Port forwarding, or tunneling, is a way to forward otherwise insecure TCP traffic through SSH Secure Shell. You can use it to secure, for example, POP3, SMTP and HTTP connections that would otherwise travel in the clear; see Figure Encrypted SSH2 tunnel.
The client-server applications using the tunnel will carry out their own authentication procedures, if any, the same way they would without the encrypted tunnel.
The protocol or application might only be able to connect to a fixed port number (e.g. IMAP on port 143). Otherwise any available port can be chosen for port forwarding.
Privileged ports (below 1024) can be forwarded only with root privileges.
There are two kinds of port forwarding: local and remote forwarding. They are also called outgoing and incoming tunnels, respectively. Local port forwarding forwards traffic coming to a local port to a specified remote port.
For example, if you issue the command
ssh2 -L 1234:localhost:23 username@host
all traffic coming to port 1234 on the client will be forwarded to port 23 on the server (host). Note that localhost will be resolved by the sshdserver after the connection is established. In this case localhost therefore refers to the server (host) itself.
Remote port forwarding does the opposite: it forwards traffic coming to a remote port to a specified local port.
For example, if you issue the command
ssh2 -R 1234:localhost:23 username@host
all traffic which comes to port 1234 on the server (host) will be forwarded to port 23 on the client (localhost).
It is important to realize that if you have three hosts, client, sshdserver, and appserver, and you forward the traffic coming to the client's port x to the appserver's port y, only the connection between the client and sshdserver will be secured. See Figure Forwarding to a third host. The command you use would be something like the following:
ssh2 -L x:appserver:y username@sshdserver
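To make the local-forwarding behaviour above concrete (the listener on the client's port, and the fact that the destination name is resolved by the forwarding endpoint rather than by the connecting program), here is a small plain-TCP forwarder written as an added example. It is not code from SSH Secure Shell and it performs no encryption: it models only the listening half of ssh2 -L listen_port:dest_host:dest_port. The echo server standing in for "appserver" and the payload are constructed for the demo; the function names start_forwarder, start_echo_server and send_through_tunnel are this example's own.

```python
"""Minimal TCP forwarder modelling the listening side of an SSH local tunnel
(ssh2 -L <listen_port>:<dest_host>:<dest_port>). Added example, not SSH code:
no encryption, just accept-a-connection-and-relay, so the unencrypted leg
from the forwarding endpoint to the destination is explicit."""
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes from src to dst until src closes, then half-close dst."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _relay(client: socket.socket, dest_host: str, dest_port: int) -> None:
    """Handle one accepted connection: dial the destination, relay both ways."""
    try:
        # The destination name is resolved HERE, by the forwarding endpoint.
        # This is why "localhost" in an -L spec names the SSH server, not the
        # machine the user typed the command on.
        upstream = socket.create_connection((dest_host, dest_port), timeout=5)
    except OSError:
        client.close()
        return
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)   # client -> destination until the client half-closes
    back.join()               # destination -> client until the destination closes
    client.close()
    upstream.close()


def start_forwarder(listen_port: int, dest_host: str, dest_port: int) -> int:
    """Listen on 127.0.0.1:listen_port (0 = pick a free port) and forward every
    connection to dest_host:dest_port. Returns the port actually bound."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", listen_port))   # loopback only, like ssh -L by default
    srv.listen(5)

    def accept_loop() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_relay, args=(conn, dest_host, dest_port),
                             daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def start_echo_server() -> int:
    """Constructed stand-in for the application server (e.g. the service on
    port 23): echoes one message back and closes. Returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                data = conn.recv(4096)
                if data:
                    conn.sendall(data)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def send_through_tunnel(port: int, payload: bytes) -> bytes:
    """Act as the client-side application: connect to the forwarded local port,
    send payload, and return whatever the far end answers."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        buf = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
        return buf


if __name__ == "__main__":
    app_port = start_echo_server()                        # "appserver:y"
    tunnel_port = start_forwarder(0, "localhost", app_port)  # "client:x"
    print(send_through_tunnel(tunnel_port, b"hello via tunnel"))
```

In the three-host case from the text, the hop that this code performs inside _relay (forwarder to dest_host) is the leg that SSH does not protect; an SSH tunnel only wraps the segment between the client and the sshdserver in front of it.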