SSH Port Forwarding:

• SSH port forwarding or tunnelling allows you to forward otherwise insecure TCP
traffic inside a secure SSH tunnel from local to destination server.

• Protocols such as FTP, POP3, SMTP, HTTP, TELNET, and others can all be forwarded
inside this SSH tunnel.

• This will provide increased security features such as encryption and authentication
that may not otherwise be supported.

• You must create a new SSH connection to establish the tunnelling.

Type of SSH Port Forwarding?

There are three types of port forwarding mechanisms between local and remote host:

• Local Port Forwarding: Create a local port that is connected to a remote service.

• Remote Port Forwarding: Forward a port on a remote server on the Internet to a

local port.

• Dynamic Port Forwarding: A SOCKS client connects via TCP, and indicates via the
protocol the remote socket it wants to reach.
1: Local Port Forwarding
• This allows you to forward a port from your localhost server (ssh_client) to a port
on target remote server (ssh_server).

• The basic syntax would be ssh -L sourceHost:sourcePort:forwardToHost:onPort

connectToHost

• Here the first field sourceHost would be the localhost using on which you will enable
the Port Forward

• The second field is sourcePort using which you will connect to

the remoteHost and remotePort

• The third field is the forwardToHost i.e. the server to which you want to forward the
request. You can also put localhost in this field (as it is the localhost of remoteHost)

• The fourth field is the onPort section i.e. the port to which the request has to be
forwarded

• Lastly provide the server (connectToHost) to which you want to create the secure
SSH Tunnel.

1.1: Local Port Forwarding with two servers

• This is the basic and most used Local port Forwarding where we forward the traffic
on a port 5555 from localhost (server1) to a port 80 on target host server3.

• In this example I have a web server running on port 80 on server3.

• I will configure port 5555 to be used to forward the traffic from localhost (server1)
to server3 on port 80 in secure SSH Tunnel.
1.1.1: Create SSH tunnel for HTTP server

Use SSH client on server1 (our localhost) to create a secure tunnel towards server3. The -
L option specifies local forwarding, in which the TCP client is on the local machine with the SSH

client.

[root@server1 ~]# ssh -f -N -L localhost:5555:server3:80 root@server3

HINT:
We can also use ssh -f -N -L 5555:localhost:80 root@server3 to establish the SSH
tunnel but that would confuse the beginners so we will keep it by the rules. Ideally here
third field localhost is considered to be called on server3 so we can use either

Make sure the SSH process is still active:

[root@server1 ~]# ps -ef | grep ssh

root 1170 1 0 10:20 ? 00:00:00 /usr/sbin/sshd -D
root 1426 1170 0 10:21 ? 00:00:01 sshd: root@pts/1
root 2242 1170 0 12:31 ? 00:00:00 sshd: root@pts/0
root 2384 1 0 12:53 ? 00:00:00 ssh -f -N -L
localhost:5555:server3:80 root@server3
root 2386 1430 0 12:53 pts/1 00:00:00 grep --color=auto ssh
1.1.2: Verify the SSH Tunnel
Next we will try to connect to our apache server on server3 using curl and curl is able to
connect to server3:80 using the server1:5555

[root@server1 ~]# curl [Link]

Welcome To Nehra Classes Web Page.

More information can be collected from tcpdump which is running on server3. This shows
that the curl request was served using SSH secure Tunnel even when the requested port was
80

