(originally posted at www.linuxboxadmin.com)
Last time, when we talked about transferring files over OpenSSH, I said you can use port forwarding if you insist on using your favorite FTP client, and we gave a brief HOW-TO there. This time, we'll take a deeper look at port forwarding.
- How port forwarding works.

Normally a network protocol involves two machines, the server and the client, and a link between them. Because the link goes through a messy network, it is insecure if the data is not encrypted. OpenSSH fixes this by turning the one link into three, and using SSH encryption on the link that goes through the public network.

Remember the "email conversation" example we talked about in the first article of this series? Instead of John and the server man talking in the public hall, this time OpenSSH helps both parties equip a device with a microphone and an earphone. When John wants to say something to the server man, he talks into his microphone first. He talks in such a low voice that no one else can hear. Then the device converts his words into some magic ultrasound and sends it out. The device the server man holds receives this ultrasound, translates it back into human-understandable voice, and plays it through the server man's earphone. Now no one passing by can understand what John and the server man are talking about.

This is how port forwarding works: it turns the link from machine A to machine B into three links: A to C, C to D, and D to B. A and C are in one trusted network, or on the same machine (which is the case most of the time), and so are D and B. The link between C and D, which passes through the same physical network that lies between A and B, is now encrypted. So now no data can be spied on.
- Two types of port forwarding: 1. localforward

There are two types of port forwarding, localforward and remoteforward. We'll talk about localforward first. When we talk about "local" and "remote" with OpenSSH, "local" is the machine on which you run the "ssh" command, and "remote" is the machine that runs the sshd service. The FTP over SSH example we used in part 2 is an example of localforward. Let's re-use it here:
and
We already know what the options mean. Now let's look at what happens with these commands:
- The ssh program runs, asks for the password/passphrase, and logs on to remote-host.
- The ssh program binds to port 1234 on the loopback interface (127.0.0.1) of the local machine and listens.
- The lftp program runs and connects to port 1234 of localhost (127.0.0.1). The ssh program gets this request and accepts the connection.
- The ssh program on the local machine talks to the sshd program on remote-host, asking it to establish a connection to remote-host:21.
- The lftp program talks to the ssh program on localhost:1234 in clear text.
- The ssh program on localhost talks to the sshd program on remote-host, with the data encrypted.
- The sshd program on remote-host talks to the FTP server program on remote-host in clear text.

As we said above in the section "How port forwarding works", the socket in the middle is encrypted. And because the other two sockets are each confined to a single machine, the risk of a security problem there is low.

By default, the ssh program on localhost will only listen on the loopback interface (127.0.0.1). This means only programs running on the same machine (localhost) can connect to it. If you want programs on other machines to connect to this channel, you can use the "-g" option:
This gives another use of OpenSSH port forwarding: as a proxy. Say your company blocks port 80 (HTTP) on the firewall but leaves port 22 (SSH) open. One way you can reach the web is:

- Leave your home machine running when you leave home.
- Make an ssh tunnel to your home machine when you get to work:
- Now tell your friends to point their browsers to http://your-workstation:1234, and they'll be visiting the pages on web-server.

Note we used the "-N" option this time instead of "tail -f /etc/motd". This tells the ssh program not to execute a remote command, and keeps the port forwarding tunnel open.
- Two types of port forwarding: 2. remoteforward

Remote forwarding, as the name suggests, binds to a port on the remote machine, and any connection to that port will be forwarded to the local machine.

Here is a typical example of remoteforward: the intranet of the company you work for is protected by a firewall. Connections from the intranet to the internet are allowed, but connections from the internet to the intranet are blocked. Now you have some really important work to do during the weekend, and you'd rather work at home instead of going to the office. Because of the firewall, you can't connect from your home machine to your workstation at work (let's say the VPN has been down for several weeks). Here's what you are going to do:
- Leave your home machine running on Friday.
- Before you leave your workstation for the weekend, run this command:
- After you get home, when you are ready to do some work, run this command on your home machine:

After checking the password/passphrase, you are logged on to the workstation in your office.
So what happens here?
- When you run the first command on your workstation, the "-R" option says this is a remote forward. So the sshd program on your home-machine will bind to port 1234 on the loopback interface (127.0.0.1), and keep the connection with workstation:22 open. Note this connection is initiated by your workstation, so the firewall will let it through.
- When you run the second command on your home-machine, the ssh program connects to 127.0.0.1:1234 on your home-machine. The sshd program is listening on this port and will forward you to workstation:22, as long as the connection is still alive. Now you are on your workstation and you can access the intranet of the company.

Note the "-g" option won't work for remote forwarding. You'll have to modify the ssh configuration files to allow other machines to connect to this ssh tunnel. We'll talk more about ssh configuration files in later articles.
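The local-forward walk-through and the remote-forward one above differ only in which end of the SSH connection accepts the incoming TCP connection (the ssh client for -L, sshd for -R); the relay work each end does is the same. The following Python is an added example, not code from the original post: it models that relay in plain TCP, so it stands in for the two clear-text legs of the walk-through and leaves out the encrypted middle leg entirely. An echo server plays the part of remote-host:21, and listen_host() reproduces the bind-address rule the post describes (loopback only by default, every interface only when asked for with -g; for remote forwards the equivalent knob is sshd's GatewayPorts setting). The port numbers, the "USER anonymous" payload and all function names are assumptions made for this example.

```python
import socket
import threading


def listen_host(gateway_ports=False):
    """Address the forwarder binds to: loopback by default, all interfaces
    only when the caller explicitly asks (the post's -L default vs. -g)."""
    return "0.0.0.0" if gateway_ports else "127.0.0.1"


def _pump(src, dst):
    """Copy bytes from src to dst until src reaches EOF, then close dst's
    write side so the far end sees EOF too."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class Forwarder:
    """Listener that, for every accepted connection, opens a second connection
    to (dest_host, dest_port) and relays bytes both ways. This is what ssh does
    on the listening end of a -L or -R forward, minus the encryption."""

    def __init__(self, bind_host, bind_port, dest_host, dest_port):
        self.dest = (dest_host, dest_port)
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind((bind_host, bind_port))
        self.listener.listen(5)
        self.bound_host, self.bound_port = self.listener.getsockname()[:2]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                client, _ = self.listener.accept()
            except OSError:  # listener closed
                return
            threading.Thread(target=self._relay, args=(client,), daemon=True).start()

    def _relay(self, client):
        try:
            upstream = socket.create_connection(self.dest)
        except OSError:
            client.close()  # far end unreachable: drop the accepted connection
            return
        threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
        _pump(upstream, client)
        upstream.close()
        client.close()

    def close(self):
        self.listener.close()


def start_echo_server():
    """Stand-in for the service behind the tunnel (remote-host:21 in the post):
    echoes back whatever it receives. Returns (listening socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def handle(conn):
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def demo_local_forward(payload=b"USER anonymous\r\n", gateway_ports=False):
    """Constructed scenario: an lftp-like client connects to the forwarder's
    local port and its bytes travel to the echo server and back.
    Returns the bytes the client read back."""
    echo, echo_port = start_echo_server()
    fwd = Forwarder(listen_host(gateway_ports), 0, "127.0.0.1", echo_port)
    try:
        with socket.create_connection(("127.0.0.1", fwd.bound_port)) as client:
            client.sendall(payload)
            client.shutdown(socket.SHUT_WR)  # done talking; wait for the reply
            received = b""
            while True:
                chunk = client.recv(4096)
                if not chunk:
                    break
                received += chunk
    finally:
        fwd.close()
        echo.close()
    return received


if __name__ == "__main__":
    print(demo_local_forward())
```

The bind address is the security-relevant line: with the default of 127.0.0.1 only processes on the same machine can reach the forwarder, while "0.0.0.0" (the -g case) turns it into a service that anyone who can reach that host may use, which is exactly why the post's proxy scenario needs -g and why the default is loopback.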
Tags: freebsd, openssh, port forwarding, ssh