SSH port forwarding howto, article 2 (reprinted)


From: http://manas.tungare.name/blog/ssh-port-forwarding-on-mac-os-x/

After spending about an hour figuring out what should, in theory, be a simple matter, I figured I'd write a blog post that might one day save another soul an hour or so from his or her life. So, for good karma, basically. In the past, I have set up port forwarding on Linux, Mac OS X and Windows, so I was a little worried that it took me about an hour trying to appease the SSH deities (and daemons).

The command itself is just a single line; the devil is in the parameters. I'm splitting the command over several lines and adding line numbers to illustrate the details and separate the parts of the long-ish command for easier explanation. Feel free to type it all on a single line (after removing the line numbers and the line-break markers ("\"), of course!)

    1. ssh \
    2.   -L local_port:service_host:service_port \
    3.   -p ssh_server_port \
    4.   -l ssh_server_username \
    5.   -N \
    6.   ssh_server_host

Parameters

Now for the various parameters used in the command above. Some of them may be omitted if the defaults are used, but I have included all of them in the example above to cover the most general case.

local_port

The port on your local machine that your local program expects to be able to connect to. If this is one of the reserved ports (i.e., under 1023), you will have to run your SSH tunnel command as root (using sudo). Ports above 1024 are freely available for any user to listen on.

service_host

The fully-qualified domain name or the IP address of the server that is hosting the service that you wish to connect to. For example, if this is a web site, it could be Google.com or Yahoo.com. It does not have to be under your control, nor does it have to be the machine that you're SSHing into. It is just any host on the Internet that you can access from ssh_server_host. Often this is a server you are not allowed to access from your own machine, e.g. a chat server or IRC server. Or you may wish to hide the fact from the administrator of your local network that you are connecting to this server (e.g. when you're out at a coffee shop on a sniffable insecure wireless network, or in a country with laws forbidding access to free information.)

Important: If you're trying to access a service running on the same machine as ssh_server_host, remember to use 127.0.0.1, not localhost. What's the difference, you say? Well, since IPv6 is here to stay, localhost can map to either 127.0.0.1 (IPv4) or ::1/128 (IPv6). If your applications aren't all IPv6-compliant, this can cause some headache. Hopefully, we will all be on IPv6 in the near future, but till then, this is a way to make things work. If you're trying to use IPv6, you need to use local_port/service_host/service_port (slashes instead of colons.)

service_port

The port number on which the desired service is running. Here are some common port numbers:

    Service                  Port
    Web: HTTP                80
    Web over SSL: HTTPS      443
    Outgoing email: SMTP     25
    Incoming email: POP3     110
    Incoming email: IMAP     143
    VNC                      5900
    iTunes music sharing     3689

ssh_server_host

The machine that you're sshing into. This is the one that is running sshd, the SSH daemon.

ssh_server_port

The port number on which the SSH daemon is listening on ssh_server_host. This is most likely 22; you should only use a different value if your sysadmin has told you that the SSH server is running on another port (or if you're a sysadmin yourself and you set up your SSH server to run on a non-standard port for security through obscurity.)

ssh_server_username

The username you would use to connect to ssh_server_host in a regular SSH session. This may or may not be the same as the username you currently use on your local machine.

The entire command, line by line
  1. Line 1 simply calls the SSH program.
  2. Line 2 sets up the port forwarding. The -L parameter specifies that this is a remote-to-local tunnel. If you wanted to create a local-to-remote tunnel, you'd have used -R instead of -L. The next three parameters are from our list above, separated by colons. (Use slashes instead of colons for IPv6.) If you want to set up multiple tunnels from the same host, simply repeat line 2 as many times as you'd like, once for each set of local_port:service_host:service_port.
  3. Line 3 selects a port on ssh_server_host to connect to. Omit this line if you're connecting to the default port 22.
  4. Line 4 specifies the username to use on ssh_server_host. It is also possible to use the ssh_server_username@ssh_server_host syntax instead of the -l parameter.
  5. Line 5 indicates to SSH that no commands be run on the remote system. Since you're using this SSH connection simply for tunneling, this is a useful option to set.
  6. Line 6 contains the most basic parameter of this entire process. Please don't get this wrong.

Common Errors and Solutions

Problem: Error message: channel 3: open failed: connect failed: Connection refused
Solution: Change localhost to 127.0.0.1 in the ssh -L parameter.

Problem: Cannot listen on port X on local machine because of network policies.
Solution: Try to use another port locally. Ports such as 3306 (MySQL) may have been left open. These are good to use for SSH tunneling if you aren't already running MySQL.

Problem: Error message: Privileged ports can only be forwarded by root.
Solution: Use a port above 1024, or try to set up the SSH tunnel as root.

Problem: Error message:
    bind: Address already in use
    channel_setup_fwd_listener: cannot listen to port: xxxx
    Could not request local forwarding.
Solution: Some local server process is already listening on the local port you're trying to forward. Pick a different local port and configure your program to connect to that port instead. If your program cannot be configured to listen to a different port, try to find what server process is occupying that port (netstat -a on Linux or lsof -i -P on Mac OS X) and stop it. Retry setting up the tunnel.

Problem: I want other hosts on my network to be able to use the tunnel I established. (By default, only local clients can connect to SSH tunnels established this way.)
Solution: Use the -g option when setting up the tunnel. Realize that this is insecure, but it may make sense in certain scenarios.

Problem: I don't know what local port is available for me to use.
Solution: These commands will show you the ports that are in use:
    Linux: netstat -a | grep LISTEN
    Mac OS X: lsof -i -P | grep LISTEN
Generally, you can pick any that's not already taken. To make sure you're not breaking some other unknown protocol, check the IANA well-known port numbers list and pick one that's not taken.

If you've not been able to debug this so far, try passing the -v parameter to SSH to see verbose output. Add another -v for more verbose output.
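
The checks from the error list above can be run before ssh is ever started. The following is an added example, not code from the original post: the function names, the TUNNEL_UID override and the sample host names are assumptions made for illustration, while the explicit 127.0.0.1 bind address on -L and -o ExitOnForwardFailure=yes are standard OpenSSH features that the post itself does not use.

```shell
# Added example: build the tunnel command only after the checks from the
# error list pass. Helper names are hypothetical; the ssh options are real.

# valid_port N: true when N is an integer in 1..65535.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_tunnel_cmd LOCAL_PORT SERVICE_HOST SERVICE_PORT USER SSH_HOST [SSH_PORT]
# Prints the ssh command line; on a failed check prints the reason to stderr
# and returns non-zero (2 = bad port number, 3 = privileged port, not root).
build_tunnel_cmd() {
  lport=$1 shost=$2 sport=$3 user=$4 host=$5 port=${6:-22}
  uid=${TUNNEL_UID:-$(id -u)}   # assumption: override hook so the check is testable

  for p in "$lport" "$sport" "$port"; do
    valid_port "$p" || { echo "invalid port: $p" >&2; return 2; }
  done

  # "Privileged ports can only be forwarded by root."
  # Conventional Unix rule: ports below 1024 need root to listen on.
  if [ "$lport" -lt 1024 ] && [ "$uid" -ne 0 ]; then
    echo "local port $lport needs root; pick a higher port" >&2
    return 3
  fi

  # "connect failed: Connection refused": localhost may resolve to ::1 on the
  # SSH server, so pin the service host to the IPv4 loopback address.
  if [ "$shost" = "localhost" ]; then shost=127.0.0.1; fi

  # The explicit 127.0.0.1 bind keeps the listener on loopback (the opposite
  # of -g). ExitOnForwardFailure makes ssh exit instead of staying connected
  # without a tunnel when the local port is already in use.
  printf 'ssh -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:%s -p %s -l %s -N %s\n' \
    "$lport" "$shost" "$sport" "$port" "$user" "$host"
}

# Constructed sample values: forward local 8080 to a web server on the SSH host.
build_tunnel_cmd 8080 localhost 80 alice gw.example.com 2222
```

The function only prints the command, so the result can be reviewed before it is run.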

If you're reading this, and come across any specific source of trouble, please let me know so I can add it to this mini howto.
