SSH Port Forwarding (SSH Tunneling)


ssh -L localport:host:hostport user@ssh_server -N
-L – port forwarding parameters (see below)
localport – local port (chose a port that is not in use by other service)
host – server that has the port (hostport) that you want to forward
hostport – remote port
-N – do not execute a remote command, (you will not have the shell, see below)
user – user that have ssh access to the ssh server (computer)
ssh_server – the ssh server that will be used for forwarding/tunneling

Without the -N option you will have not only the forwardig port but also the remote
shell. Try with and without it to see the difference.

1. Privileged ports (localport lower then 1024) can only be forwarded by root.
2. In the ssh line you can use multiple -L like in the example…
3. Of course, you must have ssh user access on secure_computer and moreover
the secure computer must have access to host:hostport
4. Some ssh servers do not allow port forwarding (tunneling). See the sshd man
pages for more about port forwarding (the AllowTcpForwarding keyword is set to
NO in sshd_config file, by default is set to YES)…

ssh -L user@computer -N
ssh -L -L \ user@computer -N
The second example (see above) show you how to setup your ssh tunnel for web, pop3
and smtp. It is useful to recive/send your e-mails when you don’t have direct access
to the mail server.

For the ASCII art and lynx browser fans here is illustrated the first example:

+———-+<–port 22–>+———-+<–port 80–>o———–+
|SSH Client|————-|ssh_server|————-| host |
+———-+ +———-+ o———–+
localhost:8888 computer

…And finally:
Open your browser and go to http://localhost:8888 to see if your tunnel is working.
That’s all folks!

The SSH man pages say:

-L port:host:hostport
Specifies that the given port on the local (client) host is to be
forwarded to the given host and port on the remote side. This
works by allocating a socket to listen to port on the local side,
and whenever a connection is made to this port, the connection is
forwarded over the secure channel, and a connection is made to
host port hostport from the remote machine. Port forwardings can
also be specified in the configuration file. Only root can for-
ward privileged ports. IPv6 addresses can be specified with an
alternative syntax: port/host/hostport

-N Do not execute a remote command. This is useful for just for-
warding ports (protocol version 2 only).


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s