Walker News

How To Setup SSH Port Forwarding In 3 Minutes

Yes, this is another attempt at writing a 3-minute Linux guide. This round, it’s about how to set up or configure SSH Local Port Forwarding in 3 minutes (or maybe less)!

Why use SSH port forwarding? In brief, SSH port forwarding provides an encrypted tunnel for insecure or unencrypted TCP connections, such as rcp, POP3, VNC, etc.

SSH Port Forwarding Configuration

[Diagram: SSH port forwarding encrypting an insecure TCP connection with an SSH tunnel, i.e. via the SSH protocol]

Suppose that Walker-A (172.101.20.20) and Walker-B (172.101.20.21) are both running Red Hat Enterprise Linux in the office data centre. Walker-C (192.168.72.72) is a desktop PC running Windows Vista Ultimate with the PuTTY SSH client (Windows Vista compatible networking freeware).

Let’s say Walker-A is running a RealVNC server listening on its local port 5907. As you probably know, the default RealVNC connection is not secured or encrypted, i.e. the login ID and password for VNC server authentication can easily be captured or cracked by network sniffers.

So, SSH Local Port Forwarding is set up to secure this unencrypted VNC connection from Walker-B (Linux) or Walker-C (Vista) to Walker-A.

How to set up SSH Local Port Forwarding in Linux (Walker-B)

At the Walker-B Linux box, find a local TCP port that’s not currently open or in use, by executing either the netstat or the nc command:

nc localhost 747
netstat -tulpan | grep 747

If these commands produce no output, then the specified local TCP port (in this case, 747) is free for SSH Local Port Forwarding.

Next, execute this command to set up SSH Local Port Forwarding:

ssh -L 747:172.101.20.20:5907 root@172.101.20.20
(if DNS or /etc/hosts is able to resolve the hostname)
ssh -L 747:Walker-A:5907 root@Walker-A

How to read this SSH Local Port Forwarding command syntax?

ssh -L LocalPort:ServiceHost:ServicePort SSHID@SSHHost

Where:
  • LocalPort is a local TCP port
  • ServiceHost is a remote host that provides the target service, such as email, VNC, etc.
  • ServicePort is the listening port of the target service at ServiceHost, e.g. 110 for POP3 email
  • SSHID is an SSH login ID on the SSH server that is used to establish the secure / encrypted SSH tunnel
  • SSHHost is the remote host running the SSH server

Literally, that SSH command says the Walker-B SSH client will log in to the Walker-A SSH server with the root user ID (any valid user ID will do; it does not have to be root) and bind the Walker-B local port 747 to establish a secure / encrypted tunnel over the SSH protocol. Then, the Walker-A SSH server will extend the encrypted tunnel to communicate with the Walker-A VNC server over an insecure or unencrypted TCP connection.

Why extend to an insecure connection again?

As shown in the diagram above, insecure connections exist on both the client and the server side. But the security impact is minimal, as they exist inside the host and client machines (a trusted environment), while the TCP communication over the network (high risk) is encrypted via the SSH tunnel!

Log in to the SSH server as prompted and leave the SSH session open, so that the secure SSH tunnel stays established!

Now, it’s ready to log in to the Walker-A VNC server through the secure SSH tunnel. At Walker-B, execute:

vncviewer 127.0.0.1:747
(or with hostname resolution)
vncviewer localhost:747

As you can see, instead of connecting directly to the Walker-A VNC server (i.e. executing vncviewer Walker-A:5907), vncviewer connects to the local listening port 747 and communicates with the VNC server over a secure SSH tunnel via the SSH Local Port Forwarding technique!

So, is the picture clearer now, or is an illustration (above) better than a thousand words?
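
The Linux steps above, gathered into one script as an added example (not part of the original article): it checks that LocalPort is free, then prints an ssh command that binds the listener to 127.0.0.1 only, opens no remote shell (-N) and exits if the forward cannot be set up. The function names, the LISTENERS variable and the sample listing are assumptions made for illustration; the optional sixth argument covers an SSH server that does not listen on port 22.

```shell
#!/bin/sh
# Added example, not from the original article.

# Constructed sample of `ss -ltn` output so the check can run offline.
SAMPLE_LISTENERS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      5      127.0.0.1:5907     0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*'

# Succeeds if $1 is a decimal integer in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Succeeds if $1 is below 1024; by default Linux lets only root bind these.
needs_root() { [ "$1" -lt 1024 ]; }

# Succeeds if a LISTEN socket in listing $2 (ss -ltn format) uses port $1.
port_is_listening() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Usage: build_tunnel_cmd LocalPort ServiceHost ServicePort SSHID SSHHost [SSHPort]
# Prints the ssh command; returns 2 on bad input, 3 if LocalPort is taken.
build_tunnel_cmd() {
    lport=$1 shost=$2 sport=$3 id=$4 host=$5 sshport=${6:-22}
    for p in "$lport" "$sport" "$sshport"; do
        valid_port "$p" || { echo "invalid port: $p" >&2; return 2; }
    done
    for h in "$shost" "$id" "$host"; do
        # Refuse empty values, a leading "-" (read as an option) and odd characters.
        case "$h" in ''|-*|*[!A-Za-z0-9._-]*) echo "invalid name: $h" >&2; return 2 ;; esac
    done
    # LISTENERS may hold a saved listing; otherwise ask ss for the live one.
    if port_is_listening "$lport" "${LISTENERS:-$(ss -ltn 2>/dev/null)}"; then
        echo "local port $lport is already in use" >&2; return 3
    fi
    if needs_root "$lport"; then
        echo "note: port $lport is privileged, run ssh as root or pick a port above 1023" >&2
    fi
    # 127.0.0.1 keeps the listener off the network, -N opens no remote shell,
    # ExitOnForwardFailure makes ssh exit if it cannot bind the local port.
    printf 'ssh -N -o ExitOnForwardFailure=yes -p %s -L 127.0.0.1:%s:%s:%s %s@%s\n' \
        "$sshport" "$lport" "$shost" "$sport" "$id" "$host"
}
```

Run the printed command, log in as prompted, and then point vncviewer at 127.0.0.1:747 as before.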

How to set up SSH Local Port Forwarding in Windows Vista (Walker-C) using the PuTTY SSH client?

The PuTTY SSH client is a powerful piece of Windows networking freeware. Other than the secure remote login protocol (i.e. the SSH protocol), PuTTY also supports legacy, non-secure remote login protocols such as telnet and rlogin. PuTTY also supports connections via a proxy server.

Besides that, there are at least two attractive features (to me) worth mentioning, namely “copy and paste” of command output / text and a flexible screen width that makes command output easy to read.

And of course, PuTTY is a great piece of networking freeware that’s compatible with Windows Vista!

How to set up SSH Local Port Forwarding in Windows Vista with the PuTTY SSH client?

  1. On the PuTTY Configuration dialog box, click the Session menu on the Category panel (left)

  2. Specify the hostname or IP address (in this case, Walker-A or 172.101.20.20) and select the SSH protocol (the port number 22 for the SSH protocol will then be filled in automatically)

  3. Click the Connection menu followed by the SSH menu (both are also in the Category menu tree)

  4. Click on the Tunnels menu to configure the SSH Local Port Forwarding setting. In this case, fill in the Source Port with 747 and the Destination with Walker-A:5907 or 172.101.20.20:5907 (the highlighted box)

  5. Click the ADD button to add the setting to the Forwarded Ports text-box, where it appears as blue text such as “L747   Walker-A:5907”

  6. Click the OPEN button and log in to the Walker-A SSH server

  7. As usual, keep the SSH login session open and active, so that the secure SSH tunnel stays established

  8. Now, open up the Windows VNC Viewer program and specify the VNC Server connection string as localhost:747 or 127.0.0.1:747.

  1. SSH Remote Port Forwarding In 3 Minutes – Walker News 22-07-07@14:57

    [...] just wrote about How to setup SSH Port Forwarding in Linux with OpenSSH client and in Windows Vista with Putty networking freeware. Visualize SSH [...]

  2. SSH Port Forwarding – Local VS Remote – Walker News 22-07-07@21:00

    [...] was asked about the difference of SSH Local Port Forwarding and SSH Remote Port Forwarding. Visualize SSH Port Forwarding that encrypting insecure TCP [...]

  3. Walker 27-07-07@22:15

    Minor correction:

    Windows VNC Viewer connection string is a bit different when specifying the connecting port number.

    Instead of localhost:747

    The connection string SHOULD BE

    localhost::747

    Spot the difference?

  4. Setup Remote Desktop Port Forwarding In Windows Vista – Walker News 30-07-07@01:19

    [...] Tunnel is possible to encrypt most insecure TCP connections with the SSH port forwarding technique. Other than security feature of SSH Tunnel, network administrators can also simplify [...]

  5. How To Install And Start Telnet Server In Red Hat Linux? – Walker News 19-11-08@01:26

    [...] by default, most Linux distributions install SSH server and not telnet. Red Hat Linux even explicitly categorize telnet server as one of the “legacy [...]

  6. Ander 24-07-10@14:16

    Good. In Windows, you can also use an SSH tunnel easily (http://www.networktunnel.net); you can build an SSH tunnel in one minute.

  7. Casper 06-12-10@20:06

    If my Unix server uses another port, not 22, how do I forward from this port?
