GNU/Linux Desktop Survival Guide
by Graham Williams |
|||||
SSH Tunnelling |
Tunnelling allows connections to be made to remote services through an encrypted connection. This is useful if there is a firewall preventing your access to a server from one machine, but you do have access to the server from another machine to which you can use ssh to connect.
Ssh uses port forwarding to establish a connection between a local port and the port which runs the service to be tunnelled on the remote machine (which might be POP or FTP or HTTPS, for example). Once port forwarding is set up you connect to the local port which then forwards the connection through ssh to the remote port. That is, all requests sent to the local port are forwarded to the remote port and thus encrypted, and from the remote port it appears you are actually on that remote host.
Tunnelling requires the remote host to be running an ssh server, which can be checked using telnet to connect to port 22:
$ telnet lynx.togaware.com 22 |
You will either receive a message stating the version of the remote ssh server or an error message similar to:
telnet: Unable to connect to remote host: Connection refused |
The ssh syntax for port forwarding is:
$ ssh -f [kayon@alpine] -L [local port]:[alpine]:[remote port] [command] |
A useful example is tunnelling of POP as described in Section 24.10. We list a number of actual examples here:
Suppose you want to access your secure https server from outside the secure network. The https server uses port 443. suppose you have ssh access to host lynx. Establish the tunnel with:
$ ssh -2 -n -N -f -a -C -L 5443:admin.hq.togaware.com:443 lynx sleep 1000d |
Then you can access this firewall protected HTTPS server locally through https://localhost:5443/.
Here's an example using POP:
$ ssh -2 -n -N -f -a -L 5143:mail-bt:143 lynx sleep 1000d |
Then you can access the POP server on your local machine.