version 1.401, 2019/03/05 16:17:12 |
version 1.402, 2019/03/16 19:14:21 |
|
|
when errors are being written to stderr. |
when errors are being written to stderr. |
.El |
.El |
.Sh TCP FORWARDING |
.Sh TCP FORWARDING |
Forwarding of arbitrary TCP connections over the secure channel can |
Forwarding of arbitrary TCP connections over a secure channel |
be specified either on the command line or in a configuration file. |
can be specified either on the command line or in a configuration file. |
One possible application of TCP forwarding is a secure connection to a |
One possible application of TCP forwarding is a secure connection to a |
mail server; another is going through firewalls. |
mail server; another is going through firewalls. |
.Pp |
.Pp |
In the example below, we look at encrypting communication between |
In the example below, we look at encrypting communication for an IRC client, |
an IRC client and server, even though the IRC server does not directly |
even though the IRC server it connects to does not directly |
support encrypted communications. |
support encrypted communication. |
This works as follows: |
This works as follows: |
the user connects to the remote host using |
the user connects to the remote host using |
.Nm , |
.Nm , |
specifying a port to be used to forward connections |
specifying the ports to be used to forward the connection. |
to the remote server. |
After that it is possible to start the program locally, |
After that it is possible to start the service which is to be encrypted |
|
on the client machine, |
|
connecting to the same local port, |
|
and |
and |
.Nm |
.Nm |
will encrypt and forward the connection. |
will encrypt and forward the connection to the remote server. |
.Pp |
.Pp |
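Review bot: "start the service which is to be encrypted on the client machine" (replacing "start the program locally") misnames what is started, since in this scenario it is the client program (the IRC client), not a service; the later hunk calls the same thing "the program which is going to use the tunnel", so the two should agree, e.g. "start the client program on the client machine, connecting to the same local port". The new "specifying the ports to be used to forward the connection" would also read more precisely if it said which ports are meant: the local port ssh listens on and the port the connection is delivered to on the remote side, as the two port fields of the `-L 6667:localhost:6667` example show.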
The following example tunnels an IRC session from client machine |
The following example tunnels an IRC session from the client |
.Dq 127.0.0.1 |
to an IRC server at |
(localhost) |
|
to remote server |
|
.Dq server.example.com : |
|
.Bd -literal -offset 4n |
|
$ ssh -f -L 1234:localhost:6667 server.example.com sleep 10 |
|
$ irc -c '#users' -p 1234 pinky 127.0.0.1 |
|
.Ed |
|
.Pp |
|
This tunnels a connection to IRC server |
|
.Dq server.example.com , |
.Dq server.example.com , |
joining channel |
joining channel |
.Dq #users , |
.Dq #users , |
nickname |
nickname |
.Dq pinky , |
.Dq pinky , |
using port 1234. |
using the standard IRC port, 6667: |
It doesn't matter which port is used, |
.Bd -literal -offset 4n |
as long as it's greater than 1023 |
$ ssh -f -L 6667:localhost:6667 server.example.com sleep 10 |
(remember, only root can open sockets on privileged ports) |
$ irc -c '#users' pinky IRC/127.0.0.1 |
and doesn't conflict with any ports already in use. |
.Ed |
The connection is forwarded to port 6667 on the remote server, |
|
since that's the standard port for IRC services. |
|
.Pp |
.Pp |
The |
The |
.Fl f |
.Fl f |
|
|
.Dq sleep 10 |
.Dq sleep 10 |
is specified to allow an amount of time |
is specified to allow an amount of time |
(10 seconds, in the example) |
(10 seconds, in the example) |
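Review bot: dropping "It doesn't matter which port is used, as long as it's greater than 1023 (remember, only root can open sockets on privileged ports) and doesn't conflict with any ports already in use" removes the only explanation of why the local port may be chosen freely, and with the new example using 6667 on both ends (`-L 6667:localhost:6667`) a reader can conclude the two ports must match. Suggest keeping a one-line note that the first field of `-L` is the arbitrary local listening port and only needs to be unprivileged and unused, while the last field is the port on the destination; it would also help to say that `localhost` in the forward specification is resolved on server.example.com, which is why the new prose can describe the target as "an IRC server at server.example.com" after the old "forwarded to port 6667 on the remote server" sentence was removed.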
to start the service which is to be tunnelled. |
to start the program which is going to use the tunnel. |
If no connections are made within the time specified, |
If no connections are made within the time specified, |
.Nm |
.Nm |
will exit. |
will exit. |