6.14. Tunneling Another TCP Session Through SSH
Problem
You want to secure a client/server TCP connection such as POP, IMAP, NNTP (Usenet news), IRC, VNC, etc. Both the client and server must reside on computers that run SSH.
Solution
Tunnel (forward) the TCP connection through SSH. To secure port 119, the NNTP protocol for Usenet news, which you read remotely from news.example.com:
$ ssh -f -N -L12345:localhost:119 news.example.com
While this tunnel is open, read news via local port 12345, e.g.:
$ export NNTPSERVER=localhost $ tin -r -p 12345
Discussion
Tunneling or port forwarding uses SSH to secure another TCP/IP connection, such as an NNTP or IMAP connection. You first create a tunnel, a secure connection between an SSH client and server. Then you make your TCP/IP applications (client and server) communicate over the tunnel, as in Figure 6-1. SSH makes this process mostly transparent.
Figure 6-1. SSH forwarding or tunneling
The SSH command:
$ ssh -f -N -L12345:localhost:119 news.example.com
establishes a tunnel between localhost and news.example.com. The tunnel has three segments:
The newsreader on your local machine sends data to local port 12345. This occurs entirely on your local machine, not over the network.
The local SSH client reads port 12345, encrypts the data, and sends it through the tunnel to the remote SSH server on news.example.com.
The remote SSH server on news.example.com ...
Get Linux Security Cookbook now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