[root@server3 ~]# tcpdump -i enp0s8 port 22

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s8, link-type EN10MB (Ethernet), capture size 262144 bytes
12:53:28.032073 IP server1.53464 > [Link]: Flags [P.], seq
29797146:29797230, ack 547702480, win 329, options [nop,no,TS val 8905005
ecr 8902932], length 84
12:53:28.032108 IP [Link] > server1.53464: Flags [.], ack 84, win 295,
options [nop,nop,TS val 8909252 ecr 8905005], ength 0
12:53:28.032430 IP [Link] > server1.53464: Flags [P.], seq 1:45, ack
84, win 295, options [nop,nop,TS val 8909253 ecr8905005], length 44
12:53:28.032854 IP server1.53464 > [Link]: Flags [P.], seq 84:200, ack
45, win 329, options [nop,nop,TS val 8905006 er 8909253], length 116
12:53:28.033570 IP [Link] > server1.53464: Flags [P.], seq 45:337, ack
200, win 295, options [nop,nop,TS val 8909254 cr 8905006], length 292
12:53:28.044939 IP server1.53464 > [Link]: Flags [P.], seq 200:236, ack
337, win 349, options [nop,nop,TS val 8905018ecr 8909254], length 36
12:53:28.045130 IP [Link] > server1.53464: Flags [P.], seq 337:409, ack
236, win 295, options [nop,nop,TS val 8909265ecr 8905018], length 72
12:53:28.045599 IP server1.53464 > [Link]: Flags [P.], seq 236:272, ack
409, win 349, options [nop,nop,TS val 8905019ecr 8909265], length 36
12:53:28.085911 IP [Link] > server1.53464: Flags [.], ack 272, win 295,
options [nop,nop,TS val 8909306 ecr 8905019],length 0

1.1.3: Close Local Forwarding Tunnel

To close the secure SSH Tunnel we must kill the SSH process which was created to forward the
PORT.

[root@server1 ~]# kill -9 2384

1.2: Local Port Forwarding with three servers

In this example we will have three servers. Here server1 does not has direct access
to server3 so it will use server1→ server2 to connect to the webserver on server3.

We will forward the port request from server1:5555 to server2 using secure SSH Tunnel
which will further connect server3:80 to fetch the request.
1.2.1: Create SSH Tunnel

Create Local Forwarding port on your localhost (server1) using SSH client. You can also ignore
mentioning localhost in this command as that is the default behaviour, I have written here just
for the sake of explanation

[root@server1 ~]# ssh -f -N -L localhost:5555:server3:80 root@server2

Make sure the SSH process is active which means our tunnel is created

[root@server1 ~]# ps -ef | grep ssh

root 1170 1 0 10:20 ? 00:00:00 /usr/sbin/sshd -D
root 1426 1170 0 10:21 ? 00:00:01 sshd: root@pts/1
root 2242 1170 0 12:31 ? 00:00:00 sshd: root@pts/0
root 2380 1 0 12:51 ? 00:00:00 ssh -f -N -L
localhost:5555:server3:80 root@server2
root 2382 1430 0 12:51 pts/1 00:00:00 grep --color=auto ssh

1.2.2: Verify the SSH Tunnel

We will use curl to connect to our webserver

on server3:80 from server1 using localhost:5555. So the curl tool was successfully able to
fetch the webserver's index page.

[root@server1 ~]# curl [Link]

Welcome To Nehra Classes Web Page.

You can check the tcpdump capture on server3 This shows the secure tunnel communication
between server1 and server2 and further server2 will connect to server3 to connect to
the webserver.

