SSH: Port forwarding
Last update: 2004/11/5
Since 2000/11/23
- SSH: Port forwarding
- X11 forwarding
- TCP/IP port forwarding
Create a port at local side
Create a port at SSH server side
- Comments
No setting required in sshd_config, ssh_config, or TCP wrappers. The sshd_config shipped with the packages below allows both TCP forwarding (AllowTcpForwarding) and X11 forwarding (X11Forwarding); on a server whose administrator has set either option to no, the corresponding forwarding fails even though the ssh login itself succeeds. Tested with:
openssh-2.5.2p2-5 on Red Hat Linux release 7.1 (Seawolf)
openssh-3.6.1p2 on Fedora Core release 1 (Yarrow)
- X11 forwarding
Connect with ssh -X soleil (or set ForwardX11 yes in ssh_config). sshd sets DISPLAY in the remote session to a proxy display of its own, and X clients started there reach the local X server through the SSH connection; ssh installs the needed xauth cookie on the remote side, so no xhost change is required.

Figure by Kiyoharu Hashimoto.
- TCP/IP port forwarding (1) -- create a port at the local side (ssh -L)
- Diagram
ssh -L port:host:hostport server opens port on the machine where ssh runs. Each connection to it is carried through the SSH session to server, which then connects on to host:hostport, so host is resolved and reached from server, not from the client. Unless -g (or GatewayPorts yes in ssh_config) is given, port is bound to the loopback interface only.

Figure by Shigeo Yashiro.

Figure by Kiyoharu Hashimoto.
- Sample 1 -- secure ftp connection (login over an SSH tunnel)
(on a window)
lune$ ssh -L 12345:soleil:21 soleil
(on the other window)
lune$ ftp localhost 12345
Connected to localhost.
220 soleil FTP server (Version wu-2.4(3) Mon Oct 14 17:53:16 JST 1996) ready.
Name (localhost:yashiro):
331 Password required for yashiro.
Password: my-PW
230 User yashiro logged in.
ftp> passive
Passive mode on.
Only the control connection (soleil port 21) goes through the tunnel, so the user name and password are protected. The data connections are not: in passive mode the ftp client connects directly to the address and port that soleil announces in its PASV reply, so directory listings and file contents travel in the clear and need a direct path to soleil. Passive mode is required here because in active mode the PORT command would ask soleil to connect back to 127.0.0.1, that is, to soleil itself. To copy files with encryption, use scp through a tunnel as in Sample 3 below.
- Sample 2 -- Access a web server inside the FW from the Internet via a DMZ host.
Suppose lune is a host in the DMZ, etoile is a web server, and soleil is a host inside the FW.
Only ssh connections are allowed between outside and the DMZ, and between the DMZ and inside.
Tested with cygwin on Windows XP.
(on a window)
lune$ ssh -L 3000:etoile:80 soleil
{ lune:3000 -- (SSH) --> soleil ---> etoile:80 }
(on the other window)
$ ssh -L 4000:localhost:3000 lune
{ local:4000 -- (SSH) --> lune ---> lune:3000 }
(on Netscape, enter the following URL)
Note that lune:3000 is bound to lune's loopback interface, so it is usable only from lune itself; this is why the second command forwards to localhost:3000 (resolved on lune) instead of exposing port 3000 to the whole DMZ with -g. Every hop is an ordinary ssh session, so each one can be restricted by the usual sshd controls (AllowTcpForwarding, authorized_keys permitopen) on the host where it terminates.
- Sample 3 -- Copy files between the Internet and inside of the FW via a DMZ host.
Suppose lune is a host in the DMZ, and soleil is a host inside the FW. The file to copy is named source_file.
Only ssh connections are allowed between outside and the DMZ, and between the DMZ and inside.
Tested with cygwin on Windows XP.
(on a window)
$ ssh -L 4000:soleil:22 lune
{ local:4000 -- (SSH) --> lune ---> soleil:22 }
(on the other window)
$ scp -P 4000 source_file localhost:
$ scp -P 4000 localhost:source_file .
Here scp is talking to soleil's sshd, so the host key it is offered is soleil's, but ssh records it in known_hosts under the name localhost. Check the fingerprint on the first connection, and if different inside hosts are reached through local port 4000 at different times, pass the ssh option HostKeyAlias=soleil (scp -o HostKeyAlias=soleil ...) so the key is stored under the real host name instead of colliding with other "localhost" entries and producing host key mismatch warnings.
- TCP/IP port forwarding (2) -- create a port at the SSH server side (ssh -R)
- Diagram

Figure by Shigeo Yashiro.
- Sample 1
(on a window)
lune$ ssh -R 3000:etoile:80 soleil
{ soleil:3000 -- (SSH) --> lune ---> etoile:80 }
With -R the roles are reversed: the listening port is opened on the SSH server (soleil), and each connection to it is carried back to the client (lune), which then connects on to etoile:80; etoile is therefore resolved and reached from lune. The port is bound to soleil's loopback interface unless sshd_config on soleil has GatewayPorts yes.
- Sample 2 -- SSH access from a LAN host to a private-address host behind a router.
Suppose etoile is a host behind the router (a private address that the LAN cannot reach), and soleil is a host on the LAN.
(on the private-address host)
etoile$ ssh -R 3000:localhost:22 soleil
{ soleil:3000 -- (SSH) --> etoile ---> etoile:22 }
(on the host where the remote port was created)
soleil$ ssh -p 3000 localhost
{ soleil:3000 -- (SSH) --> etoile -- (SSH) --> etoile:22 }
Here localhost in the -R argument is resolved on etoile (the SSH client), so the forward lands on etoile's own sshd. The tunnel exists only while etoile's ssh session to soleil stays open, and the second command is authenticated by etoile's sshd, so the host key offered is etoile's even though the name typed is localhost.
- Comments
- To check ports, the following commands are helpful.
$ netstat -all | grep tcp
# tcpdump -nnn host hostname
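An added check for the forwarded ports themselves (example code written for this page, not part of the original): the -L and -R ports above are bound to the loopback interface unless -g or GatewayPorts yes was used, and a listener on 0.0.0.0 or :: means every host that can reach the machine can use the tunnel. The functions below read netstat -an output (the -n keeps addresses numeric, so the bind address is visible) and report where each port is listening. The netstat lines embedded in the block are constructed sample output, not a capture from lune or soleil; the hostnames in the comments are the ones used on this page.

```shell
#!/bin/sh
# Added example: verify where a forwarded port is listening.
# Usage with a live tunnel (hostnames from this page):
#   ssh -f -N -L 3000:etoile:80 soleil      # -f -N: background, no remote command
#   netstat -an | check_fwd_port 3000

# Print "bind-address port" for each TCP listener in `netstat -an` output
# (Linux net-tools layout: proto recv-q send-q local foreign state).
listeners() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
        port = $4; sub(/.*:/, "", port)        # text after the last colon
        addr = $4; sub(/:[0-9]+$/, "", addr)   # everything before it
        print addr, port
    }'
}

# Report the bind address of listening port $1, reading netstat output from stdin.
# Returns 0 for loopback only, 2 when the port is open to other hosts
# (0.0.0.0 or ::, as produced by ssh -g / GatewayPorts yes), 1 if absent.
check_fwd_port() {
    addr=$(listeners | awk -v p="$1" '$2 == p { print $1; exit }')
    if [ -z "$addr" ]; then
        echo "port $1: not listening"
        return 1
    fi
    case $addr in
        127.*|::1) echo "port $1: loopback only ($addr)"; return 0 ;;
        *)         echo "port $1: EXPOSED on $addr"; return 2 ;;
    esac
}

# Constructed sample of `netstat -an` output (not a real capture): an sshd
# on 22, a loopback-only -L forward on 3000, and a forward started with -g
# on 4000.
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3000          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:4000            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.5:22          192.168.1.9:51234       ESTABLISHED'

# Stand-alone demo over the sample; "|| :" keeps going after a non-zero code.
for p in 3000 4000 5000; do
    printf '%s\n' "$SAMPLE" | check_fwd_port "$p" || :
done
```

On a real host replace the sample with `netstat -an | check_fwd_port 3000`; a result of EXPOSED on a DMZ host such as lune means the tunnel is reachable by anyone who can reach lune, not just by the local user.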
Port forwarding test with SSH V1.2.2 (2001/5/30)