Using this information, readers can learn how to use the SSH port forwarding mechanism to solve everyday problems at work and at home: how to use port forwarding to protect insecure applications in an untrusted network, safeguarding personal privacy and important business information, and how to work around some common obstacles with this technique, for example restrictions imposed by firewalls or by the network application itself.
Part 1: Overview
When you enjoy free WiFi in a cafe, have you ever considered that someone might be stealing your passwords and private information? When the lab firewall blocks the ports your network application needs, have you been one of the victims? Let's take a look at what SSH port forwarding can do for us.
Port Forwarding Overview
Let us first look at the concept of port forwarding. We know that SSH automatically encrypts and decrypts all network data between the SSH client and the SSH server. SSH also provides a very useful feature called port forwarding: it can forward the data of other TCP ports through the SSH connection and automatically provides the corresponding encryption and decryption. This process is sometimes called tunneling, because SSH provides a secure channel through which other TCP connections are transmitted. For example, TCP applications such as Telnet, SMTP and LDAP can benefit from it and avoid transmitting user names, passwords and private information in plain text. Also, if your work environment uses a firewall that restricts network ports but allows SSH connections, you can still use SSH port forwarding for TCP communication. Overall, SSH port forwarding provides two functions:
Encrypting end-to-end data communication between the SSH client and the SSH server.
Getting past firewall restrictions so that TCP connections that previously could not be established can be completed.
After port forwarding is set up, TCP ports A and B no longer communicate directly; their traffic is relayed through the SSH client and server instead, which automatically encrypt the data and bypass the firewall restrictions.
Part 2: Local and remote forwarding
Local forwarding: an example
Let's look at the first example. In the lab there is an LDAP server (LdapServerHost), but it is restricted so that only applications deployed on that machine can connect to the LDAP server directly. If for debugging or testing we need a temporary direct connection to the LDAP server from a remote machine (LdapClientHost), is there any way to achieve this?
The answer is, of course, local port forwarding, whose command format is:
ssh -L <local port>:<remote host>:<remote port> <SSH hostname>
For example, run the following command on LdapClientHost to create a local SSH port forwarding:
$ ssh -L 7001:localhost:389 LdapServerHost
Note that here we chose 7001 as the local listening port. When choosing a port number, keep in mind that non-administrator accounts are not allowed to bind ports 1-1023, so generally pick an unused port number between 1024 and 65535.
Then we configure the application on the remote machine (LdapClientHost) to connect directly to port 7001 on that machine (instead of port 389 on the LDAP server). The data flow then looks like this:
Our application on LdapClientHost sends data to port 7001 on the local machine.
The SSH client on the local machine receives the data on port 7001, encrypts it and forwards it to the SSH server on LdapServerHost.
The SSH server decrypts the received data and forwards it to port 389, where LDAP is listening.
Finally, the data returned from LDAP travels back along the same path, completing the whole process.
We can see that in this whole process the application never connects directly to the LDAP server; it connects to a local listening port, and SSH port forwarding does all the rest: encryption, forwarding, decryption and communication.
Here are a few things to note:
SSH port forwarding is set up over an SSH connection, and we must keep that SSH connection alive for the port forwarding to remain active. Once the connection is closed, the corresponding port forwarding closes too.
We can only create a port forwarding at the moment the SSH connection is established, not add a port forwarding to an existing SSH connection.
You may be wondering why the command above uses localhost, and which machine it refers to. In this case it refers to LdapServerHost. Why do we use localhost rather than an IP address or host name? It depends on how LDAP access was restricted on that machine in the first place. If only access over the loopback interface is allowed, then naturally only localhost or the IP address 127.0.0.1 can be used to reach it, not the real IP address or host name.
Must <SSH hostname> and <remote host> in the command be the same machine? Not necessarily; they can be two different machines. We will elaborate on this in a later example.
Now that we have established a port forwarding on LdapClientHost, can the forwarding be used by other PCs? For example, can a new machine LdapClientHost2 connect directly to port 7001 on LdapClientHost? The answer is no: in mainstream SSH implementations the local port forwarding is bound to the loopback interface, which means only localhost or 127.0.0.1 can use the machine's port forwarding; connections initiated from other machines will only get "connection refused". Fortunately, SSH also provides the GatewayPorts keyword, with which we can share the local port forwarding with other machines:
ssh -g -L <local port>:<remote host>:<remote port> <SSH hostname>
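To make the two points above concrete (the unprivileged-port rule and the difference between a loopback-bound forwarding and one shared with -g), here is an added example that is not part of the original article. forward_args() assembles the ssh -L command line with the port check, and exposed_listeners() reads ss -ltn output (a constructed sample, not captured from a real host) and reports which listening ports other machines could reach; the host names and ports are the article's, everything else is assumed.

```python
"""Build an `ssh -L` command line and audit where its listener is bound.

Added example (not from the original article): forward_args() applies the
unprivileged-port check the article recommends and adds -g (GatewayPorts)
on request; exposed_listeners() parses `ss -ltn` output (constructed sample
below) and lists ports bound to something other than loopback.
"""

LOOPBACK = {"127.0.0.1", "[::1]"}


def forward_args(local_port, remote_host, remote_port, ssh_host, gateway=False):
    """Return argv for `ssh [-g] -L <local>:<remote_host>:<remote_port> <ssh_host>`.

    Ports 1-1023 need root to bind, so the local port must be 1024-65535.
    """
    for port in (local_port, remote_port):
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
    if local_port < 1024:
        raise ValueError(f"local port {local_port} is privileged (1-1023)")
    argv = ["ssh"]
    if gateway:  # -g: listener binds all interfaces, so other hosts can use it
        argv.append("-g")
    argv += ["-L", f"{local_port}:{remote_host}:{remote_port}", ssh_host]
    return argv


# Constructed sample of `ss -ltn` output: 7001 is bound to loopback only
# (plain -L), 7002 is bound to all interfaces (what -g produces).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128        127.0.0.1:7001       0.0.0.0:*
LISTEN 0      128            [::1]:7001          [::]:*
LISTEN 0      128          0.0.0.0:7002       0.0.0.0:*
LISTEN 0      128                *:22             *:*
"""


def exposed_listeners(ss_output):
    """Return {port: bind address} for listeners reachable from other hosts."""
    exposed = {}
    for line in ss_output.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        addr, _, port = cols[3].rpartition(":")  # handles "[::1]:7001" too
        if addr not in LOOPBACK:
            exposed[int(port)] = addr
    return exposed
```

Running exposed_listeners() against real ss -ltn output after starting a forwarding is a quick way to confirm that a port you meant to keep local is not listening on all interfaces.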
Remote forwarding: an example
Let's look at a second example. Assume that because of the network or a firewall we cannot connect directly from LdapClientHost to the LDAP server (LdapServerHost) with SSH, but the reverse connection is allowed. Naturally, this is when we choose remote port forwarding.
Its command format is:
ssh -R <local port>:<remote host>:<remote port> <SSH hostname>
For example, execute the following command on the LDAP server (LdapServerHost):
$ ssh -R 7001:localhost:389 LdapClientHost
Compared with local port forwarding, here the positions of the SSH server and the SSH client are reversed, but the data flow stays the same. Our application on LdapClientHost sends data to port 7001 on the local machine; the SSH server on that machine receives the data on port 7001, encrypts it and forwards it to the SSH client on LdapServerHost. The SSH client decrypts the received data and forwards it to port 389, where LDAP is listening, and finally the data returned from LDAP travels back along the same path, completing the whole process.
Reading this far, are you a little confused? Why is it sometimes called local forwarding and sometimes remote forwarding? What is the difference between the two?
Comparing local and remote forwarding
Yes, SSH server, SSH client, LdapServerHost, LdapClientHost, local forwarding, remote forwarding: so many terms are easy to confuse. Let us analyze the structure. First, SSH port forwarding naturally requires an SSH connection, and an SSH connection has a direction: from the SSH client to the SSH server. Our application also has a direction; for example, when it needs to connect to the LDAP server, the LDAP server is naturally the server end, and the application's connection goes from the application client to the application server. If these two connections point in the same direction, we call it local forwarding. If the two directions differ, we call it remote forwarding.
We can recall the two examples above and compare them.
In the first example, LdapClientHost is both the application client and the SSH client, and both of its connections point to LdapServerHost (which is both the LDAP server and the SSH server).
In the second example, LdapClientHost is the application client but the SSH server, while LdapServerHost is the LDAP server but the SSH client. So the two connections point in opposite directions.
Another easy way to remember it: the server-side ports are predefined, fixed ports (SSH server port 22, LDAP port 389), while the client-side ports are dynamic ports that we choose (7001 in the examples). If both server-side ports are on one machine and both client-side ports are on the other, it is a local forwarding; if the four ports are spread across the two machines so that each machine has one server-side port and one client-side port, it is a remote forwarding.
Having made the distinction clear, let's look at what the two have in common. If your environment allows LdapClientHost to initiate an SSH connection to LdapServerHost and also allows LdapServerHost to initiate an SSH connection to LdapClientHost, then we can choose either local or remote forwarding to accomplish the same function.
Next, let's look at an advanced version of port forwarding. All the connections and forwardings discussed so far involved only two machines. Remember the question we raised under local forwarding: can <SSH hostname> and <remote host> in the local forwarding command be different PCs?
ssh -L <local port>:<remote host>:<remote port> <SSH hostname>
The answer is yes! Let's look at an example involving four machines (A, B, C, D).
On the SSH client (C), run the following command to establish the SSH connection and port forwarding:
$ ssh -g -L 7001:<B>:389 <D>
Then configure our application client (A) to connect to port 7001 on machine (C). Note that we specified the -g parameter in the command to make sure machine (A) can use the local port forwarding established on machine (C). Another point worth noting is that in the connections above, the links between (A) and (C) and between (B) and (D) are not secure connections: there is no SSH encryption and decryption on them. If the network between those machines is not a trusted network, we need to be careful when using this kind of connection.
Part 3: Other types of forwarding
Dynamic forwarding: an example
Well, dynamic forwarding sounds cool. Reading this far, have you noticed that the local and remote forwarding we discussed both assumed that the application server has a fixed port number, such as the LDAP port 389 in the examples? But what if there is no fixed port number? Wait, what kind of applications have no fixed port number? Well, a browser used for web browsing, for example, or MSN.
When we are on an insecure WiFi network, using SSH dynamic forwarding to protect our web browsing and MSN traffic is undoubtedly very necessary. Let's first look at the command format of dynamic forwarding:
$ ssh -D <local port> <SSH Server>
$ ssh -D 7001 <SSH Server>
It looks very simple; we again chose 7001 as the local port number. What this actually creates is an SSH SOCKS proxy service. Take a look at the description of the -D parameter in the manual:
This works by allocating a socket to listen to port on the local
side, and whenever a connection is made to this port, the con-
nection is forwarded over the secure channel, and the applica-
tion protocol is then used to determine where to connect to from
the remote machine. Currently the SOCKS4 and SOCKS5 protocols
are supported, and ssh will act as a SOCKS server. Only root
can forward privileged ports. Dynamic port forwardings can also
be specified in the configuration file.
Once this is set up, we can use localhost:7001 as a normal SOCKS proxy, configuring it directly in the browser or in MSN. Sites that cannot be reached from the SSH client side can now be browsed as well. Note that here the protection of SSH covers only the connection from the browser (SSH client side) to the SSH server; it does not cover the connection from the SSH server to the target site. If the security of that latter half of the connection cannot be fully guaranteed, this approach is still not the right solution.
X protocol forwarding: an example
Finally, let us look at a last example: X protocol forwarding.
In our daily work we often log in remotely to Linux / Unix / Solaris / HP machines for development or maintenance, and often need to run some GUI programs, for example to install DB2 / WebSphere, which requires a graphical interface. There are usually two choices: VNC or X Window; let's look at the latter.
Using X Window usually requires two components: an X client and an X server. In our case the X client is the remote Linux / Unix / Solaris / HP machine we access, and the X server is the local machine from which we initiate the access (for example, the laptop or desktop in front of you). For the X client's windows to be displayed on the X server side, the X server's location must be specified in advance on the X client; the command format is as follows:
export DISPLAY=<X Server host>:<display>.<screen>
export DISPLAY=myDesktop:1.0
X applications can then be run directly, and their windows will automatically open on our local machine.
Everything works fine, but now the IT department suddenly puts a firewall in front of the remote Linux / Unix / Solaris / HP machine. Unfortunately, the X protocol is not on the approved list. What to do? Are we left with VNC only? No: as long as we use SSH port forwarding to get through, we also get encryption of the X traffic, serving two purposes at once. (Of course, before using this method it is best to consult the relevant IT department about compliance with the applicable security regulations, to avoid unauthorized operations.)
Establishing it is also very simple: just initiate the SSH connection from the local machine (X server side) as follows:
$ ssh -X <SSH Server>
Once the connection is established, remote X applications can be run directly. Note that after X forwarding is established the DISPLAY environment variable is set automatically, usually to localhost:10.0; we do not need to, and should not, modify this environment variable after connecting.
A more common scenario is that our local machine runs Windows. Then we can choose the open-source Xming as our X server, and the SSH client can be chosen freely, for example PuTTY or Cygwin SSH, either of which can be configured to establish X forwarding when connecting.
Part 4: Summary
So far we have covered local port forwarding, remote port forwarding, dynamic port forwarding and X forwarding. Looking back, the general idea is to forward the TCP connection through the SSH channel in order to encrypt the data and get past firewall restrictions. For applications with well-known port numbers such as Telnet / LDAP / SMTP, we can use local or remote port forwarding to achieve our goals. With dynamic port forwarding we can set up an encrypted SOCKS proxy and get past firewall restrictions on web browsing. For X applications, X forwarding is undoubtedly the most suitable. Although we only touched briefly on each part, if these techniques are applied flexibly, I believe they will be helpful in our everyday life and work.
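To show what actually travels between the browser and the local ssh when it acts as the SOCKS server described above, here is an added example that is not part of the original article: it encodes the SOCKS5 greeting and CONNECT request a client sends to localhost:7001 and decodes the reply. The byte layouts follow the SOCKS5 specification (RFC 1928); the sample reply is constructed, and the target host and port are assumptions.

```python
"""SOCKS5 messages as exchanged with the proxy that `ssh -D 7001` provides.

Added example, not from the original article. A browser configured to use
localhost:7001 sends a greeting and a CONNECT request to the local ssh, which
opens the target connection from the SSH server side. Sending the target as a
domain name (ATYP 0x03) lets the SSH server resolve it, so the DNS lookup, like
the connection itself, stays inside the tunnel and off the local network.
"""
import struct

SOCKS_VERSION = 5
REPLY_TEXT = {0: "succeeded", 1: "general SOCKS server failure",
              2: "connection not allowed by ruleset", 3: "network unreachable",
              4: "host unreachable", 5: "connection refused", 6: "TTL expired",
              7: "command not supported", 8: "address type not supported"}


def greeting():
    """Client hello offering one auth method: 0x00, no authentication."""
    return bytes([SOCKS_VERSION, 1, 0x00])


def connect_request(host, port):
    """CONNECT (CMD 0x01) request carrying the target as a domain name."""
    name = host.encode("idna")
    if not 1 <= len(name) <= 255:
        raise ValueError("hostname must be 1-255 bytes for SOCKS5")
    return (bytes([SOCKS_VERSION, 0x01, 0x00, 0x03, len(name)])
            + name + struct.pack("!H", port))


def parse_reply(data):
    """Decode a server reply into (ok, description, bound_address)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == 0x01:                                  # IPv4
        addr, off = ".".join(str(b) for b in data[4:8]), 8
    elif atyp == 0x03:                                # domain name
        n = data[4]
        addr, off = data[5:5 + n].decode("idna"), 5 + n
    elif atyp == 0x04:                                # IPv6, shown as raw hex
        addr, off = data[4:20].hex(), 20
    else:
        raise ValueError(f"unknown address type {atyp}")
    (port,) = struct.unpack("!H", data[off:off + 2])
    return rep == 0, REPLY_TEXT.get(rep, f"unknown ({rep})"), f"{addr}:{port}"


# Constructed sample reply: success, with bound address 0.0.0.0:0.
SAMPLE_REPLY = b"\x05\x00\x00\x01\x00\x00\x00\x00\x00\x00"
```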