[root@server3 tmp]# tcpdump -i enp0s8 port 22 or 80

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s8, link-type EN10MB (Ethernet), capture size 262144 bytes
12:59:04.138042 IP server1.60638 > [Link]: Flags [P.], seq
2758738467:2758738551, ack 379740010, win 289, options [nop,nop,TS val
9241111 ecr 5849726], length 84
12:59:04.138269 IP [Link] > server1.60638: Flags [.], ack 84, win 273,
options [nop,nop,TS val 5891823 ecr 9241111], length 0
12:59:04.144056 IP server2.53650 > [Link]: Flags [S], seq 2208701817,
win 29200, options [mss 1460,sackOK,TS val 5891829 ecr 0,nop,wscale 7],
length 0
12:59:04.144073 IP [Link] > server2.53650: Flags [S.], seq 2805768777,
ack 2208701818, win 28960, options [mss 1460,sackOK,TS val 9245364 ecr
5891829,nop,wscale 7], length 0
12:59:04.148666 IP server2.53650 > [Link]: Flags [.], ack 1, win 229,
options [nop,nop,TS val 5891833 ecr 9245364], length 0
12:59:04.148672 IP [Link] > server1.60638: Flags [P.], seq 1:45, ack
84, win 273, options [nop,nop,TS val 5891834 ecr 9241111], length 44
12:59:04.148790 IP server1.60638 > [Link]: Flags [.], ack 45, win 289,
options [nop,nop,TS val 9241122 ecr 5891834], length 0
12:59:04.148917 IP server1.60638 > [Link]: Flags [P.], seq 84:200, ack
45, win 289, options [nop,nop,TS val 9241122 ecr 5891834], length 116
12:59:04.149100 IP server2.53650 > [Link]: Flags [P.], seq 1:79, ack
1, win 229, options [nop,nop,TS val 5891834 ecr 9245364], length 78: HTTP:
GET / HTTP/1.1
12:59:04.149118 IP [Link] > server2.53650: Flags [.], ack 79, win 227,
options [nop,nop,TS val 9245370 ecr 5891834], length 0
12:59:04.149546 IP [Link] > server2.53650: Flags [P.], seq 1:254, ack
79, win 227, options [nop,nop,TS val 9245370 ecr 5891834], length 253: HTTP:
HTTP/1.1 200 OK

1.2.3: Close Local forwarding Tunnel

To close the secure SSH Tunnel, go ahead and kill the respective SSH process which we created
earlier:

[root@server1 ~]# kill -9 2380

1.3: Local Port Forwarding with Gateway Ports

• In OpenSSH, by default, only the host running the SSH client can connect to locally
forwarded ports.

• This is because ssh listens only on the machine’s loopback interface for connections
to the forwarded port; i.e., it binds the socket (localhost,5555), a.k.a.
([Link],5555), and not (server1,8080).

• So, in the preceding example, only server1 can use the forwarding
 • However, ssh for OpenSSH has a command-line option, -g, that disables this
restriction, permitting any host to connect to locally forwarded ports:

• The client configuration (ssh_config) keyword GatewayPorts also controls this

feature; the default value is no, whereas yes does the same thing as -g

1.3.1: Create SSH Tunnel with Gateway Port

We will also use -g with our existing SSH command to create the SSH Tunnel. Also if you
observe, I have removed "locahost" and have used ":5555" which signifies all the host can
be matched

[root@server1 ~]# ssh -g -f -N -L :5555:server3:80 root@server3

Make sure the SSH process is still active for the respective command:

[root@server1 ~]# ps -ef | grep ssh

root 1170 1 0 10:20 ? 00:00:00 /usr/sbin/sshd -D
root 1426 1170 0 10:21 ? 00:00:01 sshd: root@pts/1
root 2242 1170 0 12:31 ? 00:00:00 sshd: root@pts/0
root 2423 1 0 13:01 ? 00:00:00 ssh -g -f -N -L
:5555:server3:80 root@server3
root 2425 1430 0 13:03 pts/1 00:00:00 grep --color=auto ssh

1.3.2: Verify the Local Port Forwarding

We will use curl command from server2 this time to check if it can connect to server3 using
port 5555 from the secure tunnel
[root@server2 ~]# curl [Link]
Welcome To Nehra Classes Web Page.

So the server2 was successfully able to connect to server3:80 and also to the webserver
using forwarding port server1:5555

The tcpdump output from server3 shows that the connection was established
between server1 and server3 using secure tunnel to get the HTTP request. You can extend
the tcpdump to search for host server2 to get packet details from respective host. Since the
tunnel is between server1 and server3 only, we do not see server2 related details here.

