Destination server/port to tunnel www?

I'm connecting to my home PC remotely using putty.
Okay, first of all, three givens:

To tunnel POP3 over SSH, I connect
localhost:(arbitrary_port_over_3000) ->

To tunnel SMTP, I connect
localhost:(another_arbitrary_port_over_3000) ->

To tunnel usenet, I connect
localhost:(another_arbitrary_port_over_3000) ->

So if I want to tunnel www access, what do I put in as my destination?
Is it
or something completely different?!

I've been able to tunnel to my home web server, to my router's admin
page, but I've not been able to tunnel out through my router onto the

Thanks for any advice,


Re: Destination server/port to tunnel www?

Toby Newman wrote:

First, you need an SSH server on the other end to establish the
tunnel. As the phrase "port forwarding" suggests, you can only
forward ports.

Second, it's extremely dangerous to port forward anything from your
ISP to your local desktop.

A secure link requires that both end points trust each other and
understand each other's security policy.

Encryption is a necessary but not a sufficient condition for
establishing a secure link.

Re: Destination server/port to tunnel www?


Sorry, I should have given more background, I was going for succinct.
I have sshd running at home on linux. Remotely, I have putty running on
windows. I can log into my home PC, and can tunnel POP3 and NNTP fine. I
don't know how to tunnel WWW (I guess the correct name is HTTP).

What should I use as a destination IP/port for HTTP?
My home PC's gateway IP? (Just serves me the router's admin page)
My home PC's DNS server IP? (Just doesn't work)


Re: Destination server/port to tunnel www?

[port forwarding]

Your HTTP proxy server.

Alternatively, if your SSH client supports it you could enable "Dynamic
Forwarding" and point your browser to localhost as a SOCKS server.

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Re: Destination server/port to tunnel www?

# Darren Tucker


I'm not aware that I use a proxy server. The machine running sshd is behind
a linksys BEFSR41 router, which in turn is connected to my cable internet.
I can log into the machine using SSH remotely, and once in, set up tunnels
for POP3 and NNTP. I'm still not sure which IP and port to use as a tunnel
destination for tunneling WWW access.


Re: Destination server/port to tunnel www?

    >>> What should I use as a destination IP/port for HTTP?
    >>  Your HTTP proxy server.

    TN> I'm not aware that I use a proxy server.

Darren's point is that now you need to, if you want to tunnel your HTTP
requests.  A static SSH forwarding has a single target socket.  You are
making HTTP requests to various hosts as you browse the web, so a single
static forwarding will not allow you to talk to more than one web server.
Even that may not work properly, as you will have to change the hostname
in your URLs to reach the forwarded port
(e.g. http://localhost:port/...), which will often not be accepted by the
web server in question.  Even if you were just forwarding directly to a
single web server to browse its content, you would set the SSH-forwarded
socket to be your browser's HTTP proxy -- it would just only work for
URLs hosted by that server.  To browse the web in general, you'll need to
forward to a real HTTP proxy server, e.g. squid.

In theory, a better way to deal with this is Darren's other suggestion:
so-called "dynamic forwarding" via SOCKS (OpenSSH -D forwarding): this
allows the browser to make TCP connections to multiple arbitrary
destinations through a single SSH-forwarded socket, and removes the need
for an HTTP proxy server, having to proxy each protocol separately
(HTTP/HTTPS/...), etc.  However there are sometimes practical problems
with this.  If there are split namespaces (DNS etc.) on either side of the
SSH connection, then you want to use socks5 and have the client pass the
names through for resolution on the far side.  Unfortunately, many
browsers do local name resolution anyway even when set to use a socks5
proxy, limiting the usefulness of this feature.  Even if the namespace is
not split and this works, part of the point of the whole setup may be
lost.  If you wanted browsing privacy in the vicinity of the client, then
this is partially compromised: the DNS traffic from the client reveals the
web servers it's talking to, even though the actual HTTP traffic is
protected by SSH.

  Richard Silverman
