Thursday, January 3, 2013

ssh port forwarding

There are two client-server pairs involved in ssh port forwarding: an application (AP) client and server, and an ssh client and server. The ssh client and server provide a secure channel that carries the traffic between the AP client and the AP server, and ssh port forwarding has many other uses besides.

Ssh port forwarding can be categorized into local and remote forwarding. In a local forwarding, the AP client sits beside the ssh client (and the AP server sits beside the ssh server). In a remote forwarding, the situation is reversed: the AP client sits beside the ssh server (and the AP server sits beside the ssh client).

Let matt be the ssh client, mark the ssh server, clnt the AP client, and serv the AP server providing its service on port 143.

A local port forwarding can be set up by issuing the following command on host matt:

ssh -L 8080:serv:143 mark

Once the ssh channel is established, clnt is able to access serv by connecting to port number 8080 on host matt as shown in the following figure:

    clnt                          serv
                                      143
      |                                 |
      |                                 |
    8080
    matt <=======>  mark


The ssh server (mark) must be configured to allow port forwarding, which is done by setting the option AllowTcpForwarding to yes in its sshd configuration file. Similarly, if clnt is a different host from matt, the listening port 8080 on matt must be bound to a non-loopback address rather than to localhost only (the default); this is the GatewayPorts option on the ssh client side, enabled with the -g flag:

ssh -g -L 8080:serv:143 mark



A remote port forwarding can be set up by issuing the following command on host matt:

ssh -R 8080:serv:143 mark

Once the ssh channel is established, clnt is able to access serv by connecting to port number 8080 on host mark as shown in the following figure:

    clnt                          serv
                                      143
      |                                 |
      |                                 |
    8080
    mark <=======>  matt

For remote forwarding, AllowTcpForwarding must be enabled on host mark, and GatewayPorts must also be set in mark's sshd configuration if clnt is a different host from mark, since the listening port 8080 is opened on mark and binds to loopback only by default.
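The two commands above, plus the exposure switch each one needs, can be generated and checked from a small shell helper. This is an added example, not part of the original post: it builds the ssh command line for a local (-L) or remote (-R) forwarding using the post's host names (matt, mark, serv) and ports, adds -N so the session carries only the tunnel, and audits whether a forwarded listener is bound to loopback or to a wider address by parsing `ss -ltn` output. The `ss` output embedded below is constructed sample data; on a live host you would pipe the real `ss -ltn` into `listen_scope` on the machine that holds the listener (matt for a local forwarding, mark for a remote one).

```shell
#!/bin/sh
# Added example, not from the original post. Builds the ssh command line for
# the forwardings described above and audits where a forwarded listener is
# bound. Host names (matt, mark, serv) and ports follow the post; the sample
# `ss -ltn` output below is constructed.

# ssh_forward_cmd MODE LISTEN_PORT TARGET_HOST TARGET_PORT SSH_HOST [EXPOSE]
#   MODE   : "local" (-L, listener on the ssh client) or "remote" (-R, listener
#            on the ssh server)
#   EXPOSE : "yes" to accept connections from other hosts; the default keeps
#            the listener on loopback only.
# For local forwarding the exposure switch is the client's -g flag (GatewayPorts
# in ssh_config). For remote forwarding it is GatewayPorts in the server's
# sshd_config, so no client flag is emitted and a reminder goes to stderr.
ssh_forward_cmd() {
  mode=$1 lport=$2 thost=$3 tport=$4 sshhost=$5 expose=${6:-no}
  case $mode in
    local)
      if [ "$expose" = yes ]; then
        printf 'ssh -N -g -L %s:%s:%s %s\n' "$lport" "$thost" "$tport" "$sshhost"
      else
        # explicit bind address: loopback is the default, but stating it is clearer
        printf 'ssh -N -L 127.0.0.1:%s:%s:%s %s\n' "$lport" "$thost" "$tport" "$sshhost"
      fi ;;
    remote)
      [ "$expose" = yes ] && echo "note: set GatewayPorts in sshd_config on $sshhost" >&2
      printf 'ssh -N -R %s:%s:%s %s\n' "$lport" "$thost" "$tport" "$sshhost" ;;
    *)
      echo "unknown mode: $mode" >&2
      return 1 ;;
  esac
}

# listen_scope PORT   (reads `ss -ltn` output on stdin)
# Prints "loopback" if every listener on PORT is bound to 127.0.0.1 or [::1],
# "exposed" if any listener on PORT is bound to a wider address, and "none"
# if nothing listens on PORT.
listen_scope() {
  awk -v port="$1" '
    $1 == "LISTEN" {
      n = split($4, parts, ":")          # last field after ":" is the port
      if (parts[n] != port) next
      addr = $4
      sub(":" parts[n] "$", "", addr)    # strip ":PORT" to keep the address
      if (addr == "127.0.0.1" || addr == "[::1]") lo = 1
      else ex = 1
    }
    END {
      if (ex) print "exposed"
      else if (lo) print "loopback"
      else print "none"
    }'
}

# Constructed sample of `ss -ltn` output: 8080 is a loopback-only forward
# (IPv4 and IPv6), 8081 was started with -g and is reachable from the network.
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:8080       0.0.0.0:*
LISTEN  0       128     0.0.0.0:8081         0.0.0.0:*
LISTEN  0       128     [::1]:8080           [::]:*'

# Demonstration on the post's hosts and on the constructed sample.
ssh_forward_cmd local 8080 serv 143 mark
ssh_forward_cmd local 8080 serv 143 mark yes
ssh_forward_cmd remote 8080 serv 143 mark
for p in 8080 8081; do
  printf 'port %s: %s\n' "$p" "$(printf '%s\n' "$SAMPLE_SS" | listen_scope "$p")"
done
# On a live host:  ss -ltn | listen_scope 8080
```

The audit is the part worth keeping around: after starting either kind of forwarding, confirm that the listener is bound the way you intended, because a port bound to 0.0.0.0 or [::] is reachable by anyone who can reach that host, not just by clnt.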



One question remains: which forwarding to choose?
A quick rule is to look at where the client application runs. If the AP client runs on (or close to) the ssh client machine, use local forwarding. Otherwise, choose remote forwarding.
