What Is a Forward Proxy?
Port forwarding is a method used by Secure Shell (SSH) for secure network communication. SSH can use port forwarding to carry the packets of other TCP/IP protocols: it establishes a secure transport channel between the client and the server and tunnels other services through it. Port forwarding works by mapping a port on the client to a port on the server. SSH can map any server port to a local port, but binding a local port below 1024 requires root privileges. On a network with a firewall that allows only the SSH service through (port 22 open) while other services are blocked, the blocked services can still get their packets through by means of port forwarding [1] .
- Forwarding is a way of carrying the traffic of other network applications. At one end of the SSH connection, SSH intercepts service requests from other programs, sends them over the encrypted SSH connection, and hands them to the appropriate service at the other end. In most cases this process is transparent to both ends of the connection: each end believes it is talking directly to the other party and is unaware that forwarding is taking place. SSH forwarding also has more powerful uses and makes possible several kinds of communication that could not be achieved before [3]
- Sometimes a user can reach a secure host only by way of a non-secure host. For this case ssh provides a feature called port forwarding. With port forwarding, the user can protect the non-secure segment of the route: all that is needed is to specify a port on the non-secure host, and the non-secure host establishes a connection to the secure host through that port, which gives a direct, tunnelled connection between the local host and the remote host with the non-secure host acting as a springboard. Forwarding can be set up on a port of the remote host or on a port of the user's own local host. To forward a port of the remote host to a port reachable from the local host, use the -R option of the ssh command, followed by the port on the remote host, the host that the local machine should connect to, and that host's port, separated by colons. It works by allocating a socket that listens on that port on the remote side. Whenever a connection is made to this port, the connection is forwarded over the secure channel and a connection is made from the local machine to the given host and port [4]
- Often the server sits on an internal network, and a computer on the external network cannot connect in to it, so a remote desktop connection to port 3389 is impossible. In that case a reverse connection is needed, which exploits the fact that although the internal computer cannot be reached from outside, it can itself connect out to the external computer [5]
- Port mapping and port forwarding are used to publish servers or client computers located behind a firewall. Some routers also provide port mapping and port forwarding. Port mapping is similar to, but not exactly the same as, port forwarding. Port mapping maps a port on the external network entirely onto a designated port at an internal network address, whereas port forwarding forwards all traffic arriving at a port on the external network to a designated port at an internal network address. Port mapping allows communication in both directions, from the external network to the internal network and from the internal network to the external network, while port forwarding allows only one-way communication from the external network to the internal network [6] .
- For example: a firewall has two network interfaces (ports), one facing the external network with the IP address 202.206.197.229, and one facing the internal network with the IP address 172.23.120. A web server is placed on the internal network with the IP address 172.22.100.100. To make this server provide web services to the outside, map TCP port 80 of 202.206.197.229 on the firewall to TCP port 80 of 172.22.100.100. When an external user then accesses the web service at 202.206.197.229, the user is actually accessing the service provided by the intranet server. If the port providing the web service on the internal server 172.22.100.100 is not 80 but another port (for example 333), TCP port 80 on the firewall must instead be mapped to port 333 of the internal host 172.22.100.100 [6] .
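The firewall example above written out as Linux iptables rules, as an added example that is not part of the original article and not taken from any particular firewall product. The addresses are the article's; the interface names eth0 (external) and eth1 (internal) are assumed. The article's distinction between one-way forwarding and two-way mapping is rendered here as DNAT alone versus DNAT paired with a matching SNAT, which is this example's reading rather than a definition the article gives. Commands are printed unless APPLY=1 is set, so the rule set can be reviewed before it touches a real firewall.

```shell
#!/bin/sh
# Added example, not from the original article: the firewall port mapping
# from the example above as Linux iptables rules. eth0/eth1 are assumed
# interface names; the addresses are the article's. Commands are printed
# unless APPLY=1, so the script can be reviewed before running for real.
set -u
APPLY=${APPLY:-0}
EXT_IP=202.206.197.229      # firewall's external address (from the article)
WEB_IP=172.22.100.100       # intranet web server (from the article)
EXT_IF=eth0                 # assumed: interface facing the external network
INT_IF=eth1                 # assumed: interface facing the internal network

# Execute the command when APPLY=1, otherwise print it on one line.
run() {
    if [ "$APPLY" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# A firewall only relays packets between its interfaces when routing is on.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# One-way publication ("port forwarding" in the article's terms): connections
# arriving at EXT_IP:ext_port are rewritten to int_ip:int_port (DNAT) and
# allowed through FORWARD. Replies are de-NATed by conntrack automatically;
# the internal host gains no new way to reach the outside.
publish_port() {
    ext_port=$1; int_ip=$2; int_port=$3
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p tcp --dport "$ext_port" \
        -j DNAT --to-destination "$int_ip:$int_port"
    run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$int_ip" -p tcp --dport "$int_port" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
}

# Two-way mapping ("port mapping" in the article's terms, as read here): in
# addition to the inbound DNAT, the internal host's own outbound connections
# leave with EXT_IP as their source (SNAT), so the same external address
# identifies the host in both directions.
map_host() {
    int_ip=$1
    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$int_ip" -j SNAT --to-source "$EXT_IP"
    run iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$int_ip" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
}

enable_forwarding
publish_port 80 "$WEB_IP" 80     # web server listening on port 80
# If the service listens on 333 instead, only the last argument changes:
#   publish_port 80 "$WEB_IP" 333
map_host "$WEB_IP"
```

Two checks before relying on this: the internal server's default route must lead back through this firewall, otherwise its replies bypass the NAT table and the connection never completes (the alternative is to also SNAT the forwarded traffic to the firewall's internal address); and a DNAT rule exposes the internal host on that port to every external source, so tighten the FORWARD rule with a source range where one is known. Verify the live state with `iptables -t nat -L -n -v` and `conntrack -L` rather than trusting the printed commands.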
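The SSH forwarding forms described earlier on this page (local forwarding through a firewall that only passes port 22, remote forwarding with -R, and the reverse connection for an internal host's port 3389), as an added shell example that is not part of the original article and not OpenSSH's own code. The host names bastion, intranet-web and external-host, the user name user, the uid 1000 and the port numbers are placeholders chosen for the illustration. The root check for ports below 1024 applies to whichever machine binds the listener, so for -R it concerns the account on the remote side and only the port range is checked locally.

```shell
#!/bin/sh
# Added example, not from the original article or from OpenSSH: building the
# three ssh forwarding command lines and checking the listener port first.
# Host names (bastion, intranet-web, external-host), the user name "user",
# uid 1000 and the port numbers are placeholders for this illustration.
set -u

# Return 0 if $1 is a valid TCP port number, 1 otherwise.
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Return 0 if uid $2 (default: the current user) may bind port $1. Ports
# below 1024 can only be bound by root (uid 0). Returns 1 for an invalid
# port and 2 for a privileged port requested by a non-root user.
check_port() {
    port=$1
    uid=${2:-$(id -u)}
    valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    if [ "$port" -lt 1024 ] && [ "$uid" -ne 0 ]; then
        echo "port $port is privileged; binding it needs root" >&2
        return 2
    fi
    return 0
}

# Local forwarding, -L listen_port:target:target_port. The listener is on
# THIS machine; every accepted connection travels inside the SSH session and
# ssh_host then connects to target:target_port. This is the form that gets a
# blocked service through a firewall that only passes port 22.
local_forward_cmd() {
    check_port "$1" || return 1
    printf 'ssh -N -L 127.0.0.1:%s:%s:%s %s\n' "$1" "$2" "$3" "$4"
}

# Remote (reverse) forwarding, -R remote_port:target:target_port. The listener
# is opened on ssh_host; every connection accepted there comes back over the
# session and THIS machine connects to target:target_port. The privileged-port
# rule applies to the account on ssh_host, so only the range is checked here.
remote_forward_cmd() {
    valid_port "$1" || { echo "invalid port: $1" >&2; return 1; }
    printf 'ssh -N -R 127.0.0.1:%s:%s:%s %s\n' "$1" "$2" "$3" "$4"
}

# Dynamic forwarding, -D listen_port: a local SOCKS listener whose destination
# is chosen per connection by the client program.
dynamic_forward_cmd() {
    check_port "$1" || return 1
    printf 'ssh -N -D 127.0.0.1:%s %s\n' "$1" "$2"
}

# An intranet web server reached through the bastion on local port 8080:
local_forward_cmd 8080 intranet-web 80 user@bastion
# The reverse connection for RDP: run on the internal Windows host (which has
# an ssh client); the external host then connects to its own port 13389:
remote_forward_cmd 13389 localhost 3389 user@external-host
# A SOCKS proxy on local port 1080 for any program that can use one:
dynamic_forward_cmd 1080 user@bastion
# Refused for a non-root user (uid 1000 assumed for the demonstration):
check_port 443 1000 || echo "not started: exit status $?"
```

The 127.0.0.1 bind address is deliberate: a remote-forwarded listener is reachable only from the ssh_host itself unless its sshd_config sets GatewayPorts to yes or clientspecified and the client asks for a wildcard bind address, and a local listener on a shared machine should likewise not be exposed to other users by accident. Confirm what is actually listening with `ss -ltn` on the binding side. Because a forwarded port is by design a hole in the firewall policy, hardened servers restrict it with AllowTcpForwarding and PermitOpen in sshd_config.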