Wednesday, November 21, 2018

How to set up SSH port forwarding in Linux

What is "Port Forwarding" or "Tunneling"?

In addition to the direct access provided by the "ssh" and "scp" commands, the SSH protocol includes a feature called "Port Forwarding", or "Tunneling". This can be used to provide secure access to other services that do not normally encrypt data during transmission.

For example, to receive email, many email programs use the (unencrypted) POP3 protocol to connect to a mail server on port 110. If we can SSH to the mail server before downloading our mail, we can configure the SSH session to "forward" port 110 through the encrypted SSH link. Now, if we configure our email client to connect to port 110 on our local machine, it will in fact be connecting to the remote mail server, but all the data, (i.e. our incoming email), will be transferred over the encrypted SSH link.

If we also forward port 25, (which normally handles SMTP, the outgoing email protocol), then both incoming and outgoing email will be encrypted. Any number of ports can be forwarded in a single SSH session. For example, we could also forward port 80, (HTTP), to provide secure access to a corporate web server.

In effect, it is usually possible to create a pretty good approximation to a VPN, (Virtual Private Network), just by forwarding a handful of common ports, and using scp, (or WinSCP), to transfer files. In fact, a VPN is roughly equivalent to an SSH session where everything is being forwarded over a single secure channel.


To create a TCP/IP port forwarding channel which listens for connections on the localhost, use the following command:

ssh -L local-port:remote-hostname:remote-port username@hostname

Example:
ssh -L 8888:it.i88.ca:80 user@mySSHServer -N
ssh -L 8888:it.i88.ca:80 -L 110:mail.i88.ca:110 \
    -L 25:mail.i88.ca:25 user@mySSHServer -N
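As an added example (not from the original post), the following POSIX shell helper assembles the -L options for a multi-port tunnel like the one above and prints the resulting ssh command. It goes slightly beyond the post's form in two ways: it uses OpenSSH's [bind_address:]port:host:hostport syntax to pin every listener to 127.0.0.1 explicitly, and it flags local ports below 1024 (110 and 25 here), which need root to bind. The host names are the post's; the function names forward_args, is_port and tunnel_cmd are chosen here.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the -L arguments for a
# multi-port tunnel, rejecting malformed specs and binding each local listener
# to 127.0.0.1. Nothing is connected to until the printed command is run.

# is_port N -> true if N is an integer in 1..65535
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# forward_args SPEC... -> prints "-L 127.0.0.1:LPORT:HOST:RPORT" per spec
# Each SPEC is LPORT:HOST:RPORT, the same form the post uses.
# Returns 1 if any spec was malformed (that spec is skipped).
forward_args() {
    status=0
    for spec in "$@"; do
        case "$spec" in
            *:*:*:*|*:*:*) ;;
            *) echo "bad forward spec: $spec" >&2; status=1; continue ;;
        esac
        lport=${spec%%:*}
        rest=${spec#*:}
        host=${rest%%:*}
        rport=${rest##*:}
        # exactly two colons, a non-empty host and two valid ports
        case "$rest" in *:*:*) echo "bad forward spec: $spec" >&2; status=1; continue ;; esac
        if [ -z "$host" ] || ! is_port "$lport" || ! is_port "$rport"; then
            echo "bad forward spec: $spec" >&2; status=1; continue
        fi
        # local ports below 1024 (110 and 25 in the post) can only be bound by root
        if [ "$lport" -lt 1024 ]; then
            echo "note: local port $lport is privileged; run as root or choose a high port" >&2
        fi
        printf -- '-L 127.0.0.1:%s:%s:%s\n' "$lport" "$host" "$rport"
    done
    return $status
}

# tunnel_cmd DEST SPEC... -> prints the complete ssh command line
# -N: forward ports only, no remote shell.
# ExitOnForwardFailure=yes: exit instead of silently running without a
# listener when a local port is already in use.
tunnel_cmd() {
    dest=$1; shift
    args=$(forward_args "$@") || return 1
    set -- $args
    printf 'ssh -N -o ExitOnForwardFailure=yes'
    printf ' %s' "$@"
    printf ' %s\n' "$dest"
}

# usage with the post's hosts
tunnel_cmd user@mySSHServer 8888:it.i88.ca:80 110:mail.i88.ca:110 25:mail.i88.ca:25
```

The printed command can be pasted into a terminal or wrapped in a systemd user service; because the listeners are bound to 127.0.0.1, other machines on the LAN cannot use the tunnel even if GatewayPorts were enabled on the client side.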

To check email on a server called mail.example.com using POP3 through an encrypted connection, use the following command:

ssh -L 1100:mail.example.com:110 mail.example.com

Once the port forwarding channel is in place between the client machine and the mail server, direct a POP3 mail client to use port 1100 on the localhost to check for new mail. Any requests sent to port 1100 on the client system are directed securely to the mail.example.com server.

If mail.example.com is not running an SSH server, but another machine on the same network is, SSH can still be used to secure part of the connection. However, a slightly different command is necessary:

ssh -L 1100:mail.example.com:110 other.example.com

In this example, POP3 requests from port 1100 on the client machine are forwarded through the SSH connection on port 22 to the SSH server, other.example.com. Then, other.example.com connects to port 110 on mail.example.com to check for new mail. Note that with this technique only the connection between the client system and the other.example.com SSH server is secure; the final hop from other.example.com to port 110 on mail.example.com is ordinary unencrypted POP3.

SSH also supports dynamic port forwarding via SOCKS. SOCKS defines a standard mechanism for a client to connect to a server by way of a proxy. SSH can serve as the proxy, allowing you to connect to shell.example.org and make connections from there to an arbitrary server such as mail.example.net. Simply run:

ssh -D1080 shell.example.org

to make the connection to shell.example.org and start a SOCKS proxy on localhost port 1080.
(There is no space between "-D" and "1080"; at least, that is what works on my Fedora 18 system.)
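Whether a tunnel endpoint was created with -L or -D, the arrangement is only as safe as the local listener's bind address: a SOCKS listener on 0.0.0.0:1080 turns the client into an open proxy for every host that can reach it. The following added example (not part of the original post) checks the tunnel ports against the output of ss -ltn and reports any that are listening on a non-loopback address. The function name check_loopback_listeners and the SAMPLE text are constructed here for illustration; in use, pipe the real command output into the function.

```shell
#!/bin/sh
# Added example, not from the original post. Reads `ss -ltn` output on stdin
# and verifies that the given local ports are bound to loopback only.
# Real usage:   ss -ltn | check_loopback_listeners 1100 1080

# check_loopback_listeners PORT...  (ss -ltn output on stdin)
# Prints one line per matching listener. Exit status:
#   0  every given port listens on 127.0.0.1 or [::1] only
#   1  at least one given port listens on another address
#   2  a given port has no listener at all (and none were exposed)
check_loopback_listeners() {
    status=0
    input=$(cat)
    for port in "$@"; do
        found=0
        # field 4 of `ss -ltn` is Local Address:Port, e.g. 127.0.0.1:1100 or 0.0.0.0:1080
        for addr in $(printf '%s\n' "$input" | awk -v p="$port" 'NR > 1 && $4 ~ (":" p "$") { print $4 }'); do
            found=1
            case "$addr" in
                127.0.0.1:*|"[::1]":*) echo "ok   $addr (loopback only)" ;;
                *) echo "WARN $addr is reachable from other hosts"; status=1 ;;
            esac
        done
        if [ "$found" -eq 0 ]; then
            echo "MISS no listener on port $port"
            [ "$status" -eq 1 ] || status=2
        fi
    done
    return $status
}

# Constructed sample of `ss -ltn` output (not captured from a real system):
# the POP3 forward is loopback-only, the SOCKS proxy was bound to all interfaces.
SAMPLE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:1100      0.0.0.0:*
LISTEN 0      128    [::1]:1100          [::]:*
LISTEN 0      128    0.0.0.0:1080        0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'

printf '%s\n' "$SAMPLE" | check_loopback_listeners 1100 1080 || echo "tunnel endpoints need attention"
```

Run the check right after the ssh command returns, or from a cron job on a machine that keeps long-lived tunnels; a WARN line means the forward was started with an explicit bind address other than 127.0.0.1 or with GatewayPorts enabled, and the listener should be restarted on loopback.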

In Fedora, I configured the proxy settings as follows: System, Preferences, Internet and Network, Network Proxy.