
SSH Port Forwarding


SSH is typically used for logging into remote servers so you have shell access to do maintenance, read your email, restart services, or whatever administration you require. SSH also offers some other native services, such as file copy (using scp and sftp) and remote command execution (using ssh with a command on the command line after the hostname).

Whenever we SSH from one machine to another, we establish a secure encrypted session. The first article in this SSH series looked at properly verifying a server's host key, so that we can be sure that no attacker is able to perform a man-in-the-middle attack and gain access to read or manipulate what we do in that session. Other articles in this series looked at removing the need for static passwords using SSH user identities, and then using ssh-agent to automate the task of typing passphrases.

SSH also has a wonderful feature called SSH Port Forwarding, sometimes called SSH Tunneling, which allows you to establish a secure SSH session and then tunnel arbitrary TCP connections through it. Tunnels can be created at any time, with almost no effort and no programming, which makes them very appealing. In this article we look at SSH Port Forwarding in detail, as it is a very useful but often misunderstood technology. SSH Port Forwarding can be used for secure communications in a myriad of different ways.

SSH tunneling

An SSH tunnel (sometimes referred to as a VPN) is an encrypted network tunnel created through an SSH connection. SSH is frequently used to tunnel insecure traffic over the Internet in a secure way. For example, Windows machines can share files using the SMB protocol, which is not encrypted. If you were to mount a Windows filesystem remotely through the Internet, someone snooping on the connection could see your files. To mount an SMB file system securely, one can establish an SSH tunnel that routes all SMB traffic to the fileserver inside an SSH-encrypted connection. Even though the SMB traffic itself is insecure, because it travels within an encrypted connection it becomes secure.

In order to create an SSH tunnel, the SSH client is configured to forward a specified remote port and IP address (that is accessible on the SSH server) to a port on the local machine. Once the SSH connection has been established, the user can connect to the specified local port to access the network services that would otherwise be available only at the remote IP address and port.
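To make the mechanism above concrete, here is a small Python relay, added as an example and not code from the original post or from OpenSSH: it does what the client side of a local forward (OpenSSH's `-L` option) does with each connection, listening on a loopback port and copying bytes both ways to a target host and port, which is the plumbing ssh wraps in its encrypted channel. The echo service and the loopback addresses are constructed stand-ins for the remote service and the SSH server.

```python
import contextlib
import socket
import socketserver
import threading

def _pump(src, dst):
    """Copy bytes src -> dst until src closes, then pass the EOF on to dst."""
    with contextlib.suppress(OSError):
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

class _Server(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

class _ForwardHandler(socketserver.BaseRequestHandler):
    def handle(self):
        # One fresh connection to the target per accepted local connection,
        # just as sshd opens one channel for every forwarded stream.
        with socket.create_connection(self.server.target, timeout=5) as remote:
            back = threading.Thread(target=_pump, args=(remote, self.request))
            back.start()
            _pump(self.request, remote)
            back.join()

def start_forwarder(local_port, remote_host, remote_port, bind="127.0.0.1"):
    """Listen on bind:local_port and relay each connection to remote_host:remote_port.
    Binding to 127.0.0.1 (ssh's default) keeps the tunnel private to this host."""
    srv = _Server((bind, local_port), _ForwardHandler)
    srv.target = (remote_host, remote_port)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

class _EchoHandler(socketserver.BaseRequestHandler):
    def handle(self):  # constructed stand-in for the "remote" service
        self.request.sendall(self.request.recv(4096))

def start_echo_server():  # ephemeral loopback port, constructed for the demo
    srv = _Server(("127.0.0.1", 0), _EchoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def send_through(port, payload):
    """Connect to the local end of the tunnel, send payload, return the reply."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        return s.recv(4096)
```

Passing `local_port=0` lets the OS pick a free port, readable afterwards from `srv.server_address`; binding anything other than loopback exposes the forwarded service to every host that can reach this machine.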

SSH tunnels provide a means to bypass firewalls that prohibit certain Internet services, provided that outgoing connections on port 22 are allowed. For example, many institutions prohibit users from accessing Internet web pages (port 80) directly, requiring that all web traffic first pass through a proxy/filter device. However, if users are able to connect to an external SSH server, it is possible for them to create an SSH tunnel that forwards port 80 on an external web server to a given port (probably port 80) on their local machine, and thus access that web page by typing http://localhost in their browser.

More commonly, users may set up their own proxy server at home, using free software such as Squid, and construct a tunnel from their workstation to the proxy. Next, by configuring their browser to use localhost rather than the corporate proxy server, users can access any web page they want, bypassing their company's filters and firewalls.

Another method is to use dynamic port forwarding, which creates a local SOCKS 4/5 proxy server that a user can connect to, effectively creating an encrypted tunnel to the remote SSH server. The user can then configure their applications to use the SOCKS proxy server, usually for bypassing filters and firewalls.