SSH Port Forwarding (SSH Tunneling)

Example:

ssh -L localport:host:hostport user@ssh_server -N
where:
-L – port forwarding parameters (see below)
localport – local port (chose a port that is not in use by other service)
host – server that has the port (hostport) that you want to forward
hostport – remote port
-N – do not execute a remote command, (you will not have the shell, see below)
user – user that have ssh access to the ssh server (computer)
ssh_server – the ssh server that will be used for forwarding/tunneling

Without the -N option you will have not only the forwardig port but also the remote
shell. Try with and without it to see the difference.

Note:
1. Privileged ports (localport lower then 1024) can only be forwarded by root.
2. In the ssh line you can use multiple -L like in the example…
3. Of course, you must have ssh user access on secure_computer and moreover
the secure computer must have access to host:hostport
4. Some ssh servers do not allow port forwarding (tunneling). See the sshd man
pages for more about port forwarding (the AllowTcpForwarding keyword is set to
NO in sshd_config file, by default is set to YES)…

Example:
ssh -L 8888:www.linuxhorizon.ro:80 user@computer -N
ssh -L 8888:www.linuxhorizon.ro:80 -L 110:mail.linuxhorizon.ro:110 \
25:mail.linuxhorizon.ro:25 user@computer -N
The second example (see above) show you how to setup your ssh tunnel for web, pop3
and smtp. It is useful to recive/send your e-mails when you don’t have direct access
to the mail server.

For the ASCII art and lynx browser fans here is illustrated the first example:

+———-+<–port 22–>+———-+<–port 80–>o———–+
|SSH Client|————-|ssh_server|————-| host |
+———-+ +———-+ o———–+
localhost:8888 computer http://www.linuxhorizon.ro:80

…And finally:
Open your browser and go to http://localhost:8888 to see if your tunnel is working.
That’s all folks!

The SSH man pages say:

-L port:host:hostport
Specifies that the given port on the local (client) host is to be
forwarded to the given host and port on the remote side. This
works by allocating a socket to listen to port on the local side,
and whenever a connection is made to this port, the connection is
forwarded over the secure channel, and a connection is made to
host port hostport from the remote machine. Port forwardings can
also be specified in the configuration file. Only root can for-
ward privileged ports. IPv6 addresses can be specified with an
alternative syntax: port/host/hostport

-N Do not execute a remote command. This is useful for just for-
warding ports (protocol version 2 only).

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s