Needed a place to record some notes about WinSCP and PuTTY...
Sometimes, especially when behind a corporate firewall, it's useful to know how
to set up WinSCP for use via "tunneling."
First, find and reach a Linux box to which you have rights. You'll use that
host as the tunnel. Let's assume for this example that ours is
To expand the example, let's also assume that we must operate through a proxy.
Ours here is an HTTP proxy over port 8080, web-proxy.acme.com.
Once you have that, follow the steps below. Remember that this is for just one
site and you must do it within the context of that site. If at any time during
these steps you click on Session in the upper-left corner of the left
pane and see anything other than the hostname/username pair you're creating a
session for (in our example here: pookie.com/pookie), then it
This works similarly with putty, which has proxy and tunneling settings of
its own.
Normally, I just use putty to get into my Linux host and do stuff when
I'm on a Windows machine and don't have a Linux command line handy. However, it
can do much more, such as helping Thunderbird get mail from Google.
Having launched putty, we create a session and save it. Let's use the
same make-believe host as higher up in the WinSCP example.
This example is a little confusing since it's the before and after: to set up
forwarding of port 3128 (arbitrarily chosen), you type "3128" into Source
port, click the Dynamic button and then Add. The result
is "D3128" in the Forwarded ports list.
Of course, you do have to launch putty and authenticate for this to
work. Here, I happen to be logged into (not gandalf.lordoftherings.net,
but) another host.
Turning to Thunderbird, I set up my Google mail account over IMAP as must be
Then, I go into Tools -> Options -> Advanced
-> Network & Disk Space -> Connection -> Settings. There I
set up my proxy, just as I would for Firefox browsing. I also set up a SOCKS
(v5) proxy for the local host (127.0.0.1) on port 3128.
Magically after this, I'm getting my Google mail into Thunderbird despite
running behind a firewall and proxy set-up at work.
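To confirm that the dynamic forward (D3128) is really listening before pointing Thunderbird at it, this added example (not part of the original notes) sends the SOCKS5 greeting defined in RFC 1928 to 127.0.0.1:3128 and reports which authentication method the listener selects. The function names are my own, and it assumes the putty session with the D3128 forward is open and authenticated.

```python
import socket

SOCKS_VERSION = 0x05
# Method codes from RFC 1928, section 3.
METHODS = {
    0x00: "no authentication",
    0x01: "GSSAPI",
    0x02: "username/password",
    0xFF: "no acceptable method",
}


def build_greeting(methods=(0x00,)):
    """Client greeting: VER, NMETHODS, then one byte per offered method."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def parse_method_reply(reply):
    """Decode the 2-byte method-selection reply; raise ValueError if it is not SOCKS5."""
    if len(reply) != 2:
        raise ValueError(f"expected 2 bytes, got {len(reply)}")
    version, method = reply
    if version != SOCKS_VERSION:
        raise ValueError(f"not a SOCKS5 listener (version byte {version:#04x})")
    return METHODS.get(method, f"unknown method {method:#04x}")


def probe_socks5(host="127.0.0.1", port=3128, timeout=3.0):
    """Connect to the forwarded port, send the greeting, return the selected method."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_greeting())
        reply = b""
        while len(reply) < 2:          # recv may return fewer bytes than asked
            chunk = sock.recv(2 - len(reply))
            if not chunk:              # peer closed before answering
                break
            reply += chunk
    return parse_method_reply(reply)


if __name__ == "__main__":
    try:
        print("127.0.0.1:3128 ->", probe_socks5())
    except (OSError, ValueError) as exc:
        # Connection refused: putty is not running or the forward was not added.
        print("tunnel not usable:", exc)
```

A "connection refused" result means the putty session is down or the forward was never added; a ValueError means something other than a SOCKS5 listener owns the port.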
All machines in your internal network appear at the same (set of) public
addresses. I.e., you can have 8 public IP addresses, and a network of 200
machines with private addresses using them to go "outside". When a host inside
wants to open a connection to the outside, the connection gets assigned an IP
address and port from this pool. It was conceived as a way of conserving IPv4
addresses when it became clear they were becoming scarce, and then (ab)used as a
security measure (any incoming connections are at the mercy of the machine
doing the translating). This is usually called NAT (Network Address
Translation); if there is just one public address it is more accurately called
PAT (Port Address Translation, only ports are translated). But both are usually
All traffic directed at a certain IP address and port is sent to another
address and port, any responses follow the reverse path. This is usually
coupled with masquerading (i.e., outside accesses the HTTP or SMTP ports on one
of the masquerading addresses, traffic to that port is handled by the internal
machine offering that service). It can also be done if both the forwarder and
its target have public addresses, but it is rather pointless.
A machine filtering traffic between networks, typically an internal network and
the Internet, but it could also separate two internal networks. The firewall
inspects connection requests and/or flowing traffic, and denies traffic (or
modifies it). It is usually combined with the above two.
Masquerading = NAT
Port forwarding = telling NAT to forward new incoming traffic on a certain port
to another IP and port "behind it".
If you didn't set up port forwarding on A, B isn't going to receive any new
incoming connections from outside of A.