Setting Up Port Forwarding Over SSH

SSH port forwarding creates an encrypted SSH tunnel between a client and a server system.

Three types of SSH port forwarding are available:

• Local Port Forwarding: Forwards a port from the client to the SSH server and then to the destination port.
• Dynamic Port Forwarding: Creates a SOCKS proxy server for communications across a range of ports.
• Reverse Port Forwarding: Forwards a port from the server to the client and then to the destination port.

Why Use Port Forwarding?

Port forwarding lets remote servers to access devices within a private local-area network (LAN) and conversely.

You can use port forwarding to access a service that's not exposed to the public network interface. You might set up a local port forward to access a service (such as a database) on a remote server. The database on the server isn't exposed to the public network interface, but you could create a tunnel from a local machine to the internal database server port. You can then connect to localhost and all traffic would get forwarded across the SSH tunnel to the remote database.

You can use reverse port forwarding to give someone outside the local network access to an internal service. For example, you might want to show a fellow developer a web application that you have developed on the local machine. Because the machine doesn't have a public IP, the other developer can't access the application over the internet. However, if you have access to a remote SSH server, you can set up reverse port forwarding to provide the developer access.

Server-side Configuration

Edit the /etc/ssh/sshd_config file to configure SSH port forwarding. On the server, at a minimum verify the following parameters:

• AllowTCPForwarding

  Allows TCP port forwarding. When omitted, the default is yes which enables single TCP port forwards and SOCKS proxying

• AllowStreamLocalForwarding

  Allows forwarding of UNIX domain sockets. When omitted, the default is yes.

Local Port Forwarding

To create a direct TCP forward tunnel, use the ssh -L option:

ssh -L [bind_address:]port:destination:destination_port [user@]remote_ssh_server

• bind_address is optional and assigns a local interface to listen for connections. If omitted, ssh only binds on the loopback interfaces. To bind on all interfaces, you can use “0.0.0.0” or “::”.
• port - The local port number. You can use any port number greater than 1024.
• destination - The IP or hostname of the destination machine. If the destination is on the remote server itself, you can use localhost.
• destination_port - Port on the destination machine.
• [user@]remote_ssh_server - The remote SSH user and server IP address.

For example:

ssh -L 8080:localhost:8888 user@192.168.1.20

This would open an SSH connection to the remote server at 192.168.1.20 and open a tunnel to the localhost port 8888.

Dynamic Port Forwarding

Use dynamic port forwarding to have the SSH client listen on a specified binding port and act as a SOCKS proxy server. You don't need to specify a destination host as all incoming connections on the specified port forward through the tunnel to a dynamic port on the destination machine.

To create a dynamic port forward, use the ssh -D option.

ssh -D [bind_address:]port [user@]remote_ssh_server

Reverse Port Forwarding

A reverse tunnel forwards any connection received on the remote SSH server to the local client network.

To create a reverse port forward, use the ssh -R option.

For local port reverse forwarding:

ssh -R [bind_address:]port:destination:destination_port [user@]remote_ssh_server

For dynamic port reverse forwarding:

ssh -R [bind_address:]port [user@]remote_ssh_server