SSH port forwarding

Author: sparkdev


The SSH port forwarding feature can carry the traffic of other TCP connections over an SSH connection, encrypting and decrypting it automatically. This is the technique we usually hear called tunneling, because SSH provides a secure channel through which other TCP connections travel.

We know that the FTP protocol transfers data in plaintext. If we make the FTP client and server exchange their data through an SSH tunnel, we get secure FTP data transfer.

A more common scenario is that our applications are restricted by various firewalls: access to certain websites is blocked, certain kinds of software are disabled, and all of your internet activity is monitored and analyzed! Here too, SSH tunneling can be used to get around these restrictions entirely.

As the diagram above shows, with SSH port forwarding the application's client and the application's server no longer talk to each other directly; their traffic is relayed through the SSH client and SSH server. This serves two purposes at once: encrypted data transmission and passage through firewalls!

Depending on the usage scenario, port forwarding is subdivided into local port forwarding, remote port forwarding, dynamic port forwarding, and so on. This article describes in detail how each works and how to use it.

local port forwarding

Suppose we have a host B with an SMTP server running on it, listening on port 25, but only on the localhost network interface. This means only a mail client running on host B itself can connect to the SMTP server. How can a mail client on another host A send and receive mail through the SMTP server on host B? A scenario like this is handled easily with SSH's local port forwarding feature!

Assuming SSH is installed on both hosts, we can use the SSH client on host A to ask the SSH server on host B to create a tunnel that performs port forwarding:

The operation of this command is shown in the following diagram (this diagram is from the Internet).

After running the above command, the SSH client program listens on localhost:10025 on host A (you can replace 10025 with any port between 1024 and 65535, as long as it does not conflict with a port already in use). Everything sent to port 10025 on host A is forwarded through the SSH tunnel to port 25 on host B. Next, configure the mail client on host A to send its messages to localhost:10025. Once this is done, the mail client on host A can send and receive mail through the SMTP server on host B. The packet flow is as follows.

The packets returned from the smtp server are returned along the original path to complete the two-way delivery of data.

At this point we have completed a minimal demonstration of local port forwarding. Next, let's define exactly what local port forwarding means.

In the demo above, notice that there are two pairs of client and server programs: a client and server for the SMTP application, and a client and server for SSH. If the application's client and the SSH client are on the same side of the SSH tunnel, and the application's server and the SSH server are on the other side, then this type of port forwarding is local port forwarding. It is created with the -L option.

In the previous demo, the application's client and the SSH client were on the same host, and the application's server and the SSH server were on the same host. In practice this is often not the case.

The scenario in the image above is probably closer to reality (this image is from the internet). The application's client and the SSH client are on two different hosts on the same side of the SSH tunnel, while the application's server and the SSH server are on two different hosts on the other side. In this case we need to use the following command.

With the -g option, host A listens on port P not only on localhost but on all of its network interfaces, so the application client on host C can send messages to port P of host A.

Next we cover the command format for local port forwarding. The SSH server host is the host where the SSH server runs, while remote host and remote port refer to the host where the application server runs and the port it listens on, respectively. Note that remote host is resolved from the SSH server's point of view: if it is given as localhost, the application server and the SSH server are taken to be on the same host.

Two more options need introducing before we finish with local port forwarding: -f and -N. The commands above open an interactive login on the remote host while creating the tunnel. We normally do not need that login, and as soon as the login session ends, the tunnel closes with it. What we want instead is a tunnel that runs in the background, which is what adding -f (go to the background) and -N (do not run a remote command) achieves.

remote port forwarding

We must distinguish remote port forwarding from local port forwarding, since they correspond to different application scenarios and, naturally, use different command line options. If the application's client and the SSH server are on the same side of the SSH tunnel, and the application's server and the SSH client are on the other side, then this type of port forwarding is remote port forwarding. The structure of remote port forwarding is shown in the following diagram (this diagram is from the Internet).

So the distinction between local and remote port forwarding comes down to one question: is the application's client on the same side of the SSH tunnel as the SSH client, or not? The command format for remote port forwarding is as follows.

The other details are essentially the same for both. However, remote port forwarding does not support the -g option, which makes use cases like the following hard to implement.

The root of this problem shows up after we execute the following remote port forwarding command.

Host B listens on port 18080 of localhost only.

How do we get host B to listen on port 18080 on all of its network interfaces? This has to be done by changing the SSH server's configuration! Add a line to the SSH server's configuration file, /etc/ssh/sshd_config.

Save the file, restart the SSH server, then re-establish the tunnel:

At this point, host B is ready to accept external webhook calls.

dynamic port forwarding

In contrast to dynamic port forwarding, the types of port forwarding described so far are called static port forwarding. "Static" means that the application server's IP address and listening port are fixed. Now imagine a different kind of scenario: configuring your browser to reach websites on another network through port forwarding (for example, reaching a site on the company intranet from home). What characterizes this kind of application is that the target servers' IP addresses and ports are unknown and constantly changing; they cannot be known when the port forwarding is created, and are only determined when each HTTP request is sent. Static port forwarding cannot handle this scenario, so a dedicated method is needed to support it: dynamic port forwarding. SSH dynamic port forwarding is implemented with the SOCKS protocol. Once dynamic port forwarding is established, the SSH tunnel behaves like a SOCKS proxy server: the SSH client accepts SOCKS connections locally and the SSH server makes the outbound connections on its behalf. That is why this kind of forwarding is also called SOCKS forwarding.

The command format for dynamic port forwarding is as follows.

For example:

Note that the target server and port do not need to be specified in the command. After running the above command, the SSH client starts listening on localhost:11080. In the browser's network settings on the local machine, set the SOCKS server to localhost:11080. Each request from the browser is then carried to the SSH server side, which establishes the connection to the target site and relays the traffic.
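As an added example covering the local, remote and dynamic forwarding sections above (this is not the article's own code): the ssh commands the article refers to, written out as comments, followed by a check of the two sshd_config settings that govern them, GatewayPorts and AllowTcpForwarding. The user name, hostB and the webhook port 8080 are assumptions, and the sample sshd_config is constructed.

```shell
#!/bin/sh
# Added example, not from the original article. The forwarding commands the
# article describes, with assumed names (user, hostB, webhook port 8080):
#   ssh -f -N -L 10025:localhost:25 user@hostB      # local: A:10025 -> B:25
#   ssh -f -N -g -L 10025:localhost:25 user@hostB   # -g: also reachable from host C
#   ssh -f -N -R 18080:localhost:8080 user@hostB    # remote: B:18080 -> A:8080
#   ssh -f -N -D 11080 user@hostB                   # dynamic: SOCKS on A:11080
# Whether the -R listener binds all of B's interfaces is decided by sshd's
# GatewayPorts, and AllowTcpForwarding can disable forwarding altogether.
# sshd keeps the FIRST value it reads for a keyword, and everything after a
# "Match" line applies only to that match, so a line appended to the end of
# sshd_config is often silently ineffective. This check reads the global
# section the way sshd does.

sshd_global_option() {   # $1 = config file, $2 = keyword; prints value or nothing
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
        tolower($1) == "match"   { exit }       # conditional section begins
        tolower($1) == key       { print $2; exit }   # first occurrence wins
    ' "$1"
}

forwarding_policy() {    # $1 = config file; prints the effective global policy
    tcp=$(sshd_global_option "$1" AllowTcpForwarding)
    gw=$(sshd_global_option "$1" GatewayPorts)
    echo "AllowTcpForwarding=${tcp:-yes} GatewayPorts=${gw:-no}"   # sshd defaults
}

write_sample_config() {  # $1 = path; a constructed sshd_config, not a real server's
    cat > "$1" <<'EOF'
# constructed sample: GatewayPorts appended at the end, after a Match block
Port 22
GatewayPorts no
AllowTcpForwarding yes
Match User backup
    AllowTcpForwarding no
GatewayPorts yes
EOF
}

cfg=$(mktemp)
write_sample_config "$cfg"
forwarding_policy "$cfg"   # prints: AllowTcpForwarding=yes GatewayPorts=no
rm -f "$cfg"
```

On a real server, `sshd -T` prints the effective values the same way, which is the quickest way to confirm that the line you added actually took effect.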


SSH port forwarding is a very useful technology: used flexibly, it not only solves complicated network problems in engineering projects, but also adds some fun to our lives!
