134


Chapter 9. SSH Protocol


9.5.2. Port Forwarding


With SSH you can secure otherwise insecure TCP/IP protocols via port forwarding. When using this


technique, the SSH server becomes an encrypted conduit to the SSH client.


Port forwarding works by mapping a local port on the client to a remote port on the server. SSH allows


you to map any port from the server to any port on the client; the port numbers do not need to match


for it to work.


To create a TCP/IP port forwarding channel which listens for connections on the localhost, use the


following command:


ssh  L local port:remote hostname:remote port username@hostname


Note


Setting up port forwarding to listen on ports below 1024 requires root access.


So if you want to check your email on a server called mail.domain.com using POP through an en 


crypted connection, you can use the following command:


ssh  L 1100:mail.domain.com:110 mail.domain.com


Once the port forwarding channel is in place between your machine and the mail server, you can direct


a POP mail client to use port 1100 on localhost to check for new mail. Any requests sent to port 1100


on your system will be directed securely to the mail.domain.com server.


If mail.domain.com is not running an SSH server daemon, but you can log in via SSH to a machine on


the same network, you can still use SSH to secure the part of the POP connection. However, a slightly


different command is necessary:


ssh  L 1100:mail.domain.com:110 other.domain.com


In this example, POP requests from port 1100 on your machine are forwarded through the SSH con 


nection on port 22 to the ssh server, other.domain.com. Then,


other.domain.com


connects to port


110 on


mail.domain.com


to allow you to check for new mail. Note that by using this technique,


only the connection between your system and


other.domain.com


is secure.


Port forwarding can also be used to get information securely through network firewalls. If the firewall


is configured to allow SSH traffic via its standard port (22) but block access to other ports, a connection


between two hosts using the blocked ports is still possible by redirecting their communication over an


established SSH connection.


Note


Using port forwarding to forward connections in this manner allows any user on the client system


to connect to the service to which you are forwarding connections. If the client system becomes


compromised, the attacker will also have access to forwarded services.


System administrators concerned about port forwarding can disable this functionality on the server by


specifying a No parameter for the AllowTcpForwarding line in /etc/ssh/sshd_config and restarting


the sshd service.








footer






  


 


 


        

 


 

  

    

      
      
 Home 
      | About Us | Network 
      | Services | Support 
      | FAQ | Control Panel 
      | Order Online |
      Sitemap | Contact

      

      tomcat hosting

      
 

    

  

  




Our partners: 
PHP: Hypertext Preprocessor Best Web Hosting
Java Web Hosting
Inexpensive Web Hosting 
Jsp Web Hosting 




Cheapest Web Hosting
Jsp Hosting
Cheap Hosting



Visionwebhosting.net Business web hosting division of Web 
Design Plus. All rights reserved