Local Tunnels

Non-Transparent TCP Tunneling
Non-Transparent FTP Tunneling
SOCKS Tunneling

A local (outgoing) tunnel forwards traffic coming to a local port to a specified remote port.

With sshg3 on the command line, the syntax of the local tunneling command is as follows:

client$ sshg3 -L [protocol/][listen-address:]listen-port:dst-host:dst-port sshserver

where:

The host name or IP address of the destination host and sshserver can be defined as regular expressions that follow the egrep syntax, but no wildcards are supported.

Note:

If dst-host is specified as a domain name rather than an IP address, the name is resolved according to the address family settings of sshserver. For example, if the domain name resolves to an AAAA DNS record (IPv6) and the address family setting of the server is inet (IPv4), the tunnel will not work.

Setting up local tunneling allocates a listener port on the local client host. Whenever a connection is made to this listener, the connection is tunneled over Secure Shell to the remote server, and another connection is made from the server to the specified destination host and port. The connection from the server onwards is not secured by Secure Shell; it is a normal TCP connection.

Note:

Every user with access to the local client host will be able to use the local tunnels.

Figure 7.1 shows the different hosts and ports involved in local tunneling (port forwarding).

Figure 7.1. Local tunneling terminology

For example, when you issue the following sshg3 command on the command line, all traffic coming to port 1234 on the client host will be forwarded to port 23 on the server.

client$ sshg3 -L 1234:localhost:23 --abort-on-failing-tunnel username@sshserver

The forwarding address in the command is resolved at the (remote) end point of the tunnel. In this case localhost refers to the server host (sshserver).

This example also specifies the --abort-on-failing-tunnel option. It causes the command to abort if creating the tunnel listener fails (for example, because the port is already reserved). Without it, if the connection to the server succeeds but creating the listener fails, no error message is given.
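As an added example that is not part of the Tectia documentation or of sshg3, the following Python parses a -L tunnel specification in the syntax shown above and classifies who can reach the client-side listener, the concern behind the note that every user of the client host can use a local tunnel. It assumes that listen-address is the listener's bind address and reports an omitted address as "client-default" rather than guessing; the loopback and wildcard address sets are assumptions, not values from this page.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical helper (not part of sshg3): parses one "-L" tunnel spec of the form
# [protocol/][listen-address:]listen-port:dst-host:dst-port and classifies who
# can reach the client-side listener.
LOOPBACK = {"localhost", "127.0.0.1", "::1"}
ANY_ADDRESS = {"0.0.0.0", "::", "*"}  # assumed wildcard forms, not from the page

@dataclass
class LocalTunnel:
    protocol: Optional[str]
    listen_address: Optional[str]
    listen_port: int
    dst_host: str
    dst_port: int

def _port(text: str, name: str) -> int:
    if not text.isdigit() or not 1 <= int(text) <= 65535:
        raise ValueError(f"{name} must be a number in 1..65535, got {text!r}")
    return int(text)

def parse_local_tunnel(spec: str) -> LocalTunnel:
    protocol = None
    if "/" in spec:
        protocol, spec = spec.split("/", 1)
    # dst-host and dst-port are the two rightmost colon-separated fields;
    # what remains is "listen-port" or "listen-address:listen-port".
    parts = spec.rsplit(":", 2)
    if len(parts) != 3:
        raise ValueError(f"expected listen-port:dst-host:dst-port in {spec!r}")
    left, dst_host, dst_port = parts
    listen_address, _, listen_port = left.rpartition(":")
    return LocalTunnel(protocol or None, listen_address or None,
                       _port(listen_port, "listen-port"), dst_host,
                       _port(dst_port, "dst-port"))

def listener_exposure(tunnel: LocalTunnel) -> str:
    # Assumption: listen-address is the bind address of the listener; an omitted
    # address is reported as the client default rather than guessed.
    addr = tunnel.listen_address
    if addr is None:
        return "client-default"
    if addr.strip("[]") in LOOPBACK:
        return "loopback"
    if addr.strip("[]") in ANY_ADDRESS:
        return "all-interfaces"
    return "specific-address"
```

Specifications such as "1234:localhost:23" from the page and constructed ones like "ftp/127.0.0.1:2121:ftp.example.com:21" parse into their five fields; a spec with fewer than three colon-separated fields or an out-of-range port raises ValueError.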