OpenSSH - with TCP port forwarding

OpenSSH provides TCP port forwarding, also known as tunnelling, which allows other TCP applications to forward their network data over a secure SSH connection. In other words, existing TCP applications that do not encrypt their data before sending it across the network can send their network traffic through an SSH channel, thereby securing it.

Without TCP forwarding, an application's client connects directly to its server across the network, as shown in Figure 1. Port forwarding runs inside an SSH session between the two hosts: the ssh client sets up the forward when it opens the session, and the tunnel lasts only as long as that session does.

Example: To set up a local port forward, invoke the ssh client with the -L option, whose argument is listen_port:destination_host:destination_port:
 ssh -L 2001:remotehost:27 billy@remotehost

Result: The ssh client on Host A listens on port 2001 for connections (see Figure 1). The TCP application now connects to port 2001 on the local host (Host A) instead of to the server's well-known port on Host B, as shown in Figure 2. The ssh client accepts the connection on port 2001 and forwards the application's data through the encrypted SSH connection to the OpenSSH server (sshd) on Host B. sshd then opens a connection to the host and port named in the -L option (here remotehost, port 27, which sshd resolves from its own side of the tunnel) and relays the data to the application's server there, as shown in Figure 3. Two points matter in practice: unless a bind address is given in the -L option or GatewayPorts is enabled in the client configuration, the ssh client binds port 2001 to the loopback interface, so only processes on Host A can use the tunnel; and only the leg between ssh and sshd is encrypted, so if the destination host named in -L is not Host B itself, the final hop from sshd to that host crosses the network in the clear. The server administrator can disable the feature entirely with AllowTcpForwarding no in sshd_config.
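The following is an added example, not code from the page or from OpenSSH: a small Python relay that models the data path described above on a single machine. LocalForwarder plays the ssh client's role (listen on a local port, accept, relay each connection to a destination), start_app_server is a constructed stand-in for the server on "port 27", and send_through plays the TCP application. What it deliberately leaves out is the SSH channel itself: the real client hands the bytes to sshd over the encrypted session and sshd makes the onward connection, whereas this relay connects to the destination directly. The port numbers, host addresses and payload are all assumptions chosen for the demonstration.

```python
import socket
import threading


def _pipe(src, dst):
    # Copy bytes one way until src reaches EOF, then pass the EOF on by
    # closing the write side of dst so the far end sees the stream finish.
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class LocalForwarder:
    """Accept connections on bind_addr:listen_port and relay each to dest.

    This is the client-side role of `ssh -L listen_port:dest_host:dest_port`
    without the SSH channel: the real client sends the bytes to sshd, which
    makes the onward connection; here the relay connects to dest directly.
    """

    def __init__(self, listen_port, dest, bind_addr="127.0.0.1"):
        self.dest = dest
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        # Default to loopback, as ssh does without a bind_address or
        # GatewayPorts: only local processes can reach the forwarded port.
        self.sock.bind((bind_addr, listen_port))
        self.sock.listen(8)
        self.bind_addr, self.port = self.sock.getsockname()[:2]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                client, _ = self.sock.accept()
            except OSError:  # listener closed
                return
            threading.Thread(target=self._relay, args=(client,), daemon=True).start()

    def _relay(self, client):
        upstream = socket.create_connection(self.dest)
        back = threading.Thread(target=_pipe, args=(upstream, client), daemon=True)
        back.start()
        _pipe(client, upstream)   # application -> server
        back.join()               # server -> application
        client.close()
        upstream.close()

    def close(self):
        self.sock.close()


def start_app_server():
    """Constructed stand-in for the server on 'port 27': reads the request
    to EOF and answers with it upper-cased. Returns the port it was given."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                buf = b""
                while chunk := conn.recv(4096):
                    buf += chunk
                conn.sendall(buf.upper())

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def send_through(port, payload):
    """Behave like the TCP application: connect to the local forwarded
    port, send payload, half-close, and collect the reply."""
    with socket.create_connection(("127.0.0.1", port)) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        reply = b""
        while chunk := c.recv(4096):
            reply += chunk
    return reply


def demo():
    """Stand up server, forwarder and client on loopback; return the reply."""
    app_port = start_app_server()                     # the "port 27" server
    fwd = LocalForwarder(0, ("127.0.0.1", app_port))  # the "port 2001" listener
    try:
        return send_through(fwd.port, b"hello tunnel\n")
    finally:
        fwd.close()


if __name__ == "__main__":
    print(demo())
```

Running the script prints b'HELLO TUNNEL\n': the application never contacted the server's port itself, only the forwarder's local listener. The bind_addr attribute is the value to check when auditing a forward; binding to 0.0.0.0 turns a private tunnel into a service that any host on the network can reach.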

Figure 1. The ssh client is listening on port 2001 for a connection; the TCP application wants to contact the server through an SSH connection.

Figure 2. The application is connecting to port 2001 on the local host (Host A).

Figure 3. The ssh client accepts the connection on port 2001 and forwards the application's data through the SSH tunnel to sshd on Host B; sshd then delivers the data to the application's server, listening on port 27.