
Forwarding TCP ports through PuTTY

January 27th, 2008 admin

Port forwarding over SSH lets you create a virtual TCP port that is tunneled through an SSH connection, even into local networks. There are many tutorials on the net, but they seemed complicated to me, so I wrote this quick tutorial using some example cases. For port forwarding you need an SSH client (for example PuTTY) and an SSH server on the server (for example sshd running on your router).

There are 2 main port forwarding cases:

  • Local port forwarding
  • Remote port forwarding

Local port forwarding using PuTTY

When you will need this: You can access one computer in a particular network (it has a public IP, or port forwarding is enabled on the NAT), but you cannot access the local computers in that network.

For example: You want to connect from work to port 80 (webserver) of your home PC, which has the local IP 192.168.1.100. You cannot do this directly, because this IP is hidden inside the LAN. So you make an SSH connection to some device with a public IP (e.g. router, server) where an SSH server is running, and tunnel a port from your localhost to 192.168.1.100 port 80.

[Figure: Local port forwarding - Visio]

In PuTTY on your client computer, enter the hostname of your server with the public IP.
[Figure: Local port forwarding - host]

Then create a record for port forwarding. Port 5050 on your local machine will be forwarded to port 80 at 192.168.1.100 in your home network. Don’t forget to press the “Add” button.
[Figure: Local port forwarding - tunnel]

Now you can connect to your SSH server using the “Open” button. After you log in successfully, you can connect to localhost at port 5050, which will be forwarded to 192.168.1.100 at port 80. So in this case, when forwarding a webserver port, you can enter http://localhost:5050 in your web browser.

Remote port forwarding

When you will need this: You are in the local network and you can publish any of the network’s services to the internet, even if your provider has neither a server with a public IP nor an SSH server.

For example: You are at school and you like the FTP server at 192.168.1.100 (port 23). You want to connect to this FTP server from your dormitory. You cannot use “local port forwarding”, because the school doesn’t have an SSH server on a public IP or you don’t have access to it. The solution is simple: you forward port 23 to your own SSH server anywhere on the internet.

[Figure: Remote port forwarding - Visio]

In the LAN (where you have access to the computer 192.168.1.100, port 23) you create an SSH connection to the hostname of your publicly accessible SSH server.
[Figure: Remote port forwarding - host]

In the tunnel settings, specify the following. Don’t forget to check “Remote” and “Local ports accept connections from other hosts” (DANGEROUS).
[Figure: Remote port forwarding - tunnel]

As soon as you establish the SSH connection to your public SSH server, anyone on the internet can access port 5050 on your SSH server and connect to the local computer 192.168.1.100, which was previously protected by NAT. This is of course dangerous if you don’t know what you are doing.

These connections work as long as the SSH tunnel is open from the LAN (school) network.

Better solution - combine remote and local port forwarding

Because remote port forwarding by itself can be pretty dangerous, a better solution is to combine both.

Steps:

  • From your school, create an SSH connection to your SSH server (exactly as described in the “remote port forwarding” part), but do not enable “Local ports accept connections from other hosts”. This means that localhost on the SSH server can access this port, but no one from an outside network can.
  • From your dormitory, create an SSH local port forwarding connection to your public SSH server. Forward local port 5051 to 127.0.0.1:5050 (localhost at the SSH server).
  • Now you can access 192.168.1.100:23 at your school from your dormitory using localhost:5051. So for example: ftp://localhost:5051
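
A check for the exposure described above, as an added example that is not part of the original post: run on the public SSH server, it reads `ss -tln` output and reports whether the forwarded port (5050 in this tutorial) listens only on loopback or on an address other hosts can reach. The `classify_listener` function and the sample listings are constructed for illustration and assume a Linux server with `ss`.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes a Linux SSH server
# where `ss -tln` is available; 5050 is the forwarded port used on this page.

# classify_listener PORT: reads `ss -tln` text on stdin and prints
#   exposed   PORT listens on a wildcard or other non-loopback address
#   loopback  PORT listens only on 127.0.0.0/8 or ::1
#   none      nothing listens on PORT
classify_listener() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4                          # "Local Address:Port" column
            n = split(addr, parts, ":")
            if (parts[n] != port) next         # last field is the port
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            if (host ~ /^127\./ || host == "[::1]") loopback = 1
            else exposed = 1
        }
        END {
            if (exposed) print "exposed"
            else if (loopback) print "loopback"
            else print "none"
        }'
}

# Constructed sample: remote forward that accepts connections from other hosts.
SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      128          0.0.0.0:5050      0.0.0.0:*
LISTEN 0      128             [::]:5050         [::]:*'

# Constructed sample: the combined setup, forward bound to localhost only.
SAMPLE_LOOPBACK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      128        127.0.0.1:5050      0.0.0.0:*
LISTEN 0      128            [::1]:5050         [::]:*'

printf '%s\n' "$SAMPLE_EXPOSED"  | classify_listener 5050
printf '%s\n' "$SAMPLE_LOOPBACK" | classify_listener 5050

# On the live server: ss -tln | classify_listener 5050
```

A result of `exposed` while the school tunnel is up means the forward is reachable from other hosts, which is the situation the combined setup is meant to avoid.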

Comments, questions

If you have any questions, please add a comment below.
