A remote (incoming) tunnel forwards traffic coming to a remote port to a specified local port.
sshg3 on the command line, the syntax of the remote tunneling command is
client$ sshg3 -R [protocol/][listen-address:]listen-port:dst-host:dst-port server
Setting up remote tunneling allocates a listener port on the remote server. Whenever a connection is made to this listener, the connection is tunneled over Secure Shell to the local client and another connection is made from the client to a specified destination host and port. The connection from the client onwards will not be secure, it is a normal TCP connection.
For example, if you issue the following command, all traffic which comes to port
1234 on the server will be forwarded to port
23 on the
client. See Figure 8.4.
sshclient$ sshg3 -R 1234:localhost:23 username@sshserver
The forwarding address in the command is resolved at the (local) end point of the tunnel.
In this case
localhost refers to the client host.
By default, remote tunnels are allowed from all addresses for all users. The default
setting equals the following in the
<services> <rule> <tunnel-remote action="allow" /> ... </rule> </services>
The connections can be restricted by specifying allowed addresses with the
listen elements. If any addresses are specified as
allowed, remote tunnels to all other addresses are implicitly denied. See Remote Tunneling Rule Examples for usage examples.
The server starts listeners according to the current address family settings. For example,
if the server is configured for IPv4 only, the following command will start listener on port
client$ sshg3 -R 2001:localhost:2002 user@server
If the address family is
any, two listeners will be started, on address
127.0.0.1 on the same port
Using the Tectia Server Configuration GUI, the tunneling settings are made under the Services page on the Remote Tunnels tab. See Remote Tunnels.