Thursday, 17 January 2008

Tunneling connections securely with SSH

I copied this tutorial from http://www.debian-administration.org/articles/38
Unfortunately, it was posted by Anonymous, so I don't know whom I have to thank.

Here is the tutorial 'Tunneling connections securely with SSH':

There are many situations where you might want to send traffic over a secure link, and this is exactly what SSH allows you to do. Any TCP connection can be sent across a tunnel, providing you have access to a remote SSH server at the 'far side'. (SSH port forwarding carries TCP only; UDP traffic, such as ordinary DNS lookups, is not forwarded.)

One common use of SSH tunnels is for gaining access to facilities which are unreachable from your local machine.

For example, if you are at work and you have access to an SSH server on your home machine, with a proxy server running there too, you can surf the web through the secure tunnel. This keeps the sites you visit out of the company proxy logs, although the company firewall will still show a long-lived SSH connection from your desk to your home machine.

Another reason to use a tunnel is to carry an insecure protocol over a secure, encrypted link. This comes in handy when you wish to check email from a hostile network, for example.

To use an SSH tunnel you need two things:
- The ability to make outgoing SSH connections.
- An SSH server on a remote host which can reach the resource you wish to access. It doesn't matter if you can't reach that resource directly, as long as the SSH server can reach it and you can reach the SSH server.

PuTTY, the most popular SSH client for Windows, also allows you to establish tunnels (under Connection > SSH > Tunnels), which is worth remembering.

A tunnel is exactly what its name suggests: a link between a service running on a remote machine and a port on your own local machine.

All data sent to a port on your local machine can be seamlessly forwarded to a port on a remote machine, protected on the way by the encryption (and optional compression) that OpenSSH provides.

Let's pretend we're stuck at work and we have a remote server which is running a POP3 mail server as well as an SSH server.

If our mail client logs in to that POP3 server directly, the user name and password go over the network in plain text, as do the contents of the messages. Anyone able to sniff traffic on the network path could read them in transit.

Using SSH we can create a tunnel between the local machine and the remote POP3 server; once that is up, we point the mail client at the local machine.

Any request it makes will go out across the tunnel and end up at the mail server on the far side.

We will run the following command:

ssh -C -L 1100:localhost:110 username@host

This will prompt you for your password on the remote machine host, and once you've logged in it will create the tunnel. Everything sent to port 1100 on the local machine is carried over the SSH connection and delivered by the remote machine to localhost port 110, the POP3 service. Note that 'localhost' in the -L argument is resolved on the remote side, so this reaches the POP3 daemon on host itself, even if that daemon only listens on its loopback interface. Port 1100 is used locally because binding to the real POP3 port, 110, would require root privileges. By default the local end of the tunnel listens only on the loopback interface, so other machines on your network cannot use it; only pass -g (or put a bind address such as 0.0.0.0 in front of the -L argument) if you really mean to share the tunnel with them.

The '-C' causes all the traffic to be compressed, which is a useful thing to remember :).

Other ports can be tunneled just as easily. If you can reach a proxy server from your remote login, you can set up a tunnel to it, then point your browser at your local machine.

Assume that you have a login on a gateway machine called gateway, which can reach a machine called proxy that is running the Squid proxy server on port 3128.

Run this:

ssh -C -L 8080:proxy:3128 user@gateway

Now you have a tunnel listening on localhost port 8080, so you can set your browser's proxy server to localhost, port 8080 (http://localhost:8080/) and browse through it. Bear in mind what is and isn't protected: the hop from your machine to gateway is encrypted, but traffic between gateway and proxy, and from proxy onwards to the web sites, travels as it normally would. Also verify the SSH host key of gateway the first time you connect; if an attacker on your network can impersonate the SSH server, the tunnel protects nothing.
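As an added example, not part of the original tutorial and not OpenSSH code, the following Python script shows what the local, listening end of both forwards above (1100:localhost:110 and 8080:proxy:3128) actually does. It parses an OpenSSH-style -L argument of the form [bind_address:]port:host:hostport, listens on the bind address the spec implies (loopback only when none is given, which mirrors OpenSSH's default without -g; an empty bind address or '*' means every interface), and relays each accepted connection to the target host and port. It is a plain-TCP stand-in with no encryption at all, so it only illustrates the forwarding mechanics; the POP3 server it talks to is a constructed fake that answers +OK to everything, and the function names are this example's own.

```python
import select
import socket
import threading

def parse_forward_spec(spec):
    """Parse an OpenSSH-style "[bind_address:]port:host:hostport" into a tuple.
    No bind address means loopback only (OpenSSH's default without -g);
    "" or "*" means every interface, which exposes the tunnel to the LAN."""
    parts = spec.split(":")
    if len(parts) == 3:
        bind_address, (port, host, hostport) = "127.0.0.1", parts
    elif len(parts) == 4:
        bind_address, port, host, hostport = parts
        if bind_address in ("", "*"):
            bind_address = "0.0.0.0"
    else:
        raise ValueError("bad forward spec: %r" % spec)
    return bind_address, int(port), host, int(hostport)

def _relay(a, b):
    """Copy bytes both ways until either side closes, then close both."""
    try:
        while True:
            for s in select.select([a, b], [], [])[0]:
                data = s.recv(4096)
                if not data:
                    return
                (b if s is a else a).sendall(data)
    finally:
        a.close()
        b.close()

def start_forwarder(spec):
    """Listen where "ssh -L spec" would and relay each client to host:hostport.
    Returns the listening socket (getsockname() gives the port if spec used 0)."""
    bind_address, port, host, hostport = parse_forward_spec(spec)
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((bind_address, port))
    listener.listen(5)

    def accept_loop():
        while True:
            try:
                client, _ = listener.accept()
            except OSError:
                return  # listener closed
            upstream = socket.create_connection((host, hostport))
            threading.Thread(target=_relay, args=(client, upstream), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener

def start_fake_pop3():
    """Constructed fake POP3 daemon (not a real server): +OK to everything until QUIT."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.sendall(b"+OK POP3 ready\r\n")
            reader = conn.makefile("rb")
            for line in reader:
                conn.sendall(b"+OK\r\n")
                if line.strip().upper() == b"QUIT":
                    break
            reader.close()
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]

def pop3_banner_via(local_port):
    """What a mail client pointed at the local end of the tunnel sees first."""
    with socket.create_connection(("127.0.0.1", local_port), timeout=5) as c:
        reader = c.makefile("rb")
        banner = reader.readline().rstrip(b"\r\n")
        c.sendall(b"QUIT\r\n")
        reader.readline()
        reader.close()
    return banner.decode()

def demo():
    """Put the fake POP3 server behind a loopback-only forward and talk to it."""
    pop3, pop3_port = start_fake_pop3()
    listener = start_forwarder("127.0.0.1:0:127.0.0.1:%d" % pop3_port)
    try:
        return pop3_banner_via(listener.getsockname()[1])
    finally:
        listener.close()
        pop3.close()

if __name__ == "__main__":
    print(demo())  # +OK POP3 ready
```

The point to take from the parser is the first element of the tuple: with the tutorial's three-part specs it comes back as 127.0.0.1, so nobody else on the LAN can ride your tunnel, whereas a spec starting with ':' or '*' (or running ssh with -g) turns your workstation into an open relay to the far side for anyone who can reach it.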
