SSH Tunneling And Reverse SSH Tunnel
2013-04-22 15:57:01 阿炯

SSH Port Forwarding

ssh -L localport:host:hostport user@ssh_server -N

-L - port forwarding parameters (see below)
localport - local port (chose a port that is not in use by other service)

host - server that has the port (hostport) that you want to forward

hostport - remote port

-N - do not execute a remote command, (you will not have the shell, see below)

user - user that have ssh access to the ssh server (computer)

ssh_server - the ssh server that will be used for forwarding/tunneling

Without the -N option you will have not only the forwardig port but also the remote shell. Try with and without it to see the difference. 

1. Privileged ports (localport lower then 1024) can only be forwarded by root. 

2. In the ssh line you can use multiple -L like in the example... 

3. Of course, you must have ssh user access on secure_computer and moreover the secure computer must have access to host:hostport

4. Some ssh servers do not allow port forwarding (tunneling). See the sshd man pages for more about port forwarding (the AllowTcpForwarding keyword is set to NO in sshd_config file, by default is set to YES)... 

ssh -L user@computer -N 
ssh -L -L user@computer -N

The second example (see above) show you how to setup your ssh tunnel for web, pop3and smtp. It is useful to recive/send your e-mails when you don't have direct access to the mail server. 
For the ASCII art and lynx browser fans here is illustrated the first example: 
+----------+<--port 22-->+----------+<--port 80-->o-----------+ 
|SSH Client|-------------|ssh_server|-------------|   host    | 
+----------+             +----------+             o-----------+ 
localhost:8888              computer 

...And finally: 
Open your browser and go to http://localhost:8888 to see if your tunnel is working. 

The SSH man pages say: 

-L port:host:hostport 
 Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side.  This  works by allocating a socket to listen to port on the local side,  and whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the remote machine.  Port forwardings can also be specified in the configuration file.  Only root can forward privileged ports.  IPv6 addresses can be specified with an alternative syntax: port/host/hostport 

-N Do not execute a remote command.  This is useful for just forwarding ports (protocol version 2 only). 

关于'Tunneling protocol'
Secure shell tunneling

A secure shell (SSH) tunnel consists of an encrypted tunnel created through a SSH protocol connection. Users may set up SSH tunnels to transfer unencrypted traffic over a network through an encrypted channel. For example, Microsoft Windows machines can share files using the Server Message Block (SMB) protocol, a non-encrypted protocol. If one were to mount a Microsoft Windows file-system remotely through the Internet, someone snooping on the connection could see transferred files. To mount the Windows file-system securely, one can establish a SSH tunnel that routes all SMB traffic to the remote fileserver through an encrypted channel. Even though the SMB protocol itself contains no encryption, the encrypted SSH channel through which it travels offers security.

Reverse ssh tunnel

To set up an SSH tunnel, one configures an SSH client to forward a specified local port to a port on the remote machine. Once the SSH tunnel has been established, the user can connect to the specified local port to access the network service. The local port need not have the same port number as the remote port.

SSH tunnels provide a means to bypass firewalls that prohibit certain Internet services — so long as a site allows outgoing connections. For example, an organization may prohibit a user from accessing Internet web pages (port 80) directly without passing through the organization's proxy filter (which provides the organization with a means of monitoring and controlling what the user sees through the web). But users may not wish to have their web traffic monitored or blocked by the organization's proxy filter. If users can connect to an external SSH server, they can create a SSH tunnel to forward a given port on their local machine to port 80 on a remote web-server. To access the remote web-server, users would point their browser to the local port at http://localhost/.

Some SSH clients support dynamic port forwarding that allows the user to create a SOCKS 4/5 proxy. In this case users can configure their applications to use their local SOCKS proxy server. This gives more flexibility than creating a SSH tunnel to a single port as previously described. SOCKS can free the user from the limitations of connecting only to a predefined remote port and server. If an application doesn't support SOCKS, one can use a "socksifier" to redirect the application to the local SOCKS proxy server. Some "socksifiers" support SSH directly, thus avoiding the need for a SSH client.


关于ssh 重连机制


su comuser -c 'autossh -N -f -M 29001 -R 8081:localhost:80 remote_host' &

1、使用'autossh'工具来maintaining the tunnel

The following will create a port forwarding ssh tunnel between localhost and

When connecting to, the request will be sent to localhost:80. This is good for making a webpage behind a corporate firewall viewable to the outside world.

autossh -M29001 -f -R 8081:localhost:80
            |     |  |   |      |      |          `---The box we are connecting to.  Must be running sshd.
            |     |  |   |      |      |
            |     |  |   |      |      `--------------The port on localhost we want to access from
            |     |  |   |      |
            |     |  |   |      `---------------------The host where the forward will go, relative 
            |     |  |   |                            to the box initiating the tunnel; i.e., localhost
            |     |  |   |                            means the box where this command is run.
            |     |  |   |
            |     |  |   `----------------------------This is the port listens 
            |     |  |                                on to forward through the tunnel
            |     |  | 
            |     |  `--------------------------------Tells ssh to forward from the remote
            |     |                                   host to the local host
            |     |
            |     `-----------------------------------Causes autossh to drop into the background before execution
            `-----------------------------------------Use this monitoring port (must be above 1024 and not currently in use)

You may need to add a -N to the ssh options. You may also want to add -q.
autossh -M 29001 -q -f -N -R 8081:localhost:80

Without them, the -f option complains that it needs a command to fork and will just quit. -N says no command and -q says be quiet. Also if you would like to have a special key with no passphrase you can generate one and then use it via the -i option for ssh.


2、Using OpenSSH's built in connection monitoring

The newer versions of OpenSSH have their own method of checking if the connection is still alive. You can enable this by setting the ServerAliveInterval and ServerAliveCountMax options (either in your ssh_config file or on the command line). For example:
autossh -M 0 -q -f -N -o "ServerAliveInterval 60" -o "ServerAliveCountMax 3" -R 8081:localhost:80

The above command will make ssh send a keep-alive request if no other data has been sent for 60 seconds, if it doesn't receive a reply after 3 attempts it will close the connection. autossh will then detect its been closed and attempt re-establish it.

The "-M 0" option disables autossh's own monitoring which uses separate ports and is less reliable.
Note: this only works with SSH protocol version 2, which is usually enabled by default anyway (because version 1 has security flaws

ssh还可以建立主机之间的网络隧道,尤其是可以提供SOCKS代理(ssh -D)。但用ssh命令建立的隧道可能会受网络的影响而中断,不能为用户提供持续的服务。