Introduction
SSH port forwarding is often referred to as SSH tunneling, and the two terms are used interchangeably.
The encrypted SSH ‘tunnel’ serves as a vessel to transfer assorted data and deliver it safely to the remote system. This method is regularly used to circumvent standard firewall security protocols. Port-forwarding is a component of most SSH client and server programs.
Find out how to use OpenSSH for Linux, and the Windows PuTTY client to enable local, remote, or dynamic SSH port forwarding.
Prerequisites
- An SSH client/server of your choice (OpenSSH or PuTTY)
- A reachable IP address or name of the remote/local server
How to Use Local Port Forwarding
Valuable network resources do not generally allow remote SSH access. This would be a severe limitation in a modern distributed environment. Organizations usually solve this issue by setting up an intermediary SSH ‘jump’ server to accept remote SSH connections.
Your local SSH client establishes a connection with the remote SSH server. The connection is then forwarded to a resource within the trusted internal network. SSH connections are established, and security efforts can concentrate on the intermediary SSH server rather than individual resources in a network.
Local Port Forwarding with OpenSSH
To use SSH tunneling in Linux, you need to provide your client with the source and destination port numbers, as well as the location of the destination server. The location can either be an IP address or a hostname.
The basic syntax for a local port forward command is straightforward:
ssh -L local_port:destination_server_ip:remote_port ssh_server_hostname
⦁ ssh
– Starts the SSH client program on the local machine and establishes a secure connection to the remote SSH server.
⦁ -L local_port:destination_server_ip:remote_port
– The local port on the local client is being forwarded to the port of the destination remote server.
⦁ ssh_server_hostname
– This element of the syntax represents the hostname or IP address of the remote SSH server.
A practical example of an SSH port forwarding command would take the following form:
ssh –L 5901:188.17.0.5:4492 pnap@ssh.server.com
In the example above, all traffic sent to port 5901 on your local host is being forwarded to port 4492 on the remote server located at 188.17.0.5.
Local Port Forwarding with PuTTY
PuTTY is a user-friendly SSH client for Windows. Configure local SSH tunneling by following these steps:
- When you start the PuTTY application, the Sessions screen allows you to enter the hostname or IP address and port number of the destination SSH server (Example: pnap@ssh.server.com and port number 22).
- Use the Category list on the left to navigate to Connection > SSH > Tunnels.
- Select Local to define the type of SSH port forward.
- Enter your local port number in the Source port field.
- Type the destination address and port number in the Destination field. Use the following format: destination_server_ip:remote_port.
(e.g., Source port: 5901, Destination: 188.17.0.5:4492) - Once you verify that the information you entered is correct, select Add.
- The parameters for the connection are now all set. The Open option initiates the local SSH port-forward.
Note: If you are an Ubuntu user, refer to our tutorial How to Install PuTTY on Ubuntu.
How to Use Remote Port Forwarding
The purpose of remote forwarding is to allow a remote server to access resources on your local machine. Remote forwarding represents an inversion of the local forwarding process we explored previously.
Remote Port Forwarding with OpenSSH
The basic syntax for a remote port forward command is as follows:
ssh -R remote_port:localhost:local_port ssh_server_hostname
In this example, we have instructed the remote server ssh.server.com
to forward any connections directed at port 8080 to the local resource listening on port 5534.
ssh –R 8080:localhost:5534 pnap@ssh.server.com
Users with access to the SSH server are now able to access resources on your local machine.
Remote Port Forwarding with PuTTY
- Start the PuTTY application. The initial Sessions screen allows you to specify the IP address and port number of the destination SSH server.
- Use the Category list on the left to navigate to Connection > SSH > Tunnels.
- Select Remote to define the type of SSH port forward.
- Enter the remote port number in the Source port field (e.g., 8080).
- Type the destination address and port number in the Destination field using the following format localhost:local_port (e.g., localhost:5534).
- Once you verify that the information you entered is correct, click Add.
- Select Open to establish a remote SSH port-forward.
In the example above, users and applications can connect to port 8080 on the remote SSH server and then access the local machine using port 5534.
Note: Learn how to forward ports with iptables in Linux.
How To Use Dynamic Port Forwarding
Dynamic port forwarding is not as well-known as the previous two options. Most users find it easier to use local port forwarding to achieve similar results. Dynamic port forwarding can provide more flexibility as you no longer need to use a predefined remote port and server.
Note: When using dynamic port forwarding, it’s necessary to configure individual programs to use the SOCKS proxy server.
Dynamic Port Forwarding with OpenSSH
By using the ssh
command and the –D
argument, you can use your SSH client to create a SOCKS proxy on your local machine.:
ssh –D local_port ssh_server_hostname
The following command opens a SOCKS proxy at port 5534 on your local machine:
ssh –D 5534 pnap@ssh.server.com
You are now able to configure a local resource, like a browser, to use port 5534. All traffic originating from that resource is directed through the SSH connections established for the defined port.
Dynamic Port Forwarding with PuTTY
- Enter the hostname or IP address and port number of the destination SSH server on the main PuTTY Sessions screen.
- Use the Category list to navigate to Connection > SSH > Tunnels.
- Select Dynamic to define the type of SSH port forward.
- Enter the dynamic port number in the Source port field (e.g., 5534). The SOCKS proxy server on your local machine is going to use this port to dynamically forward traffic.
- Once you are sure that the information you entered is correct, click Add.
- The parameters for the connection are now all set. Select the Open option to start dynamic SSH port-forwarding.
For dynamic forwarding to work, you would need to configure and enable each application for the SOCKS proxy server.
Note: If you are working with Kubernetes, you might find our guide about kubectl port-forward useful.
Conclusion
This tutorial presented three different types of SSH port forwarding, the commands you need to use, and how to implement them on your system.
SSH port forwarding is a powerful feature, and it needs to be carefully administered. High-security standards should be maintained throughout the entire process.