Recipe 6.14 Tunneling Another TCP Session Through SSH

6.14.1 Problem

You want to secure a client/server TCP connection such as POP, IMAP, NNTP (Usenet news), IRC, VNC, etc. Both the client and server must reside on computers that run SSH.

6.14.2 Solution

Tunnel (forward) the TCP connection through SSH. To secure port 119, the NNTP protocol for Usenet news, which you read remotely from

$ ssh -f -N -L12345:localhost:119

While this tunnel is open, read news via local port 12345, e.g.:

$ export NNTPSERVER=localhost
$ tin -r -p 12345

6.14.3 Discussion

Tunneling or port forwarding uses SSH to secure another TCP/IP connection, such as an NNTP or IMAP connection. You first create a tunnel, a secure connection between an SSH client and server. Then you make your TCP/IP applications (client and server) communicate over the tunnel, as in Figure 6-1. SSH makes this process mostly transparent.

Figure 6-1. SSH forwarding or tunneling

The SSH command:

$ ssh -f -N -L12345:localhost:119

establishes a tunnel between localhost and The tunnel has three segments:

  1. The newsreader on your local machine sends data to local port 12345. This occurs entirely on your local machine, not over the network.

  2. The local SSH client reads port 12345, encrypts the data, and sends it through the tunnel to the remote SSH server on

  3. The remote SSH server on decrypts the data and passes it to the news server running on port 119. This runs entirely on, not over the network.

Therefore, when your local news client connects to localhost port 12345:

$ tin -r -p 12345

the connection operates through the tunnel to the remote news server on Data is sent back from the news server to the news client by the same process in reverse.

The general syntax for this forwarding command is:

$ ssh -f -N -Llocal_port_number:localhost:remote_port_number remote_host

local_port_number is arbitrary: select an unused port number higher than 1024. The -N option keeps the tunnel open without the need to run a remote command.

6.14.4 See Also

ssh(1) and sshd(8) discuss port forwarding and its configuration keywords briefly.

The target host of the forwarding need not be localhost, but this topic is beyond the scope of our cookbook. For more depth, try Chapter 9 of SSH, The Secure Shell: The Definitive Guide (O'Reilly).

    Chapter 9. Testing and Monitoring