Port forwarding, or tunneling, is a way to forward insecure TCP (not UDP) traffic through SSH. For example, you can secure POP3, IMAP, SMTP, and HTTP connections that would otherwise be insecure. There are two kinds of port forwarding: local and remote forwarding. They are also called outgoing and incoming tunnels, respectively. In SSH Tectia Client it is also possible to configure local port forwarding as dynamic port forwarding, where the destination host and port values will be provided by the application using the ssh tunnel instead of predefined values in the SSH Tectia Client configuration.
Port Forwarding Using The Command Line Client

1. Local / Outgoing forwards traffic coming to a local port to a specified remote port. For example, if you issue the command:

    ssh2 -L 2323:application_server:23 user@ssh_server

   All traffic which comes to port 2323 on the client will be forwarded securely up to the ssh_server and from there unencrypted to port 23 (telnet) on the application_server.

2. Remote / Incoming port forwarding does the opposite: it forwards traffic coming to a remote port to a specified local port. For example, if you issue the command:

    ssh2 -R 23:client_host:2323 user@ssh_server

   All traffic which comes to port 23 on the server will be forwarded securely to port 2323 on the client. Note that only root/administrator can forward privileged ports.
Dynamic Port Forwarding Using The Command Line Client

In dynamic port forwarding the SSH Tectia Client mimics a SOCKS server and dynamically forwards the connections securely to the SSH Tectia Server host. The application using the ssh tunnel (for example an email client) will have to support SOCKS4 or SOCKS5 protocol and it has to be able to connect to a firewall (the SSH Tectia Client in this case) on localhost. Dynamic Local / Outgoing forwardings are created as requested by the SOCKS transaction. For example, if you issue the command:

    ssh2 -L socks/1234 user@ssh_server

The SSH Tectia Client requests a listener for port 1234 and will act as a SOCKS server while the connection to the ssh_server is established. When the client application to be tunnelled is configured to use "firewall" on localhost port 1234, the connections will be forwarded securely up to the ssh_server and from there unencrypted to the destination host and port specified in the client application itself.
answered Dec 30 '10 at 15:21
SSH KB ♦
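
The SOCKS transaction mentioned in the answer above, as an added example that is not part of the original answer and is not SSH Tectia code: a small Python parser for the SOCKS4, SOCKS4a and SOCKS5 CONNECT request, showing where the application supplies the destination host and port that dynamic forwarding then uses. The function name and the sample requests are constructed for illustration.

```python
import ipaddress
import struct

def parse_socks_connect(data: bytes):
    """Return (version, address_kind, host, port) from a SOCKS CONNECT request."""
    if len(data) < 2 or data[1] != 1:          # CMD 1 = CONNECT
        raise ValueError("not a SOCKS CONNECT request")
    if data[0] == 4:
        # SOCKS4: VER CMD DSTPORT(2) DSTIP(4) USERID NUL [HOSTNAME NUL]
        if len(data) < 9:
            raise ValueError("truncated SOCKS4 request")
        port = struct.unpack("!H", data[2:4])[0]
        ip = data[4:8]
        user_end = data.index(b"\x00", 8)      # ValueError if unterminated
        if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:
            # SOCKS4a: DSTIP 0.0.0.x means a host name follows the user id
            name_end = data.index(b"\x00", user_end + 1)
            return ("4a", "hostname", data[user_end + 1:name_end].decode("ascii"), port)
        return ("4", "ipv4", str(ipaddress.ip_address(ip)), port)
    if data[0] == 5:
        # SOCKS5 (after method negotiation): VER CMD RSV ATYP DST.ADDR DST.PORT
        if len(data) < 5:
            raise ValueError("truncated SOCKS5 request")
        atyp = data[3]
        if atyp == 3:                          # length-prefixed host name
            start, size, kind = 5, data[4], "hostname"
        elif atyp in (1, 4):                   # raw IPv4 / IPv6 address
            start, size, kind = 4, (4 if atyp == 1 else 16), ("ipv4" if atyp == 1 else "ipv6")
        else:
            raise ValueError("unknown SOCKS5 address type")
        end = start + size
        if len(data) < end + 2:
            raise ValueError("truncated SOCKS5 request")
        raw = data[start:end]
        host = raw.decode("ascii") if atyp == 3 else str(ipaddress.ip_address(raw))
        return ("5", kind, host, struct.unpack("!H", data[end:end + 2])[0])
    raise ValueError("unsupported SOCKS version")

# Constructed sample requests, as an application pointed at localhost:1234 would send them.
SOCKS4_TELNET = b"\x04\x01" + struct.pack("!H", 23) + bytes([192, 0, 2, 10]) + b"user\x00"
SOCKS5_IMAP = (b"\x05\x01\x00\x03" + bytes([len(b"mail.example.com")])
               + b"mail.example.com" + struct.pack("!H", 143))

if __name__ == "__main__":
    for request in (SOCKS4_TELNET, SOCKS5_IMAP):
        print(parse_socks_connect(request))
```

Because the destination comes from the application rather than from the SSH configuration, the unencrypted leg from the ssh_server can reach any host and port the application asks for.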