On Mon, Jul 18, 2011 at 3:03 PM, David J. Haines <dhaines@gmail.com> wrote:
.... ssh -L X:host1:Y host2 means open a connection to host2, including shell, and forward anything sent to localhost on port X to host1 on port Y. Host1 and host2 can be the same machine.
... and to briefly expand, it's good to note the behavior when host1/host2 are not the same machine. for example, i use something like the following to access the webpanel of a backup server (only available on a remote private subnet): ssh -CNAfc arcfour -L localhost:1180:10.20.0.75:80 anthonyr@bridge03 ... this says: ) connect to bridge03 ) setup a "relay" of sorts (no port is allocated) ) when i connect to port 1180 on my workstation ... ) ... bridge03 relays the connection to 10.20.0.75, port 80 ... so in effect i am only rebounding off the machine i connected to, using it only as a way to get access to the private subnet. also, note that the "host" and "hostport" is from the REMOTE's prespective ... not your own!! this is a great source of confusion at first. example ... i use the following whenever my fiancé has CUPS issues (a lot ...) to connect to her when i'm at work (this is also over a layer2 openvpn but that doesn't matter): ssh -CNAfc arcfour -L localhost:1631:localhost:631 emily@10.10.210.10 ... which says: ) connect to 10.10.210.10 ) when i connect to port 1631 on my workstation ... ) ... 10.10.210.10 relays the connection to LOCALHOST port 631 ... NOTE how both "bind_address" AND "host" are localhost ... because they are from the perspective of EACH endpoint, not just your's. other examples i use regularly (near verbatim from history log -- names changed to protect the innocent :-): # make MySQL available locally via port 3307 (nice for using a local query browser or schema explorer) ssh -CNAfc arcfour -L localhost:3307:localhost:3306 anthonyr@shared001 # make connections to local port 2222 turn into regular SSH connections to a different host than you connected to (SSH relay) ssh -CNAfc arcfour -L localhost:2222:10.20.23.30:22 anthonyr@fma001 # same purposeas the first example two up, but this host (zimm001) runs SSH on port 7777 vs. 22 ssh -p7777 -L localhost:3307:localhost:3306 anthonyr@zimm001 ... so very useful :-) ... and if your wondering the common options i use for everything: -C compress the stream -N do not execute a command (port forward only) -A forward your agent socket (only needed if you need it available on the remote host -- use with care -- see manpage) -f put ssh into the background after receiving pass [if required] and just before it would execute a remote command -c arcfour use the arcfour cipher (weakest) instead of AES (strongest) this makes a HUGE HUGE difference in bandwidth/overhead (sshfs/FUSE, MySQL forwarding, etc) ... that should give you an even better understanding i hope :-) C Anthony