Debian Admin

Port forwarding, or tunneling, is a way to forward otherwise insecure TCP traffic through SSH Secure Shell. You can secure for example POP3, SMTP and HTTP connections that would otherwise be insecure.

There are two kinds of port forwarding: local and remote forwarding. They are also called outgoing and incoming tunnels, respectively.

Local port forwarding forwards traffic coming to a local port to a specified remote port. For example, all traffic coming to port 1234 on the client could be forwarded to port 23 on the server (host).

Note: The value of localhost is resolved after the Secure Shell connection has been established – so when defining local forwarding (outgoing tunnels), localhost refers to the server (remote host computer) you have connected to.

Remote port forwarding does the opposite: it forwards traffic coming to a remote port to a specified local port. For example, all traffic coming to port 1234 on the server (host) could be forwarded to port 23 on the client (localhost).

Local port forwarding

Accessing a service (in this example SSH port tcp/22, but it could be anything like a web server on tcp/80) on a machine at work (172.16.10.10) from your machine at home (192.168.10.10), simply by connecting to the server work.example.org at work :

$ ssh user@work.example.org -L 10000:172.16.10.10:22

We see the service is available on the loopback interface only, listening on port tcp/10000 :

$ netstat -tunelp | grep 10000

tcp 0 0 127.0.0.1:10000 0.0.0.0:* LISTEN 1000 71679 12468/ssh

From your home machine, you should be able to connect to the machine at work :

$ ssh root@localhost -p 10000

Local port forward for anyone at home !

If you want other people on your home subnet to be able to reach the machine at work by SSH, add the option -g :

$ ssh user@work.example.org -L 10000:172.16.10.10:22 -g

We now see the service is available on all interfaces on your home computer, available for anyone to connect to on the local subnet :

$ netstat -tunelp | grep 10000


tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN 1000 72265 12543/ssh

Anyone on your local subnet should be able to connect to the machine at work by doing this :

$ ssh root@192.168.10.10 -p 10000

Remote port forwarding

Giving access to a service (SSH port tcp/22) on your home machine (192.168.10.10) to people at work

$ ssh user@work.example.org -R 10000:192.168.1.10:22

We see on our server at work (on the loopback interface on port tcp/10000) that we have access to our SSH server at home :

work.example.org$ netstat -tunelp | grep 10000


tcp 0 0 127.0.0.1:10000 0.0.0.0:* LISTEN 0 73719534 3809/1

People logged in on the machine work.example.org now should be able to SSH into your home machine by doing :

work.example.org$ ssh user@localhost -p 10000

Remote port forwarding for anyone at work !

If you want everybody on the subnet at work to be able to SSH into your home machine, there’s no -g option for remote forward, so you need to change the SSH configuration of work.example.org, add to sshd_config :

GatewayPorts yes

Connect just as before :

home$ ssh user@work.example.org -R 10000:192.168.1.10:22

Now, it’s listening on all interfaces on the server at work :

work.example.org$ netstat -tunelp | grep 10000


tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN 0 73721060 4426/1

Anyone at work can now connect to your home machine by SSH via the server :

anyone.example.org$ ssh anyone@work.example.org -p 10000

Notes

- You would need to log in as root if you want services to listen on a port < 1024.
- Don’t forget to open necessary ports on any firewall either at home or work.
- Unfortunately you can only forward services running on TCP, but there’s a way to forward UDP through SSH using netcat

Random Posts