Yes, you have to specify a destination IP and port when using local forwarding. From man ssh
:
-L [bind_address:]port:host:hostport
Specifies that the given port on the local (client) host is to be
forwarded to the given host and port on the remote side.
Clearly, only the bind address is optional.
No, you can't specify a destination host or port when using dynamic forwarding. In dynamic forwarding, SSH acts as a SOCKS proxy. Again from the manpage (emphasis mine):
-D [bind_address:]port
Specifies a local “dynamic” application-level port forwarding.
This works by allocating a socket to listen to port on the local
side, optionally bound to the specified bind_address. Whenever a
connection is made to this port, the connection is forwarded over
the secure channel, and the application protocol is then used to
determine where to connect to from the remote machine. Currently
the SOCKS4 and SOCKS5 protocols are supported, and ssh will act
as a SOCKS server.
With -L
, SSH makes no attempt to understand the traffic. It just sends everything it receives on the local port to the target port - you determine the target port at the time the connection is made. With -D
, SSH acts as a proxy server, and therefore can handle connections from multiple ports (for example, a browser configured to use it as a SOCKS proxy can then access HTTP, HTTPS, FTP, etc. over the same connection). And like with other proxy servers, it will use the traffic to determine the destination.
1 - general case
Suppose you have two server in a company network.
From local server "L1" you have access to a remote server "R1" via ssh on port 22.
The server R1 host a web service, but firewall/NAT/whatever block direct access to port 80.
"R1" can't access "L1" directly due to NAT issue.
from L1 you connect using (same user on both host)
ssh -L 10080:localhost:80 -R 10022:localhost:22 R1
now,
-L 10080:localhost:80
local browsing on 10080 will be forward to distant host (R1), localhost (e.g. distant 127.0.0.1) on port 80, thus you could browse distant host (R1), while blocked by firewall/NAT.
-R 10022:localhost:22
remote use of port 10022 will be forwarded to localhost (L1) port 22, you can initiate scp/ssh from remote to localhost. (using scp -P 10022 file localhost:
(note upper -P
) )
This is actually a command line I use from an Ubuntu (14.04) laptop to go to production server (I can firefox to localhost:10080 and use scp from server to localhost:10022 to bring back file )
now your IP are
192.168.1.1 L1
172.17.17.1 R1
you use
ssh -L 10080:172.17.17.3:80 -R 10022:192.168.1.5:22 \
-L 192.168.1.9:8888:172.17.17.9:9999 R1
now
- distant access to port 10022 (any IP) will be forwarded to local 192.168.1.5 ssh/scp.
- local access to port 10080 (any IP) will be forwarded to distant host 172.17.17.3 port 80.
- local access to port 8888 from 192.168.1.9 will be forwarded to port 9999 on 172.17.17.9 (192.168.1.9 is a local address in L1, using alias mecanism, this is not a firewall rule).
those setting can be used on putty/bitwise client
Ask Ubuntu question
what about
-R 8000:localhost:80
this read as
-R
remote
8000
port 8000 (remote port 8000 ... )
localhost
(remote port 8000 goest to localhost .. )
80
( remote port 8000 goes to localhost port 80 )
Best Answer
You should add
-N
to avoid getting a shell on the remote, and-f
to move the process to the background without losing it if you close the shell.