications can reach any destination through this single tunnel - the destination is determined at connection time, not when setting up the tunnel.

  1. Multiple Destinations: With a single dynamic port, you can access any number of servers/websites behind the bastion. Local port forwarding requires setting up a separate tunnel for each destination.

  2. No Pre-planning Required: You don't need to know all target servers beforehand. With local port forwarding, you must configure each specific destination in advance.

  3. Browser/Application Integration: Works well with proxy-aware applications that can route selective traffic through the tunnel.

  4. Simplicity: One configuration handles multiple destinations rather than managing multiple local port forwards.

How to Configure Dynamic Port Forwarding in PuTTY

  1. Open PuTTY and enter your bastion host details
  2. Navigate to Connection → SSH → Tunnels
  3. Enter a Source port (e.g., 1080)
  4. Select the Dynamic radio button
  5. Click Add (you'll see D1080 appear in the forwarded ports list)
  6. Connect to your bastion host
  7. Configure applications to use SOCKS proxy at 127.0.0.1:1080

Does the Dynamic Port Number Change?

No, the port number itself does not change automatically. The term "dynamic" refers to:

  • Dynamic destinations: The ability to connect to multiple destinations through a single port
  • Dynamic routing: The proxy determining routes at runtime based on application requests

The port number (e.g., 1080) remains static until you manually change it in your PuTTY configuration.

How Destination Changes Work with Dynamic Port

With dynamic port forwarding:

  1. Your application sends a connection request to your local SOCKS proxy (e.g., localhost:1080)
  2. The request includes the final destination information (hostname/IP and port)
  3. PuTTY receives this information and creates a connection to that destination through the bastion host
  4. Each new request to a different destination follows the same process

For example, when your browser connects to both example.com and 192.168.1.100 through the proxy, two separate connections are created dynamically.

SOCKS (Socket Secure) Proxy Explained

What it is: A proxy protocol that handles any type of traffic (not just HTTP/HTTPS).

Benefits:

  • More versatile than HTTP proxies
  • Can handle any protocol (HTTP, FTP, etc.)
  • Authentication support
  • DNS resolution through the proxy (preventing DNS leaks)
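The "destination information" a SOCKS5 request carries, and why the proxy can resolve names for you, is easiest to see in the bytes. The following is an added example, not code from the original post or from PuTTY: it builds the SOCKS5 greeting and CONNECT request that an application sends to PuTTY's local listener (assumed at 127.0.0.1:1080, no authentication), parses the reply, and shows that a hostname is sent verbatim (ATYP 0x03) so the SSH server, not the local resolver, performs the lookup.

```python
import socket
import struct

SOCKS_VERSION = 0x05
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REPLY_TEXT = {0: "succeeded", 1: "general SOCKS server failure",
              2: "connection not allowed by ruleset", 3: "network unreachable",
              4: "host unreachable", 5: "connection refused"}

def build_greeting() -> bytes:
    # version 5, one method offered: 0x00 (no authentication), which is the
    # assumption for the local listener created by PuTTY's Dynamic tunnel
    return bytes([SOCKS_VERSION, 0x01, 0x00])

def build_connect_request(host: str, port: int) -> bytes:
    """CONNECT request carrying the final destination. A dotted IPv4
    literal goes out as ATYP 0x01; any other name goes out verbatim as
    ATYP 0x03, so the name is resolved by the SSH server at the far end
    of the tunnel rather than by the local resolver (no DNS leak)."""
    try:
        addr, atyp = socket.inet_aton(host), bytes([ATYP_IPV4])
    except OSError:
        raw = host.encode("idna")
        if len(raw) > 255:
            raise ValueError("hostname too long for a SOCKS5 domain address")
        addr, atyp = raw, bytes([ATYP_DOMAIN, len(raw)])
    return bytes([SOCKS_VERSION, 0x01, 0x00]) + atyp + addr + struct.pack("!H", port)

def parse_connect_reply(data: bytes) -> tuple[int, str]:
    """Return (reply code, meaning) from the proxy's reply to CONNECT."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    return data[1], REPLY_TEXT.get(data[1], f"unknown reply code {data[1]}")

def socks5_connect(host: str, port: int, proxy=("127.0.0.1", 1080)) -> socket.socket:
    """Open a TCP connection to host:port through the local SOCKS5 proxy
    that PuTTY exposes while a Dynamic tunnel (e.g. D1080) is active."""
    s = socket.create_connection(proxy)
    try:
        s.sendall(build_greeting())
        if s.recv(2) != bytes([SOCKS_VERSION, 0x00]):
            raise ConnectionError("proxy did not accept the no-authentication method")
        s.sendall(build_connect_request(host, port))
        code, meaning = parse_connect_reply(s.recv(262))   # longest reply: 4+1+255+2 bytes
        if code != 0:
            raise ConnectionError(f"SOCKS5 CONNECT to {host}:{port} failed: {meaning}")
    except Exception:
        s.close()
        raise
    return s
```

Once `socks5_connect` returns, the socket behaves like a direct connection to the destination, which is exactly what a browser behind FoxyProxy is doing per request.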

How SOCKS Differs from HTTP Proxies

  SOCKS Proxy                         HTTP/HTTPS Proxy
  Supports any TCP/UDP traffic        Limited to HTTP/HTTPS traffic
  Application-agnostic                Web-focused
  Works with any port                 Usually only ports 80/443
  More versatile for SSH tunneling    Limited for general tunneling

How SOCKS and Dynamic Port Work Together

  1. PuTTY creates a local SOCKS5 proxy server on your chosen port (e.g., 1080)
  2. FoxyProxy is configured to use this local proxy
  3. Your browser traffic is sent through FoxyProxy to the local SOCKS5 proxy
  4. PuTTY tunnels this traffic through your SSH connection to the remote server
  5. The remote server makes the actual web requests on your behalf
Common Use Cases

  • Bypassing geo-restrictions: Access region-locked content by tunneling through a server in another country
  • Securing public Wi-Fi: Encrypt your browsing traffic through the SSH tunnel
  • Accessing internal networks: Connect to resources on private networks from outside
  • Circumventing network restrictions: Bypass local network filtering

Example Configuration

  1. In PuTTY:
    • Source port: 1080
    • Destination: (leave blank)
    • Type: Dynamic
  2. In FoxyProxy:
    • Proxy Type: SOCKS5
    • Proxy Server: 127.0.0.1
    • Port: 1080
  3. To use: Enable FoxyProxy with this configuration when you want to tunnel traffic through your SSH connection.

This setup creates a secure, encrypted tunnel for your web browsing that can bypass restrictions and protect your privacy.

FoxyProxy and Alternatives for SSH Tunneling

When working with bastion hosts and SSH tunnels, proxy management tools like FoxyProxy can greatly simplify the process of routing traffic through your secure connections. Here's a comprehensive overview of FoxyProxy and its alternatives:

1. FoxyProxy

URL: FoxyProxy for Firefox | FoxyProxy for Chrome

Key Features:

  • Pattern-based URL matching for selective proxy routing
  • Multiple proxy profiles with easy switching
  • Support for SOCKS proxies created by SSH tunnels
  • Color-coded visual indicators showing which proxy is active
  • Rules for automatically switching proxies based on URLs

2. Proxy SwitchyOmega

URL: Chrome | Firefox

Key Features:

  • Advanced rule-based switching similar to FoxyProxy
  • Excellent support for SOCKS5 proxies
  • Profile-based organization of proxy settings
  • Auto-switch based on URL patterns
  • Clean, user-friendly interface

3. Smart Proxy

URL: Firefox

Key Features:

  • Simplified proxy management
  • Quick switching between proxy servers
  • Good support for SOCKS proxies
  • Lower resource usage than some alternatives

4. Proxy Toggle

URL: Firefox

Key Features:

  • One-click enabling/disabling of proxies
  • Simple interface for users who don't need complex rule sets
  • Works well with SSH SOCKS tunnels

5. SwitchySharp

URL: Chrome

Key Features:

  • Older alternative to SwitchyOmega but still functional
  • Simpler interface for basic proxy switching
  • Supports pattern-based switching