Step 6.1 Port Forwarding
Overview
Problem: Since many programs use services that send clear-text data over the network, it is desirable to find something that can be used to encrypt the network traffic for these services while minimizing any change to end users. SSH provides this functionality with port forwarding.
Port forwarding allows a user to create an encrypted session from a client to a remote server for any TCP-based service by tunneling the service through SSH. Of course, this requires that the user have an account on the remote server and that the OpenSSH daemon is running on the server.
OpenSSH allows you to configure port forwarding from the command line using the -L option as shown below:
$ ssh -L local_port:remote_host:remote_port hostname
where
- local_port = the port on the local host that will listen for local connections
- remote_host = the remote host where the service you wish to port forward is located
- remote_port = the port on which the remote host is listening for the service you wish to port forward
- hostname = the host to which you are creating an SSH session
The local port can be any port on the local machine that does not already have a listening service. If you wish to utilize a reserved port (below 1024), you must have root privileges on your local machine.
As long as the service you wish to forward through the SSH tunnel uses TCP to communicate, such as HTTP, FTP, POP3 or SMTP, you should be able to use port forwarding to encrypt the service. The following example will demonstrate how to use SSH port forwarding to check your email on a remote UNIX server from a local UNIX machine. This example will use SMTP for sending email and POP3 for retrieving email. These services listen on TCP ports 25 and 110, respectively.
Note
The machine which becomes the terminating point for your port forwarding tunnel does not have to be the machine to which you create an SSH session. For example, you could SSH to server1.example.com and create an SSH port forwarding tunnel to server2.example.com with the following command:
$ ssh -L 25:server2.example.com:25 server1.example.com
This will work as long as server1.example.com can contact server2.example.com. Make sure you realize that if you do this, your traffic will only be SSH-encrypted from your local machine to server1.example.com - it will be in clear text from server1.example.com to server2.example.com.
Action 6.1.1 Use OpenSSH to set up port forwarding
We first need to connect to the remote machine server.example.com and set up port forwarding by running the following command:
$ ssh -L 1125:server.example.com:25 -L 1230:server.example.com:110 -l sshuser server.example.com
This command tells OpenSSH to open an SSH session to remote host server.example.com as user sshuser and to set up port forwarding so anything connecting on local port 1125 will be forwarded to remote port 25 and anything connecting on local port 1230 will be forwarded to remote port 110. The local ports could have been any that do not already have a listening service.
If we had wanted to use any of the reserved ports below 1024, we would have had to be root in order to set up the SSH port forwarding. If your mail client cannot be set up to talk on non-standard ports, you may be required to set up port forwarding as root.
If OpenSSH succeeds in making a connection to the remote host, you will be prompted for authentication to the remote host. After successfully authenticating to the remote host, you will be presented with a shell prompt. Port forwarding will be active until this session is closed.
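The same forwards can be kept in the OpenSSH client configuration file instead of being typed on every invocation. The fragment below is an added example for this guide, not part of the original text; it assumes the same host name, ports and user as the command above and uses the Host, HostName, User and LocalForward keywords documented in ssh_config(5):

```text
# ~/.ssh/config (added example; host names, ports and user are those used above)
Host mailtunnel
    HostName server.example.com
    User sshuser
    # LocalForward [bind_address:]port host:hostport
    # Binding to 127.0.0.1 keeps the tunnel entrances reachable only from this machine.
    LocalForward 127.0.0.1:1125 server.example.com:25
    LocalForward 127.0.0.1:1230 server.example.com:110
```

With this in place, running ssh mailtunnel opens the same session and the same two forwards as the long command line. Without an explicit bind address, -L and LocalForward listen on the loopback address by default; the -g option or GatewayPorts changes that, so check the bind address whenever either is in use.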
Action 6.1.2 Verify port forwarding is working
We know we have a shell session opened to the remote host, but how can we verify that port forwarding is active? This can be done using the netstat command. Using the -an options with netstat displays information about all services, including listening services, on the local machine. With this information, we can verify that port forwarding is configured properly.
- Open another shell prompt on the local machine.
- At the prompt, run the netstat command as follows:
$ netstat -an | more
(Piping the command through more will prevent the information from scrolling off the screen.) The following information should be displayed:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:1125          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:1230          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:22          192.169.3.1:1189        ESTABLISHED
The amount of information displayed will vary depending on your operating system, but you should see ports 1125 and 1230 on the local host listening, as shown above.
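The check above can be scripted so that it also catches the two failure modes that matter: a forward that is not listening at all (the session was closed or the -L option was mistyped) and a forward that is listening on an address other than the loopback (which would let other hosts use your tunnel). The script below is an added example, not part of the original guide; the netstat output it reads is constructed to match the sample shown above, and the function and variable names are my own:

```sh
#!/bin/sh
# Added example (not from the original guide): confirm that the SSH local
# forwards set up in Action 6.1.1 are listening, and only on 127.0.0.1.
# The netstat output below is constructed to match the sample in the guide.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:1125          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:1230          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:22          192.169.3.1:1189        ESTABLISHED'

# forward_listener NETSTAT_OUTPUT PORT
# Prints the IPv4 address a TCP listener on PORT is bound to, or nothing
# when no LISTEN entry for that port exists.
forward_listener() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "tcp" && $NF == "LISTEN" {
            n = split($4, a, ":")
            if (a[n] == port) {
                # Everything before the final ":" is the bind address.
                print substr($4, 1, length($4) - length(a[n]) - 1)
                exit
            }
        }'
}

# check_forwards NETSTAT_OUTPUT PORT...
# Returns 0 when every PORT is listening on 127.0.0.1; 1 otherwise.
check_forwards() {
    out=$1
    shift
    status=0
    for port in "$@"; do
        addr=$(forward_listener "$out" "$port")
        if [ -z "$addr" ]; then
            echo "port $port: not listening (SSH session closed or -L option wrong?)"
            status=1
        elif [ "$addr" != "127.0.0.1" ]; then
            echo "port $port: listening on $addr, reachable from other hosts"
            status=1
        else
            echo "port $port: forward active on loopback"
        fi
    done
    return $status
}

# Against the live machine, replace the sample with the real output:
#   check_forwards "$(netstat -an)" 1125 1230
check_forwards "$SAMPLE_NETSTAT" 1125 1230
```

The script exits non-zero when either forward is missing or is bound to a non-loopback address, so it can be run before starting the mail client. It matches IPv4 entries only, which is what the sample output contains.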
Action 6.1.3 Set up Pine to send and retrieve email through an SSH tunnel
One of the most common UNIX mail client programs is Pine. Pine is a command line program maintained by the University of Washington and can be downloaded from http://www.washington.edu/pine. The following are the steps required to configure Pine to exchange mail via an SSH tunnel:
- Launch Pine by entering the following at a command prompt on the local host:
$ pine
- At the Pine main menu, press the S key to enter the setup screen.
- At the setup screen, press the C key to enter the configuration screen.
- The configuration screen is where we will configure email exchange. Press the down key until you reach the line entitled smtp-server and press Enter. At the prompt enter the following:
localhost:1125
and press Enter. This will tell Pine to use port 1125 on the local host to send email.
- Next, press the down key until you reach the line entitled inbox-path and press Enter. At the prompt, enter the following:
{localhost:1230/pop3/user=pop3_user}inbox
and press Enter. Here pop3_user is the name of the POP3 user account from which you will be retrieving email. This will tell Pine to use the local host to check for POP3 email. Note: There is no space between the closing curly bracket and inbox.
- Once all of the information above is entered correctly, press the E key to exit the setup screen.
- Press Y when asked to commit changes.
Action 6.1.4 Use Pine to retrieve email using port forwarding
- From the main menu of Pine, press the L key to display the list of folders.
- In the list of folders, you will see the folder INBOX. Highlight INBOX and press Enter.
- If Pine connects successfully, you will be prompted for the password of the POP3 user whose email you are attempting to retrieve. Enter the password and press Enter. If you have any email, it should download now.
Action 6.1.5 Use Pine to send email using port forwarding
- Press the M key to get back to the Pine main menu.
- Once you are back at the main menu, press the C key to compose a message.
- Enter all the relevant information to send the email, such as the recipient's address and the text of the message. Press Control-X to send the email. When prompted whether you wish to send the email, press Y. If you do not receive any errors, the message has been sent through the port forwarding tunnel.