Differences between ssh -L to -D

I'm trying to understand the differences between ssh -L to -D. Is there anything else except for that -D is SOCKS only?

Thanks!

Marvin

Posted 2012-04-03T12:26:05.763

Answers

ssh -L opens a local port. Everything that you send to that port is put through the ssh connection and leaves through the server. If you do, e.g., ssh -L 4444:google.com:80 and then open http://localhost:4444 in your browser, you'll actually see google's page.

ssh -D opens a local port, but it doesn't have a specific endpoint like with -L. Instead, it pretends to be a SOCKS proxy. If you open, e.g., ssh -D 7777, when you tell your browser to use localhost:7777 as your SOCKS proxy, everything your browser requests goes through the ssh tunnel. To the public internet, it's as if you were browsing from your ssh server instead of from your computer.

Jessidhia

Posted 2012-04-03T12:26:05.763

Reputation: 2 602

@dividebyzero I'm having trouble picturing what you're describing – Michael Dorst – 2019-04-22T17:59:25.630

@MichaelDorst I mean this sentence from the manpage: The bind_address of “localhost” indicates that the listening port be bound for local use only, while an empty address or ‘*’ indicates that the port should be available from all interfaces. – dividebyzero – 2019-04-23T18:37:50.347

ssh -L 4444:google.com:80 doesn't work for me; it requires another parameter for logging in, like user@example.com – Saman Mohamadi – 2019-09-18T10:30:21.457

One important detail about -L is that you can bind a local port just for local use only, e.g. localhost:80:remotehost:8080, but you can also bind that port for anyone else. So you can make a machine in your local network offer access to a remote machine by a tunnel, without any of the local machines knowing about this. – dividebyzero – 2013-09-06T14:48:22.010

In SSH, -D specifies a local “dynamic” application-level port forwarding.

ssh -D [bind_address:]port

Specifies a local “dynamic” application-level port forwarding. This works by allocating a socket to listen to port on the local side, optionally bound to the specified bind_address. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine. Currently the SOCKS4 and SOCKS5 protocols are supported, and ssh will act as a SOCKS server. Only root can forward privileged ports. Dynamic port forwardings can also be specified in the configuration file.

IPv6 addresses can be specified with an alternative syntax: [bind_address/]port or by enclosing the address in square brackets.

Only the superuser can forward privileged ports. By default, the local port is bound in accordance with the GatewayPorts setting. However, an explicit bind_address may be used to bind the connection to a specific address. The bind_address of “localhost” indicates that the listening port be bound for local use only, while an empty address or ‘*’ indicates that the port should be available from all interfaces.

Additionally, ssh -L specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side.

ssh -L [bind_address:]port:host:hostport

Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side. This works by allocating a socket to listen to port on the local side, optionally bound to the specified bind_address. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the remote machine. Port forwardings can also be specified in the configuration file. IPv6 addresses can be specified with an alternative syntax: [bind_address/]port/host/hostport or by enclosing the address in square brackets.

Only the superuser can forward privileged ports. By default, the local port is bound in accordance with the GatewayPorts setting. However, an explicit bind_address may be used to bind the connection to a specific address. The bind_address of “localhost” indicates that the listening port be bound for local use only, while an empty address or ‘*’ indicates that the port should be available from all interfaces.

Mughil

Posted 2012-04-03T12:26:05.763

Reputation: 826
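As an added example (not code from this thread or from OpenSSH), here is a small Python checker that parses -L and -D specs in the syntax the quoted manpage gives, including the "/" and bracketed IPv6 forms, and reports whether the listener is bound for local use only or exposed on all interfaces, the distinction dividebyzero's comment raises. The exposure labels, the gateway_ports parameter and the sample specs are this example's own assumptions.

```python
"""Parse OpenSSH -L / -D forwarding specs (syntax as in the quoted manpage)
and classify where the local listener is reachable from. Added example for
this thread, not OpenSSH code; labels and gateway_ports are its own."""
import re
from dataclasses import dataclass
from typing import List, Optional

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

@dataclass
class Forward:
    kind: str                    # "local" for -L, "dynamic" for -D
    bind_address: Optional[str]  # None = omitted; "" = empty address (all interfaces)
    port: int
    host: Optional[str] = None   # target host (-L only; -D learns it from SOCKS)
    hostport: Optional[int] = None

def _fields(spec: str) -> List[str]:
    """Split on ':' (or on '/' in the alternative IPv6 form), keeping bracketed
    IPv6 literals such as [::1] as single fields."""
    literals: List[str] = []
    masked = re.sub(r"\[([^\]]*)\]",
                    lambda m: literals.append(m.group(1)) or f"\x00{len(literals) - 1}\x00",
                    spec)
    parts = masked.split("/") if "/" in masked else masked.split(":")
    return [re.sub(r"\x00(\d+)\x00", lambda m: literals[int(m.group(1))], p) for p in parts]

def parse_forward(flag: str, spec: str) -> Forward:
    """flag is "-L" or "-D"; spec is the argument exactly as typed after it."""
    f = _fields(spec)
    if flag == "-D" and len(f) in (1, 2):
        return Forward("dynamic", f[0] if len(f) == 2 else None, int(f[-1]))
    if flag == "-L" and len(f) in (3, 4):
        return Forward("local", f[0] if len(f) == 4 else None, int(f[-3]), f[-2], int(f[-1]))
    raise ValueError(f"malformed {flag} spec: {spec!r}")

def exposure(fwd: Forward, gateway_ports: bool = False) -> str:
    """'loopback' (local use only), 'all' (every interface, so other hosts on
    the LAN can use the tunnel) or 'specific' (one explicit address). An omitted
    bind_address follows the client's GatewayPorts setting, off by default."""
    b = fwd.bind_address
    if b is None:
        return "all" if gateway_ports else "loopback"
    if b in ("", "*"):
        return "all"
    return "loopback" if b in LOOPBACK else "specific"

def is_privileged(fwd: Forward) -> bool:
    return fwd.port < 1024  # below 1024 needs root on the client, per the manpage
```

Run it over the specs in an ssh_config or a shell history to spot forwardings such as ":8080:remotehost:8080" that quietly offer the tunnel to the whole LAN.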