A local (outgoing) tunnel forwards traffic coming to a local port to a specified remote port.
With sshg3 on the command line, the syntax of the local tunneling command is the following:
client$ sshg3 -L [protocol/][listen-address:]listen-port:dst-host:dst-port server
Setting up local tunneling allocates a listener port on the local client. Whenever a connection is made to this listener, the connection is tunneled over Secure Shell to the remote server, and another connection is made from the server to the specified destination host and port. The connection from the server onwards is not secured; it is a normal TCP connection.
Figure 8.1 shows the different hosts and ports involved in local port forwarding.
For example, using SSH Tectia Client on the command line, when you issue the following command, all traffic coming to port 1234 on the client will be forwarded to port 23 on the server. See Figure 8.2.
client$ sshg3 -L 1234:localhost:23 username@sshserver
The forwarding address in the command is resolved at the (remote) end point of the tunnel. In this case localhost refers to the server host (sshserver).
To use the tunnel, the application to be tunneled is set to connect to the local listener port instead of connecting to the server directly. SSH Tectia Client forwards the connection securely to the remote server.
If you have three hosts, for example, sshclient, sshserver, and imapserver, and you forward the traffic coming to the sshclient's port 143 to the imapserver's port 143, only the connection between the sshclient and sshserver will be secured. The command you use would be similar to the following:
sshclient$ sshg3 -L 143:imapserver:143 username@sshserver
Figure 8.3 shows an example where the Secure Shell server resides in the DMZ network. The connection is encrypted from the Secure Shell client to the Secure Shell server and continues unencrypted in the corporate network to the IMAP server.
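To make the two legs of a local tunnel explicit, the following added example (not part of the SSH Tectia documentation or product) parses an sshg3 -L specification of the form shown above and reports which hop is protected by Secure Shell and which one is plain TCP. It assumes that dst-host is resolved on the server, as the text states, and that a non-loopback listen-address makes the listener reachable from other hosts; both assumptions are marked in the code.

```python
"""Parse an sshg3 -L local-tunnel spec and describe its encrypted and plaintext hops."""
from dataclasses import dataclass
from typing import Optional

# Names that resolve to the local host of whichever machine resolves them.
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


@dataclass
class LocalTunnel:
    protocol: Optional[str]
    listen_address: Optional[str]
    listen_port: int
    dst_host: str
    dst_port: int


def parse_local_tunnel(spec: str) -> LocalTunnel:
    """Parse '[protocol/][listen-address:]listen-port:dst-host:dst-port'."""
    protocol = None
    if "/" in spec:
        protocol, spec = spec.split("/", 1)
    parts = spec.split(":")
    if len(parts) == 3:
        listen_address, listen_port, dst_host, dst_port = None, *parts
    elif len(parts) == 4:
        listen_address, listen_port, dst_host, dst_port = parts
    else:
        raise ValueError(f"malformed tunnel spec: {spec!r}")
    # int() rejects non-numeric ports with ValueError.
    return LocalTunnel(protocol, listen_address, int(listen_port), dst_host, int(dst_port))


def describe_tunnel(spec: str, server: str) -> dict:
    """Describe the two legs of a local tunnel to the given Secure Shell server.

    dst-host is resolved at the remote end, so a loopback name there means the
    server host itself, not the client. Assumption: a listen-address other than
    loopback lets other machines connect to the listener.
    """
    t = parse_local_tunnel(spec)
    exposed = t.listen_address is not None and t.listen_address not in LOOPBACK
    return {
        "encrypted_hop": f"client:{t.listen_port} -> {server} (Secure Shell)",
        "plaintext_hop": f"{server} -> {t.dst_host}:{t.dst_port} (plain TCP)",
        "dst_resolved_on": server,
        "dst_is_server_host": t.dst_host in LOOPBACK,
        "listener_reachable_from_other_hosts": exposed,
    }
```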
Tunnels can also be defined for connection profiles in the Connection Broker configuration file.
The defined tunnels are opened automatically when a connection with the profile is made.
The following is an example from an ssh-broker-config.xml file:
<profile id="id1" host="sshserver.example.com">
  ...
  <tunnels>
    <local-tunnel type="tcp"
                  listen-port="143"
                  dst-host="imap.example.com"
                  dst-port="143"
                  allow-relay="no" />
    ...
  </tunnels>
</profile>
By default, only local tunnels originating from the client host itself are allowed. To allow other machines to connect to the tunnel listener port as well, set allow-relay to yes.
When using SSH Tectia Client with the Windows GUI, the tunneling settings can be made under Profile Settings → Tunneling. See Defining Tunneling (SSH Tectia Client).