[root@server3 tmp]# tcpdump -i enp0s8 port 22 or 80

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s8, link-type EN10MB (Ethernet), capture size 262144 bytes
13:01:40.344612 IP server1.53480 > [Link]: Flags [P.], seq
2488865116:2488865208, ack 1385274191, win 309, options [nop,nop,TS val
9397318 ecr 9390459], length 92
13:01:40.344639 IP [Link] > server1.53480: Flags [.], ack 92, win 295,
options [nop,nop,TS val 9401565 ecr 9397318], length 0
13:01:40.346140 IP [Link] > server1.53480: Flags [P.], seq 1:45, ack
92, win 295, options [nop,nop,TS val 9401566 ecr 9397318], length 44
13:01:40.346422 IP server1.53480 > [Link]: Flags [.], ack 45, win 309,
options [nop,nop,TS val 9397320 ecr 9401566], length 0
13:01:40.346507 IP server1.53480 > [Link]: Flags [P.], seq 92:208, ack
45, win 309, options [nop,nop,TS val 9397320 ecr 9401566], length 116
13:01:40.347088 IP [Link] > server1.53480: Flags [P.], seq 45:337, ack
208, win 295, options [nop,nop,TS val 9401567 ecr 9397320], length 292
13:01:40.347943 IP server1.53480 > [Link]: Flags [P.], seq 208:244, ack
337, win 329, options [nop,nop,TS val 9397321 ecr 9401567], length 36
13:01:40.348239 IP [Link] > server1.53480: Flags [P.], seq 337:409, ack
244, win 295, options [nop,nop,TS val 9401569 ecr 9397321], length 72
13:01:40.348453 IP server1.53480 > [Link]: Flags [P.], seq 244:280, ack
409, win 329, options [nop,nop,TS val 9397322 ecr 9401569], length 36
13:01:40.389600 IP [Link] > server1.53480: Flags [.], ack 280, win 295,
options [nop,nop,TS val 9401610 ecr 9397322], length 0

1.3.3: Close SSH Tunnel

Close the SSH Tunnel To close the Local forwarding port, you can go ahead and kill the SSH
process which we created earlier to start the tunnel from server1
[root@server1 ~]# kill -9 2423
2: Remote port forwarding
• A remotely forwarded port is just like a local one, but the directions are reversed

• This time the TCP client is remote, its server is local, and a forwarded connection is
initiated from the remote machine.

• Remote port forwarding is less common and can be used to connect to a local port
that cannot be reached from the internet, to a port on the server that is available on
the internet

• The -R option specifies remote forwarding. It is followed by three values, separated

by colons as before but interpreted slightly differently.

The syntax to perform Reverse Port Forwarding would be ssh -R

bindAddress:remotePort:forwardToHost:onPort connectToHost

• The first field is the bind address on localhost. By default, TCP listening sockets on
the server will be bound to the loopback interface only

• The second field is the remotePort which which will be used to connect to the
destination port i.e. 80.

• The third field is for forwardToHost i.e. the hostname or IP of the server to which
you wish to connect as part of forwarding

• The fourth field is the onPort to which the forwarding should happen on the
"forwardToHost"

• Lastly provide the server details towards which the SSH Tunnel should be created
2.1: Create SSH Tunnel for Remote Port Forwarding

I have a web server with apache on port 80 running on server3. Now in the earlier examples:

with Local Port Forwarding we forward request from server1:5555 to server3:80

Now we will do the opposite i.e.

with Remote Port Forwarding we forward request from server3:80 to server1:5555

Create SSH Tunnel on server3

[root@server3 ~]# ssh -f -N -R localhost:5555:server3:80 root@server1

Make sure the SSH process with the above command is still running

[root@server3 ~]# ps -ef | grep ssh

root 5711 1 0 10:22 ? 00:00:01 sshd: root@pts/0
root 9500 1 0 11:10 ? 00:00:00 /usr/sbin/sshd -D
root 11151 9500 0 12:09 ? 00:00:00 sshd: root@notty
root 13638 1 0 15:46 ? 00:00:00 ssh -f -N -R 5555:server3:80
root@server1
root 13642 5799 0 15:46 pts/0 00:00:00 grep --color=auto ssh

2.2: Verify SSH Tunnel setup

Verify SSH Tunnel Next we will use curl from server1 to connect to server3 using port 5555

[root@server1 ~]# curl [Link]

Welcome To Nehra Classes Web Page.

