Before to begin any technical part, I will try to explain the operation of Port Forwarding and why implement it.

To understand this concept, I refresh your memories on the communication of computer:

To exchange informations, computers need an IP address and a port number. The port number is important because it’s thanks to it that the communication exists. Client and server have to communicate on the same port number.

Now, we decrypt the Port Forwarding. The Port Forwarding consist of redirect informations sent on a port number of a computer to a different port number on another computer.

A picture to better understand this redirection:

In this example, the number port 6000 of client will be encapsulated on port 22. When the request arrives on the server on the port 22, it will be decapsulated et sent on 80.

To simplify, the Port Forwarding swap the port number of communication.

Why implement it

We can ask the question of why implement it. Port forwarding with SSH is used when you want secure an communication between two computers.

Maybe you have a firewall in your company which allows only the port number 22 and you want to access the internal FTP server. Or a filter on your HTTP requests (Websense, SurfControl) and you want bypass it. Bu avoid this control remains under your responsibility.

How informations communicate , with and without Port Forwarding?

Explication:

The Blue path (1) is the communication in a normal situation. When you request a web page, your request is filtered by the firewall and redirected to Internet. If the website is in the blacklist, then access will be denied.

The Red path (2) is the communication with Port Forwarding.Your internet request is encapsulated in a secure tunnel and sent to your remote server.

When you encrypt your transaction between your PC and the server, it means that the firewall can’t inspect your request.

Once the remote server has received your request, it will go for you on internet and download the web page. Everything in a secure connection.

Result: Secure exchange between two hosts, unable to inspect the content.

How implement it

I used for this article a Debian distribution, but this solution works also on Mandriva.

We need :

- A Linux server

- A client on Microsoft Windows

-  Putty

The server configuration is divided into 4 steps.

1. OpenSSH Installation.
2. Certificates for SSH.
3. Configuration of file SSH.
4. User creation.

And for client configuration into 2 steps.

1. Configuration of Putty.
2. Configuration of your browser.

Server Configuration

OpenSSH Installation

Port Forwarding is based on the SSH protocol. So the first step is to install OpenSSH.

apt-get install openssh-server

Note: Don’t forget to update your sources with:

apt-get update

Generating certificates for SSH

Once you have installed the service SSH, you must have certificates to validate the connection.

A certificate contains a private key and public key which allow you to encrypt your communications.

During the installation, it is possible that generation of certificates were done automatically. For more security, we are going to recreate them.

To create certificates:

ssh-keygen -t dsa -b 1024

ssh-keygen -t rsa -b 1024

The system asks you to specify the path et name for your certificates. I advise you to put them in /etc/ssh

Configuration of file SSH

The next step is the modification of  configuration file of SSH to accepts tunnels and modify certificate’s paths.

You linux server can also connect to another remote server in SSH. It will be client.

This is why there are two configurations for SSH files: a file named ssh_config for the client connection and a sshd_config file which allows us to configure our SSH server.

We modify the file sshd_config

vi /etc/ssh/sshd_config

In first time, we specify new certificate’s path.

To do this, modify lines which contain HostKey:

# HostKeys for protocol version 2
HostKey /etc/ssh/certifLaboIT
HostKey /etc/ssh/certifLaboITdsa

To allow SSH tunneling,  add this command at the end of the file:

#Permit Tunnel
PermitTunnel yes

It is possible to change the listening port of the server. In case of the port number 22 is blocked by your firewall.

#What ports, IPs and protocols we listen
Port 22

Quit Vim editor and don’t forget to save your modifications.

SSH configuration is now complete.

We need to restart the service with command:

/etc/init.d/ssh restart

User creation

To avoid login with root account, we create a new user:

useradd LaboIT

passwd LaboIT

Server configuration is now complete.

Client Configuration

It is important to understand what we are going to do.

All client requests will be encapsulated in a tunnel by Putty dynamically to use the red path (2).

Configuration of Putty

You can download Putty at this address: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

The configuration of the PuTTY executable will be in 2 steps:

1. Information of the server’s IP address and its listening port.
2. Creation on the client of a new dynamic port.

For the first step, we will fill in the connection information:

Specify the IP address or FQDN of the server in the red box. And then in the yellow box specify the port is in your configuration sshd_config file

Second step, creation of new port:

To create a dynamic, port verify that the dynamic option is selected and then in the field source port enter 9999. Once this done, click Add to add to the ports forwarded.

To open the connection to the remote server, click Open.

Configuration of your browser.

You must specify your favorite browser where it should exit. Indeed, it should not use the blue path (1) but the Red (2).

For the connection host address specify 127.0.0.1, which is your PC. And in port, you must specify 9999, that was informed earlier.

You just have to accept the changes and go to your favorite pages.

Remember that if your company has set up a filter is for a good reason. So do not overuse. You are solely responsible for your actions.