a) Local Port Forwarding,
b) Remote Port Forwarding,
c) Dynamic Port Forwarding
c) X Forwarding
For a full command syntax check the online man pages for ssh here
Local Port Forward
-L [bind_address:]port:host:hostport
Specifies that the given port on the local (client) host is to be forwarded to the given
host and port on the remote side. This works by allocating a socket to listen to port
on the local side, optionally bound to the specified bind_address. Whenever a
connection is made to this port, the connection is forwarded over the secure channel,
and a connection is made to host port hostport from the remote machine. The
bind_address of ``localhost'' indicates that the listening port be bound for local use
only, while an empty address or `*' indicates that the port should be available from all interfaces.
Suppose that I want to access a remote host ( 192.168.2.1:80) that is behind an ssh server (myremotemachine). On local machine , set up a port forward from port 8080 to 192.168.2.1:80.
Specifies that the given port on the local (client) host is to be forwarded to the given
host and port on the remote side. This works by allocating a socket to listen to port
on the local side, optionally bound to the specified bind_address. Whenever a
connection is made to this port, the connection is forwarded over the secure channel,
and a connection is made to host port hostport from the remote machine. The
bind_address of ``localhost'' indicates that the listening port be bound for local use
only, while an empty address or `*' indicates that the port should be available from all interfaces.
Suppose that I want to access a remote host ( 192.168.2.1:80) that is behind an ssh server (myremotemachine). On local machine , set up a port forward from port 8080 to 192.168.2.1:80.
$ ssh myremotemachine -L 8080:192.168.2.1:80
Open another console session , on local machine, and check that the service is available on the loopback interface only , listening on tcp/8080.
$ netstat -tunelp | grep 8080
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN 1000 74471 4269/ssh
Then on local browser goto http://localhost:8080/ to access the webpage
On another example, you need to telnet on network device that is accessible only from inside the network.
$ ssh myremotemachine -L 2323:192.168.0.1:23
On local machine confirm that service is run on the loopback interface only , listening on tcp/2323.
Add -g to allow others on same home subnet to connect to remote machine.
Service appears on all interfaces of local host
Other machines on same subnet should use:
Initiates a ssh connection with reverse port forward which will open listening port, to be forwarded back to destination' s port on destination host.
For example you need to access your PC at work but the firewall does not allow a connection initiated from outside. So you bypass company firewall by using an allowed port and create an incoming tunnel from computer at work to your computer at home. And then browse/use the port from home.
$ netstat -nlp | grep 2323
tcp 0 0 127.0.0.1:2323 0.0.0.0:* LISTEN 4406/ssh
Then open another console session and telnet to the loopback interface .
$ telnet localhost 2323
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
**WELCOME TO PIX501**
Add -g to allow others on same home subnet to connect to remote machine.
$ ssh myremotemachine -L 2323:192.168.0.1:23 -g
Service appears on all interfaces of local host
$ netstat -nlp | grep 2323
tcp 0 0 0.0.0.0:2323 0.0.0.0:* LISTEN 4490/ssh
Other machines on same subnet should use:
$ telnet <address-of-localhost> 2323
Remote Port Forwarding
-R [bind_address:]port:host:hostport
Specifies that the given port on the remote (server) host is to be forwarded to the given
host and port on the local side. This works by allocating a socket to listen to port on the
remote side, and whenever a connection is made to this port, the connection is forwarded
over the secure channel, and a connection is made to host port hostport from the local machine.
By default, the listening socket on the server will be bound to the loopback interface only.
This may be overridden by specifying a bind_address. An empty bind_address, or the address
'*', indicates that the remote socket should listen on all interfaces. Specifying a remote
bind_address will only succeed if the server's GatewayPorts option is enabled
Initiates a ssh connection with reverse port forward which will open listening port, to be forwarded back to destination' s port on destination host.
For example you need to access your PC at work but the firewall does not allow a connection initiated from outside. So you bypass company firewall by using an allowed port and create an incoming tunnel from computer at work to your computer at home. And then browse/use the port from home.
office$ ssh -R 2222:localhost:22 homeserver
Confirm that service is running on the loopback interface
homeserver$ netstat -nlp | grep 2222
tcp 0 0 127.0.0.1:2222 0.0.0.0:* LISTEN -
We are initiating ssh connection with reverse port forwarding (-R) which will open listening port 2222 to be forwarded back to localhost's port 22 and all this will happen on homeserver. If you now open up a terminal on homeserver and type in:
homeserver $ ssh localhost -p 2222
Dynamic Port Forwarding (SSH SOCKS proxy )
If you are using a connection that is not secure, then create an ssh tunnel to the ssh server and use it as a proxy.
$ ssh -D 8080 remotemachine
Then setup browser SOCKS proxy at localhost:8080
X Forwarding
To run a GUI application installed on a remote machine but display it locally$ ssh -X -p 10022 192.168.2.10
Then I run application PUTTY , installed only on the remote machine
$ putty
No comments:
Post a Comment