Port forwarding involves sending connection requests to a different port than requested, a different system than requested or both. For example, you might request a connection to port 23 on a system, but find that your connection is sent to port 2323 instead, to port 23 on a remote server or to port 2323 on a remote server.
There are several reasons why people forward ports and several ways to effect the forwarding. For some sites, ports are forwarded by local systems when the intended targets are otherwise unreachable. For others, ports might be forwarded via secure tunnels as a way to secure their content.
Port forwarding is commonly used to provide users with access to systems they cannot normally reach. If only one system on your network is allowed to make telnet connections to external systems, you might want to forward your telnet requests to that system.
Port forwarding can be thought of as a combination of routing and packet rewriting. After all, to work, port forwarding needs to adjust either the destination IP, target port or both in packets to get them to the intended network services. At the same time, the forwarding has to be transparent as far as users are concerned. They might be completely unaware that their connections are being made to a system other than the one that they are addressing explicitly. In any case, the port forwarding also needs to work in both directions. If you think you're connecting to port 23 and you're really connecting to port 2323, the connection must still look like it's coming from port 23 at your end.
Port forwarding can be done on a firewall, through the use of software such as ssh or via some script or program you download or write yourself.
Forwarding ports via ssh is fairly straightforward and adds the benefit of encryption. A command such as the one shown below, for example, will send connections arriving on port 2323 to port 23 on the system called "remhost". This command actually establishes a tunnel. You will be prompted to log in on the remote system and, while the connection remains established, you and others can make use of it.
localhost# ssh -L 2323:localhost:23 remhost
If someone already logged into the local system issues a "telnet localhost 2323" command, they will end up logging into remhost. The benefit is that, because the connection is carried over ssh, the traffic between the local system and remhost is encrypted even though we're connecting with telnet.
One drawback of ssh port forwarding is that these connections can only be used when you're logged into the system on which the tunnel was established.
The ssh -g option can be used to allow remote connections to forwarded ports.