*bump* (added a new section about getting to other machines on the remote network via port forwarding) - Originally posted on Jan 11, 2010 @ 7:08:50 PM.
This blog post is primarily for my own reference, to avoid having to dig through the manual to look up the occasional edge case.
How to use SSH to do port forwarding. These assume you're on a Unix-like system (Linux or OS X) and not using some lame Windows client like PuTTy.
ssh -R 9022:localhost:22 remotehost.comThis will open port
9022on remotehost.com (loopback only; you can only connect to 9022 from the local remotehost.com, not from elsewhere on the internet), and forward it to "
localhost:22", where "localhost" refers to your computer at the office, and 22 is of course the SSH port.
By default the remote host only would make port 9022 available on the loopback address, so from your home PC you can do
ssh -p 9022 localhost and connect to it, but you can't do e.g.
ssh -p 9022 remotehost.com and connect to it from somewhere else on the Internet.
To open the port on all interfaces (thus making it available on the internet too):
ssh -R *:9022:localhost:22 remotehost.comReplace the
*with any other bind address if you want.
ssh -L 8080:localhost:80 remotehost.comHere,
8080is opened on your office computer, for the loopback interface only, and
localhost:80refers to port 80 on the remote (home) computer. It's the reverse of
Then you open Firefox and go to
http://localhost:8080/ and yer in.
Another example: you have a VNC (remote desktop) server running on remotehost.com, but the VNC protocol itself is insecure, and you don't want your password being sent across the network in clear text to log in. So, you need your VNC traffic to be encrypted via SSH.
Here, remotehost.com is listening on port
5900 (the VNC port). You want to open a port on your local computer to the same number, so that you connect a VNC client to "localhost:5900" and it really connects you to "remotehost.com:5900" over a secure SSH tunnel:
ssh -L 5900:localhost:5900 remotehost.comThen with your VNC client, just connect it to "localhost".
ssh -L 5900:10.10.1.101:5900 remotehost.comHere "remotehost.com" goes to the main PC which I can access.
This opens up a listening port 5900 on my local (office PC) -- the first 5900 in the command -- and if I connect to it, it will use remotehost.com as a jumping off point to connect onward to 10.10.1.101:5900 (the laptop with a private LAN IP address on the remote network).
Then I point my VNC client at "localhost" and I end up with remote desktop on the laptop.
ssh -D 8080 remotehost.comNow you can configure your programs (e.g. Pidgin, Firefox) to use a SOCKS 5 proxy and have them connect to
localhost:8080. All their internet traffic will be routed through the SSH tunnel to remotehost.com, secured, and then enter the cloud from there.
Additionally, this can be used to reach other devices on the remote server's LAN that you otherwise couldn't get to. For example, turn on your proxy settings in Firefox and you can navigate to http://192.168.1.1/ to log into the router from the remote LAN (as opposed to a router on your local LAN). The SOCKS 5 proxy would cause Firefox (or any other app configured to use it) to use "remotehost.com" as a jumping off point into the internet, so it can connect to other local network devices on its end just the same.