Now let's move on to the forwarding that you can do that isn't configured for you. Perhaps the easiest way to explain what this is about is to give an example that happened to me.
I live in Georgia, but I'm originally from Toronto. I'm still interested in what happens in Toronto, so I like to look at the Toronto news groups occasionally. So I set up port forwarding for NNTP, Network News Protocol, to allow me to read the news groups at my ISP in Toronto rather than on my local ISP, which doesn't carry Toronto groups. NNTP is carried on port 119, and you use some kind of news reader to look at it. I usually use trn - a bit arcane, but quite powerful.
The servers we're dealing with in this case are "shell.interlog.com" and "news.psi.ca". The former is my ISP's shell server, and the latter is their news server. I can't log in to the news server directly, it has no shell access. I can read news by logging in on shell.interlog.com and running trn, but I'd rather do that on my home machine. And since I can't make news requests from my home machine (it's not in the IP range news.psi.ca accepts connections from), I had to figure out how to make it work another way. This looks a bit daunting, bear with me.
giles@tesla$ su -c "ssh -C -L 119:news.psi.ca:119 shell.interlog.com -l giles" |
I'm going to look at this starting at the back end. Since I'm using su to become root (I'll explain why in a second), ssh thinks I'm root on the remote machine. I don't have root on my ISP, so I have to tell it otherwise. Since I can't connect directly to news, I connect to shell. It isn't the machine that I'm getting news from, and that's one of the interesting twists here. Since "max3-42.dial.accucomm.net" (my assigned dial-up IP address) isn't authorized to get news from news.psi.ca, we connect to a machine that is authorized. I connect and port-forward through shell.interlog.com, which I have access to, and which is authorized to get news from news.psi.ca. So the "-L 119:news.psi.ca:119" is telling ssh to take port 119 on the local machine and send all information from there to port 119 on news.psi.ca. shell.interlog.com acts as a relay. The "-C" flag is important for me at home: I have a 56k dial-up connection, and "-C" means "use compression." This isn't useful if you have ethernet because the overhead of the compression slows you down more than the compression speeds you up, but on a phone line, it's great. Note that the connection isn't encrypted between shell and news, but that's not as important as having it encrypted on the Internet at large.
Finally, why did I su to root? Port 119 is a privileged port. On the remote machine, I'm only feeding data to it, so I don't need root, but on the local host, I'm taking it over entirely, so I have to be root. All ports below 1024 are privileged, so you have to have root to forward them. Often, if you don't have root, you can use another port above 1024, and tell the application you're using to look at the other port you chose - when you use "-L" with SSH, the two port numbers DO NOT have to be the same.
Now I'm ready to read news on my machine, as if I was directly connected to my ISP in Toronto. You need to set one environment variable on the local machine, and you're ready to go:
giles@tesla$ NNTPSERVER=localhost ; export NNTPSERVER giles@tesla$ trn |
That's it: you should be up and running.