- To: Penguinillas <slug@xxxxxxxxxxx>
- Subject: [SLUG] SSH Port Forwarding
- From: Jeff Waugh <jdub@xxxxxxxxxxx>
- Date: Fri Aug 17 18:43:01 2001
- Reply-by: Mon Aug 20 18:28:27 EST 2001
- User-agent: Mutt/1.3.20i
Just some random practical documentation written for work purposes, but
foisted off to SLUG for the benefit of all. Manish Singh has also written
one specifically for POP3, which you can find at his website:
http://yosh.gimp.org/Secure-POP-SSH.html
Using SSH Port Forwarding
-------------------------
Let's not muck around:
ssh -f -N -C -L <local-port>:<dest-host>:<dest-port> <gateway-host>
  -f            Instead of bringing up a shell on the remote machine, SSH
                will fork into the background post-auth, so it runs "like a
                daemon".
  -N            Don't run a command. You need to do this if you're going to
                fork into the background.
  -C            Compression, always useful, wasted if you're connecting to
                machines on a local network. I've made the fairly good
                assumption that you wouldn't be in this instance. ;)
  -L            "Forward local port to remote address/port"

  local-port    Local port for the ssh tunnel endpoint
  dest-host     Destination host, to which you want to tunnel a connection
  dest-port     Destination port on dest-host, on which the service you
                want to tunnel to is listening
  gateway-host  Host to make ssh connection to, which will tunnel traffic
                between you and dest-host.
dest-host is often a machine in the secure network behind gateway-host.
However, gateway-host and dest-host can be the same, if the service is
running on the same machine as the ssh daemon (you'd only bother doing this
if you want to securely authenticate and communicate via insecure protocols
running on that machine).
Example:
ssh -f -N -C -L 10110:remote:110 user@gateway
user@gateway is authenticated, just like you would when ssh'ing in for a
shell normally. The result is:
SSH connected to port 22 on gateway ... from gateway to port 110 on remote
 _________                        ___________                   __________
|         |                      |           |                 |          |
|  local  | - - - Internet - - - |  gateway  | - - - LAN - - - |  remote  |
|_________|                      |___________|                 |__________|
localhost:10110 on local is forwarded by ssh to and from port 110 on remote
To make life easy, I generally add 10000 to the port number I'm connecting
to for the local port (primarily because I am forgetful and lacking in
mathematical nous).
You'd expect - after seeing the above diagram - that connecting to port
10110 on localhost would bring up the pop server running on remote. True?
Let's see:
lazarus: ~
$ telnet localhost 10110
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
+OK Hello there.
user user
+OK Password required.
pass pass
+OK logged in.
Rock'n'roll. There are lots of services you can use this for - pop and imap
are two great contenders because they are very frequently used HORRIBLE
PLAIN-TEXT PASSWORD protocols - but you could do it for smtp, vnc, ldap, and
many others. It's also pretty convenient when you need to use services
behind a firewall, like an internal web server.
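An added example (mine, not from Jeff's post) in POSIX shell: it builds the forward above using the "+10000" convention and then checks, from `ss -ltn` style output, that the tunnel's local endpoint is bound to loopback only rather than exposed to the network. It assumes modern OpenSSH syntax (`-L [bind_address:]port:host:hostport` and `-o ExitOnForwardFailure=yes`); the socket listing is constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes modern OpenSSH:
#   -L [bind_address:]port:host:hostport   and   -o ExitOnForwardFailure=yes

# Print the forwarding command for dest-host:dest-port via gateway, using
# the post's "dest-port + 10000" convention for the local endpoint.
tunnel_cmd() {
    dest_host=$1; dest_port=$2; gateway=$3
    case $dest_port in
        ''|*[!0-9]*) echo "bad port: $dest_port" >&2; return 1 ;;
    esac
    # local port must stay within 1..65535 after adding 10000
    [ "$dest_port" -ge 1 ] && [ "$dest_port" -le 55535 ] || return 1
    local_port=$((dest_port + 10000))
    # Bind explicitly to 127.0.0.1: with -g or a 0.0.0.0 bind address the
    # tunnel endpoint is reachable by any host that can reach this machine.
    # ExitOnForwardFailure makes a failed -L bind kill the backgrounded
    # (-f -N) ssh instead of leaving it running with no tunnel.
    echo "ssh -f -N -C -o ExitOnForwardFailure=yes" \
         "-L 127.0.0.1:$local_port:$dest_host:$dest_port $gateway"
}

# Check the tunnel's local port in 'ss -ltn' output (State, Recv-Q, Send-Q,
# Local Address:Port, ...). Exit status: 0 = listening on loopback only,
# 1 = some listener on that port is non-loopback (exposed), 2 = not listening.
check_tunnel_binding() {
    port=$1; listing=$2
    printf '%s\n' "$listing" | awk -v p="$port" '
        $1 == "LISTEN" {
            n = split($4, a, ":"); lport = a[n]
            addr = substr($4, 1, length($4) - length(lport) - 1)
            if (lport == p) {
                found = 1
                if (addr != "127.0.0.1" && addr != "[::1]") exposed = 1
            }
        }
        END { exit (found ? (exposed ? 1 : 0) : 2) }'
}

# Constructed sample listing: the 10110 tunnel is loopback-only, sshd is not.
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:10110    0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*'

tunnel_cmd remote 110 user@gateway
check_tunnel_binding 10110 "$SS_SAMPLE" && echo "10110 is loopback-only"
```

On a real box, replace SS_SAMPLE with `$(ss -ltn)` after starting the tunnel; a status of 1 means the forwarded port is reachable from other hosts, which is almost never what you want for a plain-text protocol like POP.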
Anyone have other examples of useful ssh tunnel fu? Practical uses are
always good for demonstration. :)
- Jeff
--
"In addition to these ample facilities, there exists a powerful
configuration tool called gcc." - Elliot Hughes, author of lwm