The connection was successful

With tcpdump running on server3 we can check the secure SSH Tunnel was used for the curl
request from server1 to server3

[root@server3 ~]# tcpdump -i enp0s8 port 22 or 80

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s8, link-type EN10MB (Ethernet), capture size 262144 bytes
15:48:05.749405 IP [Link] > server3.48228: Flags [P.], seq
3747952798:3747952890, ack 3457506699, win 258, options [nop,nop,TS val
19382722 ecr 19296856], length 92
15:48:05.749429 IP server3.48228 > [Link]: Flags [.], ack 92, win 291,
options [nop,nop,TS val 19386970 ecr 19382722], length 0
15:48:05.750020 IP server3.48228 > [Link]: Flags [P.], seq 1:45, ack
92, win 291, options [nop,nop,TS val 19386970 ecr 19382722], length 44
15:48:05.750314 IP [Link] > server3.48228: Flags [.], ack 45, win 258,
options [nop,nop,TS val 19382723 ecr 19386970], length 0
15:48:05.750506 IP [Link] > server3.48228: Flags [P.], seq 92:208, ack
45, win 258, options [nop,nop,TS val 19382724 ecr 19386970], length 116
15:48:05.751491 IP server3.48228 > [Link]: Flags [P.], seq 45:337, ack
208, win 291, options [nop,nop,TS val 19386972 ecr 19382724], length 292
15:48:05.752605 IP [Link] > server3.48228: Flags [P.], seq 208:244, ack
337, win 281, options [nop,nop,TS val 19382726 ecr 19386972], length 36
15:48:05.752926 IP server3.48228 > [Link]: Flags [P.], seq 337:409, ack
244, win 291, options [nop,nop,TS val 19386973 ecr 19382726], length 72
15:48:05.753338 IP [Link] > server3.48228: Flags [P.], seq 244:280, ack
409, win 281, options [nop,nop,TS val 19382727 ecr 19386973], length 36
15:48:05.793709 IP server3.48228 > [Link]: Flags [.], ack 280, win 291,
options [nop,nop,TS val 19387014 ecr 19382727], length 0

2.3: Close SSH Tunnel

To close the SSH Tunnel we must kill the SSH process which is running on our server3

[root@server3 ~]# ps -ef | grep 5555

root 13638 1 0 15:46 ? 00:00:00 ssh -f -N -R 5555:server3:80
root@server1

The PID mapped to the SSH Tunnel is 13638, we will use kill with -9 interrupt signal for the
respective PID

[root@server3 ~]# kill -9 13638

3: Dynamic Port Forwarding

• Let's say we need a quick way to exit our network bypassing the firewall settings.

• Our server1 normally has access to HTTP server running on server3

• But due to recent firewall policy we can reach server3 host, to access the web server

• To overcome this problem we can use Dynamic Port Forwarding or SOCKS

Forwarding SOCKS is a small protocol, defined in RFC-1928.
 • A SOCKS client connects via TCP, and indicates via the protocol the remote socket it
wants to reach; the SOCKS server makes the connection, then gets out of the way,
transparently passing data back and forth.

• Thereafter, it is just as if the client had connected directly to the remote socket.

The syntax to use Dynamic Port Forwarding would be:

ssh -f -N -D [bind_address:]port connectToHost

• Here in the first field there is no need to explicitly mention the bind_address, just
provide the local port to be forwarded in the second field

• That’s because the destination is determined dynamically, and can be different for
each connection.

• Replace connectToHost with the server towards which you want to create the secure
tunnel
3.1: Create SSH Tunnel

Before we create SSH Tunnel, let me show you server1 was by default allowed to connect to
apache server on server3 using port 80

[root@server1 ~]# curl [Link]

Welcome To Nehra Classes Web Page.

But then we introduce iptables rule to block port 80 in the OUTPUT chain on server1

[root@server1 ~]# iptables -A OUTPUT -p tcp --dport 80 -j DROP

Now if we try to access the apache server from server3, curl will time out while trying to
establish the connection

[root@server1 ~]# curl --connect-timeout 5 [Link]

curl: (28) Connection timed out after 5000 milliseconds

So we create Dynamic Port Forwarding SSH Tunnel from server1 to server3 using a random
port 8080. You can choose any other port of your choice.

