
(1) For remote forwarding:

-R [bind_address:]port:host:hostport
         Specifies that the given port on the remote (server) host is to be forwarded to the given host and port on the local side.  This works by
         allocating a socket to listen to port on the remote side, and whenever a connection is made to this port, the connection is forwarded over the
         secure channel, and a connection is made to host port hostport from the local machine.

         Port forwardings can also be specified in the configuration file.  Privileged ports can be forwarded only when logging in as root on the
         remote machine.  IPv6 addresses can be specified by enclosing the address in square brackets.

         By default, the listening socket on the server will be bound to the loopback interface only.  This may be overridden by specifying a
         bind_address.  An empty bind_address, or the address ‘*’, indicates that the remote socket should listen on all interfaces.  Specifying a
         remote bind_address will only succeed if the server's GatewayPorts option is enabled (see sshd_config(5)).

         If the port argument is ‘0’, the listen port will be dynamically allocated on the server and reported to the client at run time.  When used
         together with -O forward the allocated port will be printed to the standard output.

hostport specifies a connection endpoint for the destination process running on the destination host.

Is port a connection endpoint

  • in the SSH server process, or
  • in a process which runs on the same source host as the SSH server and wants to use the SSH tunneling by attaching itself to port?

(My guess is the latter)

(2) For local forwarding:

 -L [bind_address:]port:host:hostport
         Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side.  This works by
         allocating a socket to listen to port on the local side, optionally bound to the specified bind_address.  Whenever a connection is made to
         this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the remote machine.  Port
         forwardings can also be specified in the configuration file.  IPv6 addresses can be specified by enclosing the address in square brackets.
         Only the superuser can forward privileged ports.  By default, the local port is bound in accordance with the GatewayPorts setting.  However,
         an explicit bind_address may be used to bind the connection to a specific address.  The bind_address of “localhost” indicates that the listening
         port be bound for local use only, while an empty address or ‘*’ indicates that the port should be available from all interfaces.

hostport specifies a connection endpoint for the destination process running on the destination host.

Is port a connection endpoint

  • in the SSH client process or
  • in a process which runs on the same source host as the SSH client and wants to use the SSH tunnel by attaching itself to port?

(My guess is the latter)

(3) For SOCKS proxy:

 -D [bind_address:]port
         Specifies a local “dynamic” application-level port forwarding.  This works by allocating a socket to listen to port on the local side, optionally
         bound to the specified bind_address.  Whenever a connection is made to this port, the connection is forwarded over the secure channel,
         and the application protocol is then used to determine where to connect to from the remote machine.  Currently the SOCKS4 and SOCKS5 protocols
         are supported, and ssh will act as a SOCKS server.  Only root can forward privileged ports.  Dynamic port forwardings can also be specified in
         the configuration file.

         IPv6 addresses can be specified by enclosing the address in square brackets.  Only the superuser can forward privileged ports.  By default,
         the local port is bound in accordance with the GatewayPorts setting.  However, an explicit bind_address may be used to bind the connection to
         a specific address.  The bind_address of “localhost” indicates that the listening port be bound for local use only, while an empty address or
         ‘*’ indicates that the port should be available from all interfaces.

Is port a connection endpoint

  • in the SSH client process,
  • in the SSH SOCKS server, or
  • in a process which runs on the same host as the SSH client and wants to use the SOCKS server by connecting to port?

(My guess is the second. I guess it is not the first because the SSH client has its own default port(s). I am not sure about the third)

Tim
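A runnable model of the mechanism the three man-page excerpts above describe, added here as an illustration (it is not from the question, the answer, or OpenSSH itself): a plain TCP "forwarder" process owns the listening socket on port and, for each accepted connection, opens its own outbound connection to host:hostport. That is what ssh does for -L and -D and what the sshd child does for -R; the application that "attaches itself to port" is just a client of that listener. The echo "service", the addresses and the payload are constructed; port 0 mirrors the dynamic allocation the -R text mentions, and the loopback default bind mirrors the man page's default (a bind_address of 0.0.0.0 here would be the GatewayPorts / '*' case).

```python
import socket
import threading

# Constructed stand-in for ssh/sshd forwarding: the process that listens on
# `port` is NOT the destination service; it only relays to host:hostport.


def _listen(bind_address: str, port: int) -> socket.socket:
    """Create the listening socket; port 0 lets the kernel pick a free port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((bind_address, port))
    s.listen(1)
    return s


def _serve_one(listener: socket.socket, handler) -> threading.Thread:
    """Accept a single connection in a background thread, then close the listener."""
    def run():
        conn, _ = listener.accept()
        with conn:
            handler(conn)
        listener.close()
    t = threading.Thread(target=run, daemon=True)
    t.start()
    return t


def start_destination_service() -> int:
    """The 'existing service' at host:hostport (sshd on 22 in the answer).
    Echoes with a prefix so the reply visibly came through it. Returns hostport."""
    srv = _listen("127.0.0.1", 0)

    def handle(conn):
        conn.sendall(b"dest:" + conn.recv(4096))

    _serve_one(srv, handle)
    return srv.getsockname()[1]


def start_forwarder(host: str, hostport: int,
                    bind_address: str = "127.0.0.1", port: int = 0) -> int:
    """The forwarding process (ssh for -L, the sshd child for -R). It owns the
    listening socket on `port`; per accepted connection it opens its own
    connection to host:hostport and relays one request/response. Returns port."""
    lst = _listen(bind_address, port)

    def handle(conn):
        data = conn.recv(4096)
        # Outbound leg: made *from the forwarder*, not from the application.
        with socket.create_connection((host, hostport), timeout=5) as out:
            out.sendall(data)
            conn.sendall(out.recv(4096))

    _serve_one(lst, handle)
    return lst.getsockname()[1]


def connect_via(port: int, payload: bytes) -> bytes:
    """The application that attaches itself to `port` (the questioner's bullet)."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
        c.sendall(payload)
        return c.recv(4096)


def run_model(payload: bytes = b"hello") -> dict:
    """Wire up service -> forwarder -> application and return what was observed."""
    hostport = start_destination_service()      # the service's own listener
    port = start_forwarder("127.0.0.1", hostport)  # the forwarder's listener
    return {"port": port, "hostport": hostport, "reply": connect_via(port, payload)}


if __name__ == "__main__":
    print(run_model())
```

The two listeners belong to two different processes in real life (here, two sockets in one process): port is held by the forwarder, hostport by the service, and the only connection the service ever sees comes from the forwarder.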

1 Answer


These sketches should help you answer all the questions: https://unix.stackexchange.com/a/118650/121504

But to answer your questions explicitly:

  1. For remote forwarding:

    port is a connection endpoint in the SSH server.

  2. For local forwarding:

    port is a connection endpoint in the SSH client process

  3. For SOCKS proxy:

    port is a connection endpoint in the SSH client process

But the much more visual explanation is really in the sketches linked above. To sum it up:

The first port (for the SOCKS proxy the only one) is always the free port you are going to connect to in the next step. The other port is the port where your existing service is running.

Edit:

The easiest way to find out, if I understand what the question really is, is to use lsof. In my examples your port is 12345:

For remote forwarding:

[local ] $ ssh -R 12345:localhost:22 remote
[remote] $ lsof -P | grep 12345
sshd 27772 root  7u IPv6 1304283702 0t0 TCP localhost:12345 (LISTEN)
sshd 27772 root  8u IPv4 1304283703 0t0 TCP localhost.localdomain:12345 (LISTEN)

For local forwarding:

[local] $ ssh -L 12345:localhost:22 remote
[local] $ lsof -p $(pidof ssh) -P | grep 12345
ssh  6779 jakuje    4u  IPv6 146565      0t0     TCP ip6-localhost:12345 (LISTEN)
ssh  6779 jakuje    5u  IPv4 146566      0t0     TCP localhost:12345 (LISTEN)

For dynamic port forwarding:

[local] $ ssh -D 12345 root@dta3.com
[local] $ lsof -p $(pidof ssh) -P | grep 12345
ssh     11388 jakuje    4u  IPv6 173537    0t0   TCP ip6-localhost:12345 (LISTEN)
ssh     11388 jakuje    5u  IPv4 173538    0t0   TCP localhost:12345 (LISTEN)
Jakuje
  • thanks. Shouldn't the answers to remote and local forwardings be symmetric? – Tim Oct 15 '15 at 17:06
  • The sketch in the link doesn't show which process port belongs to. It only draws port on either the host of SSH client or server. – Tim Oct 15 '15 at 17:19
  • If you want to tunnel the protocol securely, it must be bound to the local interface. Whenever you choose a different host or bind/connect to the other side directly, you don't use that secure channel. – Jakuje Oct 15 '15 at 17:39
  • Thanks. my comment wasn't clear. I am asking why you said port belongs to the process attaching to the SSH remote in remote forwarding, and to the SSH client in local forwarding? My guess is that in both remote and local forwardings, either port belongs to the socket of the process attached to SSH server/client, or belongs to the socket of SSH Server/Client. – Tim Oct 20 '15 at 16:38
  • See my edit. I added the proof using lsof to see whose is this port on which side. I hope it will help you. – Jakuje Oct 20 '15 at 17:14
  • Thanks. Could you explain the output of lsof for which socket/process does port belongs to? – Tim Oct 20 '15 at 17:23
  • The first part of the lsof output is the process name, and as you see, ssh is your client, sshd is the server process (forked from the main sshd daemon). Note that the output is caught on the server for remote forwarding, not on the client. – Jakuje Oct 20 '15 at 17:25
  • Does the output mean that in remote forwarding, port belongs to sshd, and in local forwarding and in dynamic forwarding, port belongs to ssh? – Tim Oct 20 '15 at 17:35
  • Exactly. As I wrote in the original post. – Jakuje Oct 20 '15 at 17:39
  • Thanks. Are network sockets treated as files by the OS, so that you can use lsof to list them? – Tim Oct 20 '15 at 20:25
  • In *NIX almost everything is a file. They are treated with slightly different functions, but in the end the program has some file descriptors that the system needs to know about and that the system can list with appropriate metadata. And from the manual page about lsof you can see it writes "network files" explicitly. – Jakuje Oct 20 '15 at 20:33
  • I made some edit to your reply, and tell me if I am right or wrong. Thanks. – Tim Oct 22 '15 at 15:54
  • I don't know what you meant by the other part. I just copied it from your question. Yes, now it is right for me. – Jakuje Oct 22 '15 at 16:30
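To read lsof output the way the answer does, here is an added Python parser (my own code, not the answer's) that takes the captured `lsof -P` lines from the answer, records which process (ssh or sshd) holds each LISTEN socket on a given port, and flags any listener that is not bound to loopback, which is what a bind_address of '*' or GatewayPorts produces and what a defender auditing a host would want to see. The set of names treated as loopback and the one extra "*:12345" line are my assumptions/constructed, not from the answer.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# Assumption: the hostnames lsof prints for loopback-bound sockets, taken from
# the answer's output, plus the literal loopback addresses.
LOOPBACK = {"localhost", "localhost.localdomain", "ip6-localhost",
            "127.0.0.1", "[::1]", "::1"}

# One `lsof -P` line for a TCP listener:
# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME (LISTEN)
LISTEN_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+IPv[46]\s+\S+\s+\S+\s+"
    r"TCP\s+(?P<host>\S+):(?P<port>\d+)\s+\(LISTEN\)\s*$"
)


@dataclass(frozen=True)
class Listener:
    command: str
    pid: int
    user: str
    host: str
    port: int

    @property
    def owner(self) -> str:
        """Which side of the tunnel owns the socket, judged from the command name."""
        return {"ssh": "client (ssh)", "sshd": "server (sshd)"}.get(self.command, "other")

    @property
    def loopback_only(self) -> bool:
        return self.host in LOOPBACK


def parse_listeners(lsof_output: str) -> List[Listener]:
    """Extract TCP listeners; prompts, ssh commands and non-LISTEN lines are skipped."""
    found = []
    for line in lsof_output.splitlines():
        m = LISTEN_RE.match(line.strip())
        if m:
            found.append(Listener(m["cmd"], int(m["pid"]), m["user"],
                                  m["host"], int(m["port"])))
    return found


def owners_of_port(lsof_output: str, port: int) -> Set[str]:
    """Owners (client/server/other) holding `port` in LISTEN state."""
    return {l.owner for l in parse_listeners(lsof_output) if l.port == port}


def exposed_listeners(lsof_output: str) -> List[Listener]:
    """Listeners reachable from other hosts, i.e. not bound to loopback."""
    return [l for l in parse_listeners(lsof_output) if not l.loopback_only]


# Captured sessions quoted from the answer: -R observed on the server, -L on the client.
REMOTE_SERVER_SIDE = """\
[remote] $ lsof -P | grep 12345
sshd 27772 root  7u IPv6 1304283702 0t0 TCP localhost:12345 (LISTEN)
sshd 27772 root  8u IPv4 1304283703 0t0 TCP localhost.localdomain:12345 (LISTEN)
"""
LOCAL_CLIENT_SIDE = """\
[local] $ lsof -p $(pidof ssh) -P | grep 12345
ssh  6779 jakuje    4u  IPv6 146565      0t0     TCP ip6-localhost:12345 (LISTEN)
ssh  6779 jakuje    5u  IPv4 146566      0t0     TCP localhost:12345 (LISTEN)
"""
# Constructed line (not from the answer): a remote forward bound to all
# interfaces (-R *:12345:... with GatewayPorts enabled) as lsof would show it.
REMOTE_ALL_INTERFACES = "sshd 27772 root  9u IPv4 1304283704 0t0 TCP *:12345 (LISTEN)\n"


if __name__ == "__main__":
    for label, text in (("-R (on server)", REMOTE_SERVER_SIDE),
                        ("-L (on client)", LOCAL_CLIENT_SIDE),
                        ("-R exposed", REMOTE_SERVER_SIDE + REMOTE_ALL_INTERFACES)):
        print(label, owners_of_port(text, 12345),
              [f"{l.command}[{l.pid}] {l.host}:{l.port}" for l in exposed_listeners(text)])
```

Run on the answer's captures it reports the sshd child as owner for -R and the ssh client for -L and -D, with no exposed listeners; only the constructed "*:12345" line trips the exposure check.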