Practical Security: Creating SSH Tunnels: Page 2

(Page 2 of 2)

Before running this command, I ran this netstat command to see if anything on my laptop "dink" was listening on port 8143:

dink:~ jmjones$ netstat -an | grep 8143
dink:~ jmjones$

Nothing was listening. After creating the tunnel, I re-ran the same netstat command and saw different results:

dink:~ jmjones$ netstat -an | grep 8143
tcp4       0      0         *.*                    LISTEN
tcp6       0      0  ::1.8143

As you can see from the second netstat comand, something (my ssh client) is listening on port 8143 on (the local loopback network device) on my laptop "dink." Any connection made to on "dink" will be forwarded to port localhost:143 on "ezr." After creating the tunnel, I just need to configure an account on my laptop's email client to look for an imap server at localhost:8143 and it will begin reading mail on "ezr."

Given the same machines, "ezr" and "dink," let's assume this time that I want the server "ezr" to use fetchmail and pull mail messages off of my ISP's pop3 server. The problem is that my ISP only allows machines that are connected to their network to access their pop3 servers. Since my laptop, "dink," is connected directly to my ISP and the server, "dink," is not, I could create a tunnel like this:

dink:~ jmjones$ ssh -R 8110:mail.myisp.com:110 ezr

The "-R" in the command specifies that this will be a reverse forward. The "8110" in the command specifies that the remote server will bind and listen on port 8110 as the source of the tunnel. The "mail.myisp.com:110" specifies where my laptop will forward any traffic that it receives from the tunnel. And "ezr" is the machine to ssh into.

Before running this ssh command from my laptop, I ran a netstat command on the server, "ezr," to show that nothing was listening on port 8110:

jmjones@ezr:~$ netstat -an | grep 8110

Nothing was listening. After running the ssh command on my laptop "dink," I ran the same netstat command on the server, "ezr":

jmjones@ezr:~$ netstat -an | grep 8110
tcp        0      0*               LISTEN
tcp6       0      0 ::1:8110                :::*                    LISTEN

After the tunnel is created, fetchmail can run on "ezr," pop messages off of localhost:8110, and the request will be forwarded to my ISP. Of course, the tunnel will only be active while the laptop has a connection to both the server "ezr" and the ISP's mail server.


Tunneling with ssh is an easy way to create secure data transmissions. It is also a convenient way of connecting two networks that aren't directly connected. It can become an irreplaceable tool once you figure out ways you can use it.

This article was first published on EnterpriseITPlanet.com.

Page 2 of 2

Previous Page
1 2

0 Comments (click to add your comment)
Comment and Contribute


(Maximum characters: 1200). You have characters left.



IT Management Daily
Don't miss an article. Subscribe to our newsletter below.

By submitting your information, you agree that datamation.com may send you Datamation offers via email, phone and text message, as well as email offers about other products and services that Datamation believes may be of interest to you. Datamation will process your information in accordance with the Quinstreet Privacy Policy.