SSH Port Forwarding
On Linux systems it is common to use SSH to forward ports between two hosts. This short tutorial will introduce the -L, -R, and -D flags to ssh. Wherever “mo.ece.pdx.edu” is listed, one can also use any other Linux host in MCECS.
If you are attempting to port-forward to a firewalled Linux computer, you will need to make sure that your own computer is connected to one of our VPNs. Popular Linux hosts that are firewalled include:
- auto.ece.pdx.edu, mo.ece.pdx.edu, archive.cecs.pdx.edu
- Computers in the CS Particle Lab (FAB 88-09)
There are many other Linux computers that do not require you to use a VPN.
SSH -L stands for local forwarding. Its syntax is ssh -L port:host:hostport remotehost. This allows you to connect a local port to a remote port over an encrypted ssh tunnel.
To see it in action:
ssh -L 5901:localhost:5901 joeuser@mo.ece.pdx.edu
This command forwards vnc over ssh so that the user can use vnc securely. The user can then connect to it using e.g. vncviewer localhost:1.
SSH -R stands for remote forwarding. Its syntax is ssh -R port:host:hostport remotehost. This allows you to connect a remote port to a local port over an encrypted ssh tunnel.
To see it in action:
ssh -R 5800:localhost:22 joeuser@mo.ece.pdx.edu
This command forwards port 22 from the host machine into port 5800 on mo.ece.pdx.edu (or auto.ece.pdx.edu). This means you can ssh mo.ece.pdx.edu -p 5800 and it will be the same as sshing into the original box.
SSH -D is for dynamic application-level port forwarding. Its syntax is ssh -D port remotehost. It allows you to put up a SOCKS proxy over an encrypted ssh tunnel.
To see it in action:
ssh -D 2100 joeuser@mo.ece.pdx.edu
This command forwards all trafic requested of localhost:2100 through mo.ece.pdx.edu. You can configure Chromium or Firefox to use localhost:2100 as a SOCKS5 proxy and be sure that all your http traffic is being tunneled over ssh.
When to use which one:
SSH -L is good for exposing a remote port locally. SSH -R is good for accessing a box hidden behind a NAT. SSH -D is good for tunneling your web traffic in an environment you don’t completely trust.