I don't use ssh tricks much. But I use port forwarding a lot.
Of course ssh can be used for local and remote port forwarding. And
you can setup a VPN using ssh.
The port forwarding that I use is normally done with MODEMs which
either forward all TCP and UDP
ports from the public interface to a local IP or you can forward a
particular TCP or UDP port.
I also do this with a firewall rule and for a very long time my
SpamCheetah product relied completely
on TCP port forwarding for it to work.
It involves a fair bit of complexity and the main condition for port
forwarding to work is that the routing
should be symmetric.
If you want to forward packets to a host inside the LAN, the reverse
packet path should also go through
the same host.
Otherwise you find that port forwarding does not work.
This is very simple to understand if you know what happens underneath.
Port forwarding happens by rewriting the header of the packet. The IP
destination address and port is rewritten.
Usually only the IP address.
On the way back it has to be written back to the original value.
In other words port forwarding is nothing but DNAT and it is the reverse of NAT.
Where is it useful?
It can be used to run a web server at home or it can be used to insert
a layer of processing.
That is what SpamCheetah does. When mails land on the mail server's
interface, it is forwarded to
the SpamCheetah appliance which filters the spam and forwards the
mails to the mail server's physical interface.
This is one example.
Other examples are load balancing, running a service on a public port and so on.
In a LAN, the gateway of all machines will be the MODEM. Which is how
things should be.
But once you do port forwarding in a machine other than the MODEM the
gateway should be
that machine.
Then only port forwarding will work.
Then only routing is symmetric. Otherwise replies will bypass the port
forwarding machine.
In a network there can only be one gateway.
But you can always have multiple hops within the network before
reaching the gateway.
Things will still work.
This is what is needed for port forwarding to work.
Now what can ssh do?
It can do a lot to ease networking woes.
One thing it can do is local port forwarding with the -L switch.
You can setup a secure tunnel to a remote endpoint from a local port.
This is good for encryption but at the same time, local ports end up
being remote. ;)
So I wonder how secure it is.
The other thing ssh does is forward a remote port to a local port.
This is useful for machines behind NAT to run a service like ssh or
HTTP to a public IP and port.
But for this to work you will require a public IP listening on ssh
constantly to do this job.
It is little bit of a problem...
-Girish
--
Gayatri Hitech
http://gayatri-hitech.com