SSH

Remote Tunnels

A remote (incoming) tunnel forwards traffic coming to a remote port to a specified local port.

With sshg3 on the command line, the syntax of the remote tunneling command is as follows:

client$ sshg3 -R [protocol/][listen-address:]listen-port:dst-host:dst-port \
username@sshserver

where:

The IP addresses and host names of the destination host and the sshserver can be defined using regular expressions that follow the egrep syntax. No wildcards are supported.

[Note]Note

If dst-host is specified as a domain name rather than IP address, the name will be resolved according to the address family settings of client. For example, if the domain name is resolved to an AAAA DNS record (IPv6) and the address family setting of the client is inet (IPV4), the tunnel will not work.

Setting up remote tunneling allocates a listener port on the remote server. Whenever a connection is made to this listener, the connection is tunneled over Secure Shell to the local client and another connection is made from the client to a specified destination host and port. The connection from the client onwards will not be secure, it is a normal TCP connection.

[Note]Note

Every user with access to the remote server host will be able to use remote tunnel.

Figure 6.4 shows the different hosts and ports involved in remote port forwarding.

Remote tunneling terminology

Figure 6.4. Remote tunneling terminology


For example, if you issue the following command, all traffic which comes to port 1234 on the server will be tunneled to port 23 on the client. See Figure 6.5.

sshclient$ sshg3 -R 1234:localhost:23 username@sshserver

The forwarding address in the command is resolved at the (local) end point of the tunnel. In this case localhost refers to the client host.

Remote tunnel

Figure 6.5. Remote tunnel


Tunnels can also be defined for connection profiles in the Connection Broker configuration file. The defined tunnels are opened automatically when a connection with the profile is made.

The following is an example from a ssh-broker-config.xml file:

<profile id="id1" host="sshserver.example.com">
 ...
   <tunnels>
      <remote-tunnel type="tcp"
                     listen-port="1234"
                     dst-host="localhost"
                     dst-port="23" />
   ...              
   </tunnels>  
</profile>

The tunneling settings can be made in the Tectia Connections Configuration GUI, under Connection Profiles → Tunneling per each profile. See Defining Tunneling.