An SSH tunnel provides an encrypted channel based on the SSH protocol.
An SSH tunnel is a form of tunneling in which TCP traffic originating from and destined to particular TCP ports is carried inside an SSH connection, whose packets are labeled with completely different port numbers (normally port 22 on the server side). The actual source and destination ports of the forwarded traffic are transferred inside the encrypted payload of those packets.
For example, a tunnel between TCP port 1234 on the host machine and port 4321 on the destination machine can be achieved with:
[me@host]$ ssh -L 1234:localhost:4321 me@destination
The general form is -L [bind_address:]port:host:hostport. The localhost parameter is not the bind address on the host machine; it names the address that sshd on the destination machine connects to when a forwarded connection arrives, so localhost:4321 means the destination machine's own loopback interface. The listener on port 1234 is bound to the host machine's loopback interface by default; prefixing an explicit bind address (for example -L 0.0.0.0:1234:localhost:4321) makes it reachable from other machines as well. In other words, traffic sent to localhost:1234 on the host machine is transferred over the ssh connection and given to the destination machine as if it had arrived at port 4321 on the destination machine.
An SSH tunnel therefore allows the transfer of otherwise unencrypted traffic over a secure (encrypted) channel. All forwarded connections are carried as channels over the single TCP connection between an ephemeral port on the host machine and port 22 (or another port if sshd is running on a non-standard port), and are treated like any other SSH traffic, encrypted with the cipher negotiated by the SSH transport layer. SSH has its own transport-layer encryption and does not use SSL/TLS.
SSH tunneling is often used to bypass limitations imposed by NATs and firewalls, which may restrict access to certain ports on a destination machine. The same property makes it a way around network policy, so administrators who do not want a server used as a tunnel endpoint can restrict forwarding in sshd_config with the AllowTcpForwarding and PermitOpen options.
A reverse SSH tunnel can be achieved with -R, for example:
[me@host]$ ssh -R 1234:localhost:4321 me@destination
This has the effect that traffic directed to localhost:1234 on the destination machine is passed back over the SSH connection to the host machine as if it had arrived on port 4321 on the host machine. Here the listener is created by sshd on the destination machine and the connection to port 4321 is made by the ssh client on the host machine, so the roles of the two ends are mirrored. By default sshd binds that remote listener to the destination machine's loopback interface only; binding it to other addresses requires the GatewayPorts option in sshd_config.
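The following is an added example, not code from the page or from OpenSSH: a user-space model of the plumbing that -L and -R set up, namely a listener on one side, a connect() on the other and a byte-for-byte relay between them. It leaves out the SSH transport entirely (no encryption, no sshd), so it runs offline against a constructed echo service standing in for "port 4321". The names (start_forwarder, round_trip, demo) and the sample payload are assumptions made for the demonstration. It also shows the bind-address point from the text: the default entrance is bound to 127.0.0.1, while an explicit 0.0.0.0 bind (the equivalent of prefixing a bind address to -L, or of GatewayPorts for -R) exposes it on every interface.

```python
import socket
import threading

# Constructed, stand-alone model of the plumbing behind `ssh -L` / `ssh -R`:
# a listener on one side, a connect() on the other, and a full-duplex relay
# in between.  Added example; it is not OpenSSH code and carries no
# encryption, so every socket here is plaintext on the loopback interface.

TIMEOUT = 5  # seconds; keeps the demo from hanging if something goes wrong


def _pump(src, dst):
    """Copy bytes from src to dst until src hits EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _relay(a, b):
    """Full-duplex relay between two connected sockets; closes both at the end."""
    t = threading.Thread(target=_pump, args=(b, a), daemon=True)
    t.start()
    _pump(a, b)
    t.join()
    a.close()
    b.close()


def start_echo_server():
    """Constructed stand-in for the service the tunnel reaches (the page's
    'port 4321').  Binds an ephemeral loopback port and returns that port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def echo(conn):
        with conn:
            _pump(conn, conn)  # whatever arrives is written straight back

    def serve():
        while True:
            conn, _ = srv.accept()
            conn.settimeout(TIMEOUT)
            threading.Thread(target=echo, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def start_forwarder(target, bind_address="127.0.0.1", port=0):
    """Model of the listening side of `-L [bind_address:]port:host:hostport`.
    With ssh -L this listener lives on the host machine and the connect() to
    `target` is performed by sshd on the destination machine; with ssh -R the
    roles are mirrored.  Returns the (address, port) actually bound."""
    lst = socket.socket()
    lst.bind((bind_address, port))
    lst.listen(5)

    def accept_loop():
        while True:
            client, _ = lst.accept()
            client.settimeout(TIMEOUT)
            # Real ssh sends a direct-tcpip channel-open over the encrypted
            # session here; the peer sshd performs this connect() on its side.
            upstream = socket.create_connection(target, timeout=TIMEOUT)
            threading.Thread(target=_relay, args=(client, upstream), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return lst.getsockname()


def round_trip(listen_addr, payload):
    """Connect to the tunnel entrance, send payload, return what comes back."""
    with socket.create_connection(listen_addr, timeout=TIMEOUT) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)  # tell the far side we are done sending
        chunks = []
        while True:
            data = c.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def demo():
    service_port = start_echo_server()
    # Default: entrance bound to loopback only, like plain `-L 1234:localhost:4321`.
    loopback_entrance = start_forwarder(("127.0.0.1", service_port))
    # Explicit bind address, like `-L 0.0.0.0:1234:localhost:4321` (or GatewayPorts
    # for -R): the entrance becomes reachable from other hosts, usually unwanted.
    open_entrance = start_forwarder(("127.0.0.1", service_port), bind_address="0.0.0.0")
    reply = round_trip(loopback_entrance, b"hello through the tunnel")
    return {
        "loopback_bind": loopback_entrance[0],
        "open_bind": open_entrance[0],
        "reply": reply,
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() sends a payload into the loopback entrance and gets it back through the relay and the echo service, which is exactly the path a connection to localhost:1234 takes in the -L example, minus the encrypted hop between the two relay halves. The half-close handling in _pump matters: a real tunnel must propagate EOF in each direction independently, otherwise clients that close their write side and wait for the reply (as many protocols do) hang.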