Port forwarding is an advanced topic, and not something I require you to know how to do, so don’t worry about it for this lab. It is such a powerful tool though, I would be disappointed if the more adventurous of you didn’t try it.
Here is an example of how to use Local Port Forwarding, which is the most common type. Note that just because you can do something, it doesn’t mean you should. Seek permission from any administrators before potentially violating policy.
In the lecture on SSH, you were given an example of how you could use local port forwarding to tunnel a clear-text protocol inside an encrypted SSH session. Earlier in the course, we implemented a simple, clear-text file-transfer service called “tinyfs”. Let’s enarmour tinyfs so we can use it over the network. We can use a tool such as tcpdump or wireshark to verify that nothing about tinyfs is being sent in the clear over the network.
Start the tunnel (the server's login banner has been removed from the output shown here):

```
ssh -fNL 9000:localhost:900 server1.localdomain
```

See what's listening. You don't need root privileges for this:

```
lsof -Pni
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
ssh 2481 mal 3u IPv6 16213 0t0 TCP [fd6b:4104:35ce:0:a00:27ff:fe99:c27d]:36218->[fd6b:4104:35ce::1]:22 (ESTABLISHED)
ssh 2481 mal 4u IPv6 16285 0t0 TCP [::1]:9000 (LISTEN)
ssh 2481 mal 5u IPv4 16286 0t0 TCP 127.0.0.1:9000 (LISTEN)
```

The first line is the established connection to the SSH service on server1. The other two are the IPv6 and IPv4 listening ports on loopback, TCP/9000.

Start up Wireshark, starting a capture immediately. Don't forget to dismiss the warning window about running as root.

```
sudo -b wireshark -i eth0 -k
```

Connect to our forwarded port:

```
echo -en '/etc/hostname\r\n' | nc -q-1 ::1 9000
OK
server1
```

The "OK" means success, and "server1" is the output from the server.

When you're done, tear down the tunnel. Find the tunnel's process first:

```
ps -eo pid,command | grep ssh
  825 /usr/sbin/sshd
 1256 /usr/bin/ssh-agent /usr/bin/dbus-launch --exit-with-session gnome-session
 2481 ssh -fNL 9000:localhost:900 server1.localdomain
 2601 grep --color=auto ssh
```

Note the PID on the line showing our tunnel (2481 here); that is the process to kill.
Have a look in Wireshark. Did you see any TCP/900 traffic? What if you right-click on one of the SSH packets and select? You should see that nothing is sent in the clear over the Ethernet, and the SSH traffic is unintelligible because it is encrypted.
Repeat the experiment, but this time start the capture on the “lo” loopback interface. What do you find now? Should you be worried?
You may be wondering what the significance of the port numbers 9000 and 900 is. There is nothing really significant here, except that port 900 is the TCP port that our tinyfs service uses, and that port 9000 is above 1024 and so doesn’t need root privileges to accept connections. Otherwise, there is no limitation, so long as the port is not already used. The two port numbers could even be the same, but usually we end up using a high-numbered port for the local side.
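As an added example (not part of the lab), here is a small POSIX sh check that reads `lsof -Pni` output and confirms that the tunnel's listener on a given port is bound only to the loopback addresses, so the clear-text side of the tunnel is reachable from this host alone. The sample lsof text is constructed from the output above, with one invented listener on `*:9001` added so there is something for the check to flag.

```shell
#!/bin/sh
# Added example, not part of the lab: confirm that the ssh -L listener for a
# given port is bound only to loopback, by parsing `lsof -Pni` output.

# Constructed sample, modelled on the lsof output shown in the lab. The last
# line is an invented listener bound to every interface (*:9001), which is
# what you get if the forward is bound to "*" instead of localhost.
SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
ssh 2481 mal 3u IPv6 16213 0t0 TCP [fd6b::c27d]:36218->[fd6b::1]:22 (ESTABLISHED)
ssh 2481 mal 4u IPv6 16285 0t0 TCP [::1]:9000 (LISTEN)
ssh 2481 mal 5u IPv4 16286 0t0 TCP 127.0.0.1:9000 (LISTEN)
ssh 2602 mal 4u IPv4 16400 0t0 TCP *:9001 (LISTEN)'

# tunnel_listeners PORT: read lsof -Pni output on stdin and print one line per
# ssh LISTEN socket on PORT as "host port loopback|EXPOSED".
tunnel_listeners() {
    awk -v port="$1" '
        $1 == "ssh" && $NF == "(LISTEN)" {
            addr = $(NF-1)                  # e.g. [::1]:9000 or 127.0.0.1:9000
            n = split(addr, f, ":")         # the port is the text after the last ":"
            if (f[n] != port) next
            host = substr(addr, 1, length(addr) - length(f[n]) - 1)
            tag = (host == "127.0.0.1" || host == "[::1]") ? "loopback" : "EXPOSED"
            print host, f[n], tag
        }'
}

# tunnel_is_local_only PORT: succeed only if PORT has at least one ssh listener
# and none of them is reachable from other hosts.
tunnel_is_local_only() {
    out=$(tunnel_listeners "$1")
    [ -n "$out" ] && ! printf '%s\n' "$out" | grep -q EXPOSED
}

# On a live system, replace the sample with: lsof -Pni | tunnel_listeners 9000
printf '%s\n' "$SAMPLE_LSOF" | tunnel_listeners 9000
if printf '%s\n' "$SAMPLE_LSOF" | tunnel_is_local_only 9000; then
    echo "port 9000: loopback only"
fi
```

Even when the listener is loopback-only, remember that the traffic between nc and the tunnel travels over "lo" in the clear, which is what the second Wireshark capture above shows.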