You’re probably already familiar with using SSH commands to access remote systems. The protocol behind the SSH command allows terminal inputs and outputs to flow through secure channels. But did you know that you can also use SSH to securely send and receive other data? One way is to use “port Forwarding,” which allows you to securely connect to a network port during an SSH session. This article shows you how it works.
About the port
Standard Linux systems have a set of network ports assigned, ranging from 0 to 65535. The system reserves ports 0 to 1023 for system use. On many systems, you can’t choose to use these low-end slogans. There are usually several ports for running specific services. You can find these definitions in the /etc/services file on your system.
You can think of a network port as similar to a physical port or a jack that can be connected to a cable. Ports can be connected to a service on the system, similar to the wiring behind a physical jack. One example is the Apache Web server (also known as HTTPD). Web servers typically require port 80 on the host system for HTTP insecure connections and 443 for HTTPS secure connections.
When you connect to a remote system (for example, using a Web browser), you “connect” the browser to a port on your host. This is usually a random, high-end slogan, such as 54001. The port on your host connects to the port on the remote host (for example, 443) to access its secure Web server.
So why use port forwarding when you have so many ports available? These are common situations in the life of a Web developer.
Local port forwarding
Imagine that you are doing Web development on a remote system named remote.example.com. Typically, you enter this system via SSH, but it is behind a firewall that rarely allows other types of access and blocks most other ports. To try out your web application, it helps to be able to access remote systems using a browser. However, thanks to the pesky firewall, you can’t access it the normal way of typing a URL into a browser.
Local forwarding allows you to set up ports accessible through remote systems over an SSH connection. This port appears on the system as a local port (hence “local forwarding”).
Assume your network application is running on port 8000 on remote.example.com. To forward port 8000 on that system locally to port 8000 on your system, use the -l option with SSH at the start of the session:
$ ssh -L 8000:localhost:8000 remote.example.com
Copy the code
Wait, why are we using localhost as a forwarding target? This is because from remote.example.com’s point of view, you are asking the host to use its own port 8000. (Recall that any host can usually connect to itself via a network connection to Localhost.) That port is now connected to port 8000 on your system. Once the SSH session is ready, leave it open and you can view your Web application by typing http://localhost:8000 into your browser. Traffic between systems can now be safely transmitted over SSH tunnels!
If you have sharp eyes, you may have noticed something. What if we want remote.example.com to forward to a different hostname than localhost? If it has access to a port on another system on that network, it can usually forward that port just as easily. For example, suppose you want to access the MariaDB or MySQL service of db.example.com that is also on the remote network. The service normally runs on port 3306. So even if you can’t SSH to the actual db.example.com host, you can use this command to forward it:
$ ssh -L 3306:db.example.com:3306 remote.example.com
Copy the code
Now you can run the MariaDB command on localhost while actually using the db.example.com host.
Remote port forwarding
Remote forwarding lets you do the opposite. Imagine you’re designing a Web application for your friends in the office and want to show them what you’re doing. Unfortunately, though, you’re working in a coffee shop and because of network Settings, they can’t access your laptop over an Internet connection. However, you are also using the remote.example.com system in your office and can still log in there. Your Web application seems to be running fine on port 5000.
Remote port forwarding allows you to tunnel a port from a local system over an SSH connection and make the port available on a remote system. To start an SSH session, simply use the -r option:
$ ssh -R 6000:localhost:5000 remote.example.com
Copy the code
Now, when friends open a browser within the corporate firewall, they can go to http://remote.example.com:6000 to see your work. Just as in the local port forwarding example, the communication takes place securely over an SSH session.
By default, the SSHD daemon runs on the host you set up, so only that host can connect to its remote forwarding port. Suppose your friend wants to be able to show your work to other example.com company hosts who are not on remote.example.com. You need to have the owner of the remote.example.com host add one of the following options to /etc/ssh/sshd_config:
GatewayPorts yes # or
GatewayPorts clientspecified
Copy the code
The first option means that all network interfaces on remote.example.com can use ports that are remotely forwarded. The second means that the client establishing the tunnel can choose the address. By default, this option is set to no.
With this option, you as an SSH client must still specify the interface that can share your side of the forwarding port. This is done by adding a network address range before the local port. There are several ways to do this, including:
$ ssh -R *:6000:localhost:5000 # All networks$SSH - R 0.0.0.0:6000: localhost: 5000# All networks$SSH - R 192.168.1.15:6000: localhost: 5000# Single network
$ ssh -R remote.example.com:6000:localhost:5000 # Single network
Copy the code
Other Matters needing attention
Note that port numbers do not have to be the same on local and remote systems. In fact, sometimes you may not even be able to use the same port. For example, regular users may not forward to the system port in the default Settings.
In addition, you can restrict forwarding on the host. This may be important if you need tighter security on networked hosts. The SSHD daemon process’s PermitOpen option controls whether and which ports are available for TCP forwarding. The default setting is any, which makes all the examples above work. To disable any port forwarding, select None, or only the specific “host: port” allowed. For more information, search PermitOpen in the man pages to configure the SSHD daemon:
$ man sshd_config
Copy the code
Finally, remember that port forwarding only happens when the SSH session is open. If you want to keep forwarding active for a long time, try running the session in the background with the -n option. Make sure the console is locked to prevent it from being usurped when you leave the console.
Via: fedoramagazine.org/using-ssh-p…
By Paul w. Frields, lujun9972
This article is originally compiled by LCTT and released in Linux China