Port Forwarding Help


Post by Amos » Wed Sep 19, 2007 7:53 pm

Found this on the net somewhere...



01/08/04: Open SSH Port Forwarding and Redirect
Updated: 02/04/04 - Cleanup
by Chris Bergeron

SSH is short for Secure SHell and is the client side terminal program on various Unix operating systems from the BSD licensed OpenSSH suite of programs. If your copy of Linux or BSD didn't come with sshd or ssh, download OpenSSH from OpenSSH.org. If you're using a Windows client, download PuTTY for Windows. Although written for ssh on Linux, most of these instructions are easily adapted to other platforms such as PuTTY on Windows.



Purpose:
We'll be covering how to forward ports from a target system to your local computer or from your local computer to a target host's port. This is useful to provide insecure services through a secure encrypted connection (known as tunneling). Both target machines will only be as secure as their individual setup, but an ssh tunnel provides tight encryption on the actual connection. The packets flowing back and forth between the machines will be securely encrypted.

How-To:
The ssh help file doesn't really cover the matter of forwarding hosts clearly. To some people "-L port:host:host port" may be perfectly clear. Not me, though. I always end up having to try a forward every which way to get it to work. Let's go over a few mock-ups of how it should work. An example of forwarding an FTP port from a remote machine to your local machine and forwarding over your local http port to a remote machine will shed some illumination.

Tunneling an application like VNC is identical to our examples. Just use the appropriate ports for your application in the appropriate place. Let's start with the help file explanation of forwarding a remote port to a local computer port and move on to practical examples.

According to the ssh man page "-L port:host:host port" will forward "the given port on the local (client) host" to "the given host and port on the remote side". What this boils down to is that you need to plug in the port you want to forward to on the local machine on the right, the port you want to forward from on the left, and the target host all this is happening to in the middle. Case in point: take the example host pcburn.com and the command to push a connection to the FTP port from the local machine to the remote one. Remember, we're taking a connection request from port XXX on the local computer and forwarding it to 21 on the remote computer. So the command to tunnel a local connection to a remote computer's port would be:

Code:
ssh -L 99:localhost:21 pcburn.com


to forward requests to the local machine's (your computer's) port 99 to the remote machine's (pcburn.com) FTP server at port 21. This allows us to connect to PCBurn's FTP server through a secure encrypted connection.

Allowing requests to a port on the remote machine to connect to your local computer is explained as "-R port:host:hostport", where "the given port on the remote (server) host" is "forwarded to the given host and port on the local side" in the ssh manpage. So what this does is take a port on your machine and make it available to a target computer at port XXX. We'll use an HTTP request from the remote machine (pcburn.com) on port 99 and forward it to the local machine at port 80. SSH's command line options to tunnel requests hitting a remote port to the local machine would look like:

Code:
ssh -R 99:localhost:80 PCBurn.com


to forward requests to port 99 on the remote side (pcburn.com) to port 80 on the local machine you're shelling from.

In review: to forward a port on the remote machine to the local machine the syntax is

Code:
ssh -L (local port):(your system):(port on target) (target host)


and the command to forward a port on your machine to the remote machine is

Code:
ssh -R (port on target):(your machine):(local port) (target host)


The first allows you to connect to the remote machine as if it were running a service on your local machine's port, and the latter lets you or someone else connect to a port on the remote machine as if it were a service running on your machine. You'll also need the servers set up to allow non-local machines to connect to forwarded connections specifically if that's needed.

Note for Users of PuTTY on Windows: PuTTY will create tunnels you've specified when the OpenSSH window is opened. The same rules apply for PuTTY on Windows to tunnel ports as ssh from the command line on Linux.

Hopefully these examples and the corresponding commands will help you forward and "pull" ports using the secure shell protocol to make it secure. If any of the examples aren't quite right, just shoot me an e-mail... all the commands are tested but the more examples typed, the more prone to error they become.
Don't Snooze
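
Added example, not part of the original post or of OpenSSH: a shell function that parses a -L or -R forwarding spec and reports, following ssh(1), which side opens the listening port, who can reach it, and on which side "host" is resolved. The name explain_forward and its output format are assumptions made for this example; it accepts numeric ports only and does not handle bracketed IPv6 literals.

```sh
# Added example; explain_forward is a hypothetical helper, not part of OpenSSH.
# Spec format per ssh(1): [bind_address:]port:host:hostport
# Assumptions: numeric ports only, no bracketed IPv6 literals in the spec.
explain_forward() (
    flag=$1; spec=$2
    case $flag in
        -L) listen=client; resolve=server ;;  # client listens, server dials host:hostport
        -R) listen=server; resolve=client ;;  # server listens, client dials host:hostport
        *)  echo "error: flag must be -L or -R" >&2; exit 2 ;;
    esac

    set -f        # '*' is a legal bind_address; keep the shell from globbing it
    IFS=:
    set -- $spec  # split on ':'; an empty leading field is preserved
    case $# in
        3) port=$1; host=$2; hport=$3
           reach=loopback ;;               # default when GatewayPorts is off
        4) port=$2; host=$3; hport=$4
           case $1 in
               localhost|127.0.0.1) reach=loopback ;;
               ''|'*')              reach=all-interfaces ;;
               *)                   reach=$1 ;;
           esac ;;
        *) echo "error: expected [bind_address:]port:host:hostport" >&2; exit 2 ;;
    esac

    for p in "$port" "$hport"; do
        case $p in
            ''|*[!0-9]*) echo "error: bad port '$p'" >&2; exit 2 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] ||
            { echo "error: port '$p' out of range" >&2; exit 2; }
    done

    # Ports below 1024 need root on whichever side opens the listener.
    if [ "$port" -lt 1024 ]; then priv=yes; else priv=no; fi

    echo "listen=$listen:$port reach=$reach dest=$host:$hport resolved_on=$resolve root_needed=$priv"
)

# The two commands from the post, plus a constructed all-interfaces case.
explain_forward -L 99:localhost:21
explain_forward -R 99:localhost:80
explain_forward -R '*:8080:localhost:80'
```

The reach=loopback default is what the post's closing remark about non-local machines refers to: exposing the listener to other hosts takes ssh -g or an explicit bind address for -L, and GatewayPorts enabled in the server's sshd_config for -R. Keeping the default limits the tunnel to processes on the listening machine itself.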
