SSH tunneling or SSH port forwarding is a method of creating an encrypted SSH connection between a client and a server machine through which service ports can be relayed.
SSH forwarding is useful for transporting network data of services that use an unencrypted protocol, such as VNC or FTP, accessing geo-restricted content, or bypassing intermediate firewalls. Basically, you can forward any TCP port and tunnel the traffic over a secure SSH connection.
1. Local Port Forwarding with OpenSSH
To use SSH tunneling in Linux, you need to provide your client with the source and destination port numbers, as well as the location of the destination server. The location can either be an IP address or a hostname.
The basic syntax for a local port forward command is straightforward:
ssh -L local_port:destination_server_ip:remote_port ssh_server_hostname
⦁ ssh – Starts the SSH client program on the local machine and establishes a secure connection to the remote SSH server.
⦁ -L local_port:destination_server_ip:remote_port – Connections to local_port on the client are forwarded, through the SSH server, to remote_port on destination_server_ip.
⦁ ssh_server_hostname – This element of the syntax represents the hostname or IP address of the remote SSH server.
2. Dynamic Port Forwarding with OpenSSH
By using the ssh command and the -D argument, you can use your SSH client to create a SOCKS proxy on your local machine.
ssh -D local_port ssh_server_hostname
Running this command with 5534 as local_port opens a SOCKS proxy on port 5534 of your local machine.
You are now able to configure a local resource, like a browser, to use port 5534. All traffic originating from that resource is directed through the SSH connection established for the defined port.
3. Remote Port Forwarding
The purpose of remote forwarding is to allow a remote server to access resources on your local machine. Remote forwarding represents an inversion of the local forwarding process we explored previously.
4. Remote Port Forwarding with OpenSSH
The basic syntax for a remote port forward command is as follows:
ssh -R remote_port:localhost:local_port ssh_server_hostname
SSH Tunneling can be used to add encryption to traffic that otherwise would not be encrypted. If your business had an old legacy application that used telnet to communicate information back to a server, you could secure that connection with an SSH tunnel.
It can also be used for testing applications without opening their ports to the rest of the network. For example, if you were building a web-based application, you could leave ports 80 and 443 closed to the outside on your host firewall and use an SSH tunnel to connect to the web server from your workstation to test its functionality.
Before you can begin, you need to check if forwarding is allowed on the SSH server you’ll connect to.
If you’re using the OpenSSH server, open /etc/ssh/sshd_config in a text editor.
If you find AllowTcpForwarding set to No, change it to Yes. In addition, if you’re going to use remote port forwarding (discussed above), you also have to set GatewayPorts to Yes. Then, you need to restart the server for the change to take effect.
If you’re on Linux, depending upon the init system used by your distribution, run:
sudo systemctl restart sshd
or:
sudo service sshd restart
Again, depending on your distribution, you may find that the service is named ssh instead of sshd.
If you’re on a Mac, you can restart the server like so:
sudo launchctl unload /System/Library/LaunchDaemons/ssh.plist
sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist
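As an added example that is not part of the original article, the following script performs the AllowTcpForwarding and GatewayPorts check described above against a copy of sshd_config, applying sshd's own reading rules (the first occurrence of a keyword wins, keywords are case-insensitive, and only the global section before any Match block counts). The file paths and the sample configuration it builds are constructed for illustration.

```shell
# Added example, not code from the original article: a pre-flight check that reads
# sshd_config the way sshd does before you rely on -L/-D/-R forwarding. Rules mirrored:
# comment and blank lines are skipped, keywords are case-insensitive, the FIRST
# occurrence of a keyword wins, and only the global section (before any "Match"
# block) is consulted. Absent options fall back to the OpenSSH default passed in.
# Assumes POSIX sh plus awk; the config path and keyword are parameters.

# sshd_option CONFIG_FILE KEYWORD DEFAULT  -> prints the effective value, lowercased
sshd_option() {
    awk -v key="$2" -v def="$3" '
        /^[[:space:]]*#/ || NF == 0  { next }                 # comment or blank line
        tolower($1) == "match"       { exit }                 # end of the global section
        tolower($1) == tolower(key)  { print tolower($2); found = 1; exit }
        END                          { if (!found) print def }
    ' "$1"
}

# check_forwarding CONFIG_FILE local|dynamic|remote|remote-public -> exit 0 if permitted.
# "remote-public" is a -R port bound on the server's non-loopback addresses, which
# additionally needs GatewayPorts (default no); plain -R only needs AllowTcpForwarding.
check_forwarding() {
    tcp=$(sshd_option "$1" AllowTcpForwarding yes)   # yes|all|no|local|remote
    gw=$(sshd_option "$1" GatewayPorts no)           # yes|no|clientspecified
    case "$2" in
        local|dynamic) case "$tcp" in yes|all|local)  return 0 ;; esac ;;
        remote)        case "$tcp" in yes|all|remote) return 0 ;; esac ;;
        remote-public) case "$tcp" in yes|all|remote)
                           case "$gw" in yes|clientspecified) return 0 ;; esac ;;
                       esac ;;
    esac
    return 1
}

# Constructed sample config (not any real server's file) exercising the edge cases.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
#AllowTcpForwarding yes
Port 22
allowtcpforwarding No
GatewayPorts yes
AllowTcpForwarding yes
Match User deploy
    AllowTcpForwarding yes
EOF
DEFAULT_CFG=$(mktemp)   # empty file: every option at its OpenSSH default
for kind in local dynamic remote remote-public; do
    check_forwarding "$SAMPLE_CFG" "$kind" && s=allowed || s=denied
    check_forwarding "$DEFAULT_CFG" "$kind" && d=allowed || d=denied
    printf '%-14s sample=%-8s defaults=%s\n' "$kind" "$s" "$d"
done
```

Point it at /etc/ssh/sshd_config on the server you will tunnel through; the sample config shows why the commented-out line and the later duplicate do not count, and why a -R port only becomes reachable beyond the server's loopback address once GatewayPorts is enabled as well.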
If you’re on Windows and want to set up an SSH server, have a look at MSYS2 or Cygwin.
You also need to have an SSH client on the computer you’re working on. On most Unix-like systems, it’s already installed by default. If you’re on Windows 10 and you use Bash on Windows, you can install OpenSSH in it the way you would on a regular Ubuntu system. However, you may need to add the -4 switch, as IPv6 is not supported properly there.
For other versions of Windows, you can use the OpenSSH package from MSYS2 or Cygwin. If you’re not willing to bring an entire Unix-like system onto your computer, try PuTTY.
By creating an SSH tunnel, users apply the data security protections afforded by Secure Shell protocol to data sent over public networks:
Encrypted data and restricted access help ensure the security of your data and network beyond the firewall.
Port forwarding is one of the best methods of protecting your public IP addresses. It makes the end users transparent to the outside while giving you an additional layer of security for your network.