[root@server1 ~]# ssh -f -N -D 8080 root@server3

Verify the SSH process from this command

[root@server1 ~]# ps -ef | grep ssh

root 1170 1 0 10:20 ? 00:00:00 /usr/sbin/sshd -D
root 1426 1170 0 10:21 ? 00:00:01 sshd: root@pts/1
root 2242 1170 0 12:31 ? 00:00:00 sshd: root@pts/0
root 2611 1 0 16:24 ? 00:00:00 ssh -f -N -D 8080
root@server3
root 2613 1430 0 16:25 pts/1 00:00:00 grep --color=auto ssh

3.2: Verify SSH Tunnel setup

Verify the SSH Tunnel setup Now we will try to use SOCKS proxy to connect to the apache
server from server3:80 using server1:8080

[root@server1 ~]# curl --proxy socks5h://localhost:8080 [Link]

Welcome To Nehra Classes Web Page.

The curl connection was successful with SOCKS proxy

The tcpdump output on server3 shows that the curl connection happened within the secure
SSH Tunnel over port 22
[root@server3 ~]# tcpdump -i enp0s8 port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s8, link-type EN10MB (Ethernet), capture size 262144 bytes
16:27:04.659233 IP server1.53544 > [Link]: Flags [P.], seq
2051346850:2051346934, ack 679515067, win 349, options [nop,nop,TS val
21721632 ecr 21664654], length 84
16:27:04.659249 IP [Link] > server1.53544: Flags [.], ack 84, win 295,
options [nop,nop,TS val 21725880 ecr 21721632], length 0
16:27:04.659651 IP [Link] > server1.53544: Flags [P.], seq 1:45, ack
84, win 295, options [nop,nop,TS val 21725880 ecr 21721632], length 44
16:27:04.660067 IP server1.53544 > [Link]: Flags [P.], seq 84:192, ack
45, win 349, options [nop,nop,TS val 21721633 ecr 21725880], length 108
16:27:04.660454 IP [Link] > server1.53544: Flags [P.], seq 45:337, ack
192, win 295, options [nop,nop,TS val 21725881 ecr 21721633], length 292
16:27:04.661356 IP server1.53544 > [Link]: Flags [P.], seq 192:228, ack
337, win 369, options [nop,nop,TS val 21721634 ecr 21725881], length 36
16:27:04.661590 IP [Link] > server1.53544: Flags [P.], seq 337:409, ack
228, win 295, options [nop,nop,TS val 21725882 ecr 21721634], length 72
16:27:04.661957 IP server1.53544 > [Link]: Flags [P.], seq 228:264, ack
409, win 369, options [nop,nop,TS val 21721635 ecr 21725882], length 36
16:27:04.702875 IP [Link] > server1.53544: Flags [.], ack 264, win 295,
options [nop,nop,TS val 21725923 ecr 21721635], length 0

You can also configure your Mozilla Firefox to use SOCKS Proxy by modifying the Proxy
configuration under Network Settings

3.3: Close SSH Tunnel

To close the Dynamic Port Forwarding SSH Tunnel we must kill the SSH process which we
created earlier on server1

[root@server1 ~]# ps -ef | grep ssh

root 2611 1 0 16:24 ? 00:00:00 ssh -f -N -D 8080
root@server3
root 2613 1430 0 16:25 pts/1 00:00:00 grep --color=auto ssh

In this case, kill the process PID 2611 to close the tunnel

[root@server1 ~]# kill -9 2611

Conclusion
Understand SSH Port Forwarding concept can be little tricky for beginners and it may take
some time to be able to use it in real time environments. The examples which I have used in
this tutorial to explain different types of forwarding are based on private network whereas
these are used also in public network with network firewalls. But the end usage would be
same so you can learn regarding the usage from these examples.