Programming Languages, Martials Arts and Computers. The Weblog of Chris Double.
SSH provides the ability to tunnel network connections over the encrypted SSH session. This is useful for encrypting what would otherwise be plain text communications or working around restrictive firewalls by tunnelling over an allowed port.
The format of the SSH command to tunnel is:
ssh username@example.com -L <local-port>:<remote-host>:<remote-port> -N
local-port is the port you want to expose on the client machine. This is the port that client programs will connect to. remote-host and remote-port are the destination host and port that you are tunnelling to.
By connecting to localhost:local-port the data is tunnelled to remote-host:remote-port via the server 'example.com'. 'example.com' will need to be able to access remote-host and remote-port. Often remote-host is the same as the SSH server, example.com.
The remote-host name or IP is resolved from the point of view of example.com, so using 127.0.0.1 or localhost as remote-host actually refers to 'example.com' itself.
As an example, if you have a webserver running on 'example.com' that is bound to the localhost interface only, then external applications can't connect to it. You can, however, connect via a tunnel:
ssh user@example.com -L 8080:127.0.0.1:80 -N
Connecting to port '8080' on the client will connect to the port 80 webserver on 127.0.0.1 as seen by example.com, in this case example.com itself.
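The tunnel command above, wrapped in a small script that pins the client-side listener to loopback and makes ssh exit if the forward cannot be set up. This is an added example, not code from the original post; the function names valid_port, forward_spec and open_tunnel are hypothetical, and it assumes remote-host is a hostname or IPv4 address.

```shell
#!/bin/sh
# Added example: build an `ssh -L` invocation with the local end on loopback.

# valid_port N: succeed if N is an integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# forward_spec LOCAL_PORT REMOTE_HOST REMOTE_PORT
# Prints the argument for -L. The explicit 127.0.0.1 bind address keeps the
# listener on the client's loopback interface regardless of the client's
# GatewayPorts setting, so other machines on the client's network cannot
# use the tunnel.
forward_spec() {
    valid_port "$1" || { echo "bad local port: $1" >&2; return 1; }
    valid_port "$3" || { echo "bad remote port: $3" >&2; return 1; }
    # Assumption: hostnames and IPv4 addresses only (no bracketed IPv6).
    case "$2" in
        ''|*[!A-Za-z0-9.-]*) echo "bad remote host: $2" >&2; return 1 ;;
    esac
    printf '127.0.0.1:%s:%s:%s\n' "$1" "$2" "$3"
}

# open_tunnel USER@SERVER LOCAL_PORT REMOTE_HOST REMOTE_PORT
# REMOTE_HOST is resolved by SERVER, not by the client.
open_tunnel() {
    spec=$(forward_spec "$2" "$3" "$4") || return 1
    # ExitOnForwardFailure makes ssh exit instead of sitting idle when the
    # local port cannot be bound (for example, it is already in use).
    ssh -N -o ExitOnForwardFailure=yes -L "$spec" "$1"
}
```

Calling open_tunnel user@example.com 8080 127.0.0.1 80 runs the same tunnel as the webserver example above.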