Recipe 6.14 Tunneling Another TCP Session Through SSH

6.14.1 Problem

You want to secure a client/server TCP connection such as POP, IMAP, NNTP (Usenet news), IRC, VNC, etc. Both the client and server must reside on computers that run SSH.

6.14.2 Solution

Tunnel (forward) the TCP connection through SSH. To secure port 119, the NNTP protocol for Usenet news, which you read remotely from news.example.com:

$ ssh -f -N -L12345:localhost:119 news.example.com

While this tunnel is open, read news via local port 12345, e.g.:

$ export NNTPSERVER=localhost
$ tin -r -p 12345

6.14.3 Discussion

Tunneling or port forwarding uses SSH to secure another TCP/IP connection, such as an NNTP or IMAP connection. You first create a tunnel, a secure connection between an SSH client and server. Then you make your TCP/IP applications (client and server) communicate over the tunnel, as in Figure 6-1. SSH makes this process mostly transparent.

Figure 6-1. SSH forwarding or tunneling

The SSH command:

$ ssh -f -N -L12345:localhost:119 news.example.com

establishes a tunnel between localhost and news.example.com. The tunnel has three segments:

Therefore, when your local news client connects to localhost port 12345:

$ tin -r -p 12345

the connection operates through the tunnel to the remote news server on news.example.com. Data is sent back from the news server to the news client by the same process in reverse.

The general syntax for this forwarding command is:

$ ssh -f -N -Llocal_port_number:localhost:remote_port_number remote_host

local_port_number is arbitrary: select an unused port number higher than 1024. The -N option keeps the tunnel open without the need to run a remote command.

6.14.4 See Also

ssh(1) and sshd(8) discuss port forwarding and its configuration keywords briefly.

The target host of the forwarding need not be localhost, but this topic is beyond the scope of our cookbook. For more depth, try Chapter 9 of SSH, The Secure Shell: The Definitive Guide (O'Reilly).