A collection of commands, with diagrams, that clears up the often confusing question of how to establish an SSH tunnel



'SSH port forwarding' is a technique that encrypts traffic to one port with SSH and forwards it to a port on another server. SSH port forwarding is also called an 'SSH tunnel' because data travels from port to port through a tunnel. It is a convenient technique, but the direction in which the tunnel is established is a frequent source of confusion: which port gets forwarded to which? Engineer Linmoiao Xu has put together diagrams of such SSH tunnels together with the corresponding commands.

Visual guide to SSH tunnels
https://robotmoon.com/ssh-tunnels/

◆ Types of port forwarding
SSH tunnels are known as a way to reach, from outside, services that are open only to an internal network, and as a way to encrypt communications. The most commonly used form is 'local port forwarding', which forwards a port on the local server (blue in the figure) to the remote server (orange) via the SSH server.



The counterpart of local port forwarding is 'remote port forwarding', which establishes the SSH tunnel from the remote server back to the local server, as shown in this figure. It is used when you want to 'pull' an SSH tunnel into a server that is not reachable from the Internet.



'Dynamic port forwarding' is a mechanism that lets you communicate with other servers from a SOCKS proxy on the local server, via the SSH server. It is used when you want connections from the local server to appear to come from the SSH server's fixed IP address.



◆ Local port forwarding
Local port forwarding is performed with the '-L' option. In the example below, traffic addressed to '127.0.0.1:8080' on the local server is forwarded to 'example.org:80' via the SSH server.

[code] ssh -L 127.0.0.1:8080:example.org:80 ssh-server [/code]




If the local server's IP address is omitted or the wildcard '*' is used, all traffic to the specified port number is forwarded.

[code] ssh -L 8080:example.org:80 ssh-server
ssh -L *:8080:example.org:80 ssh-server [/code]




If you want the SSH server itself to be the forwarding destination rather than an intermediate hop, specify '127.0.0.1' as the destination IP address. In the example below, connections to 192.168.0.1:5432 on the local server end up at port 5432 on the SSH server.

[code] ssh -L 192.168.0.1:5432:127.0.0.1:5432 ssh-server [/code]




◆ Remote port forwarding
The basic form of remote port forwarding, using the '-R' option, is as follows. In the figure, traffic to port 8080 on the SSH server is forwarded to port 80 on the local server.

[code] ssh -R 8080:localhost:80 ssh-server [/code]




If you also specify an IP address on the SSH server side, only traffic addressed to that IP address is forwarded.

[code] ssh -R 1.2.3.4:8080:localhost:80 ssh-server [/code]




If you specify a destination other than localhost, traffic arriving at the SSH server is first forwarded to the local server, which then forwards it on to the specified IP address or host name.

[code] ssh -R 8080:example.org:80 ssh-server [/code]




◆ Dynamic port forwarding
'Dynamic port forwarding' is performed with the '-D' option. In the figure, all traffic to port 3000 on the local server is forwarded to the SSH server.

[code] ssh -D 3000 ssh-server [/code]




If you want to restrict which connections are forwarded by the address they are sent to, specify the IP address on the local server in the same way as for local and remote port forwarding.

[code] ssh -D 127.0.0.1:3000 ssh-server [/code]




◆ Others
An established SSH tunnel simply ends if the connection is lost because of some failure. The 'autossh' command monitors whether the SSH tunnel is still alive and reconnects it when it is not.

[code] autossh -R 2222:localhost:22 ssh-server [/code]




autossh normally opens a separate monitoring port to check whether the SSH tunnel is alive, but if you specify the '-M 0' option it instead re-establishes the tunnel whenever the ssh process started by autossh exits, so no monitoring port is needed.

If you want to use a so-called 'well-known port' (a port number below 1024) for forwarding, you need to run the command with root privileges.



When forwarding traffic to a server other than localhost, the IP address must be specified in the 'GatewayPorts' option in '/etc/ssh/ssh_config' on the server that originates the forwarding. To allow forwarding for all IP addresses, specify 'yes'.

[code] GatewayPorts IP address or GatewayPorts yes [/code]
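As an added example (not code from the original article or from the linked guide), here is a small POSIX shell script that parses the '-L', '-R' and '-D' forwarding specs shown above and prints, for each tunnel, which machine listens, on which port, how exposed that listener is, and whether a well-known port is involved. The function names and output format are this example's own; the bind-address interpretation follows ssh(1).

```shell
#!/bin/sh
# Added example, not from the original article or the linked guide: parses the
# forwarding specs given to ssh -L / -R / -D and reports where each tunnel
# listens and how exposed the listener is (loopback only, every interface, or
# left to GatewayPorts). Function names are this example's own; no IPv6 brackets.
# Number of colon-separated fields in "$1".
field_count() {
    rest=$1; n=1
    while [ "$rest" != "${rest#*:}" ]; do
        rest=${rest#*:}; n=$((n + 1))
    done
    echo "$n"
}

# Sets BIND (bind address, "" if omitted) and PORT (listening port) from a
# spec: -L/-R take [bind:]port:host:hostport, -D takes [bind:]port.
parse_spec() {
    spec=$2
    case "$1:$(field_count "$spec")" in
        L:4|R:4|D:2) BIND=${spec%%:*}; spec=${spec#*:} ;;
        L:3|R:3|D:1) BIND="" ;;
        *) echo "bad spec for -$1: $spec" >&2; return 1 ;;
    esac
    PORT=${spec%%:*}
}

# Exposure of the listener, judged from its bind address as ssh(1) describes it.
scope_of_bind() {
    case "$1" in
        "")                  echo "default (follows GatewayPorts)" ;;
        "*")                 echo "all interfaces" ;;
        localhost|127.0.0.1) echo "loopback only" ;;
        *)                   echo "address $1 only" ;;
    esac
}

# One-line audit: -L/-D listen on the local server, -R on the SSH server;
# a well-known port (below 1024) is flagged because binding it needs root.
audit_tunnel() {
    parse_spec "$1" "$2" || return 1
    host="local server"; [ "$1" = R ] && host="SSH server"
    priv=""; [ "$PORT" -ge 1024 ] || priv=", privileged port: needs root"
    printf 'ssh -%s %s: listens on %s port %s, %s%s\n' \
        "$1" "$2" "$host" "$PORT" "$(scope_of_bind "$BIND")" "$priv"
}

audit_tunnel L 127.0.0.1:8080:example.org:80
audit_tunnel R '*:8080:localhost:80'
audit_tunnel D 3000
```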

in Software, Posted by darkhorse_log