A local (outgoing) tunnel forwards traffic coming to a local port to a specified remote port.
With sshg3
on the command line, the syntax of the
local tunneling command is as follows:
client$ sshg3 -L [protocol/][listen-address:]listen-port:dst-host:dst-port sshserver
Setting up local tunneling allocates a listener port on the local client. Whenever a connection is made to this listener, the connection is tunneled over Secure Shell to the remote server and another connection is made from the server to a specified destination host and port. The connection from the server onwards will not be secure, it is a normal TCP connection.
For example, when you use Tectia Client on the command line, and issue the following command, all traffic coming to port 1234 on the client will be forwarded to port 23 on the server. See Figure 8.1.
sshclient$ sshg3 -L 1234:localhost:23 username@sshserver
The forwarding address in the command is resolved at the (remote)
end point of the tunnel. In this case localhost
refers to
the server host (sshserver
).
To use the tunnel, the application to be tunneled is set to connect to the local listener port instead of connecting to the server directly. Tectia Client or ConnectSecure forwards the connection securely to the remote server.
If you have three hosts, for example, sshclient
,
sshserver
, and imapserver
, and you forward the
traffic coming to the sshclient
port 143 to
the imapserver
port 143, only the connection
between sshclient
and sshserver
will be
secured. The command you use would be similar to the following one:
sshclient$ sshg3 -L 143:imapserver:143 username@sshserver
Figure 8.2 shows an example where the Secure Shell server resides in the DMZ network. The connection is encrypted from the Secure Shell client to the Secure Shell server and continues unencrypted in the corporate network to the IMAP server.
With transparent TCP tunneling active, there is no need to separately configure application software to use local ports to set up the tunnels. The applications to be tunneled are defined in the Connection Broker configuration (Filter Rules). The transparent TCP tunneling feature automatically captures the defined applications and the Connection Broker creates Secure Shell tunnels to the defined Tectia Server.
By default, local tunnels are allowed to all addresses for all
users. The default setting equals the following in the
ssh-server-config.xml
file:
<services> <rule> <tunnel-local action="allow" /> ... </rule> </services>
The connections can be restricted by specifying allowed addresses with
the src
and dst
elements. If any addresses are
specified as allowed, local tunnels to all other addresses are implicitly
denied. See Local Tunneling Rule Examples for usage
examples.
Using the Tectia Server Configuration GUI, the tunneling settings are made under the Services page on the Local Tunnels tab. See Local Tunnels.
Note | |
---|---|
IPv6-only listeners are not supported for Solaris 9. |