June 2003
Intermediate to advanced
336 pages
8h 54m
English
Content preview from Linux Security Cookbook
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
6.14. Tunneling Another TCP Session Through SSH
Problem
You want to secure a client/server TCP connection such as POP, IMAP, NNTP (Usenet news), IRC, VNC, etc. Both the client and server must reside on computers that run SSH.
Solution
Tunnel (forward) the TCP connection through SSH. To secure port 119, the NNTP protocol for Usenet news, which you read remotely from news.example.com:
$ ssh -f -N -L12345:localhost:119 news.example.com
While this tunnel is open, read news via local port 12345, e.g.:
$ export NNTPSERVER=localhost $ tin -r -p 12345
Discussion
Tunneling or port forwarding uses SSH to secure another TCP/IP connection, such as an NNTP or IMAP connection. You first create a tunnel, a secure connection between an SSH client and server. Then you make your TCP/IP applications (client and server) communicate over the tunnel, as in Figure 6-1. SSH makes this process mostly transparent.
Figure 6-1. SSH forwarding or tunneling
The SSH command:
$ ssh -f -N -L12345:localhost:119 news.example.com
establishes a tunnel between localhost and news.example.com. The tunnel has three segments:
The newsreader on your local machine sends data to local port 12345. This occurs entirely on your local machine, not over the network.
The local SSH client reads port 12345, encrypts the data, and sends it through the tunnel to the remote SSH server on news.example.com.
The remote SSH server on news.example.com ...