Port Forwarding via SSH

Sylia CHIBOUB
May 23, 2020

This article explains port forwarding via SSH, also called SSH tunneling. Before we begin, check out my article on SSH For Dummies if you have no idea what SSH is or how it works.

Introduction

Port forwarding via SSH creates a secure connection between a local computer and a remote machine through which data can be transferred. Application traffic is carried inside the encrypted SSH connection, so it cannot be read or altered by anyone who intercepts it in transit.

SSH tunneling is useful for carrying traffic that uses an unencrypted protocol. It adds a layer of network security to applications that do not support encryption, protecting confidentiality and integrity and authenticating the communicating parties.

The secure connection over the internet is established between an SSH client and an SSH server (also called a bastion server).

The application on the client machine uses the SSH connection to connect to the database on the bastion server. With tunneling enabled, the application connects to a port on the client machine that the SSH client listens on. The SSH client then forwards the application's requests over its encrypted tunnel to the bastion server, which connects to the actual database and fetches the data to be sent back to the application on the client side.

Types of Port Forwarding

There are three types of port forwarding with SSH:

  • Local port forwarding: connections from the SSH client are forwarded via the SSH server, then to a destination server.
  • Remote port forwarding: connections from the SSH server are forwarded via the SSH client, then to a destination server.
  • Dynamic port forwarding: connections from various programs are forwarded via the SSH client, then via the SSH server, and finally to several destination servers.

Port Forwarding Use Cases

In this article I will focus on local and dynamic port forwarding, as they are the most widely used. Typical uses are:

  • Tunneling sessions and file transfers
  • Connecting to a service on an internal network from the outside
  • Connecting to a remote file share over the Internet
  • Bypassing a company firewall that blocks web access

Remote port forwarding is less common. For example, remote port forwarding lets you connect from your SSH server to a computer on your company’s intranet.

Local Port Forwarding Setup

Suppose you are behind a restrictive firewall, or an outgoing firewall blocks you from accessing a Grafana application running on port 3000 on your remote server. You can forward a local port (e.g. 8080) and then use it to access the application locally, as follows.

$ ssh -f -N ubuntu@remote-server.com -L 8080:remote-server.com:3000

-L takes local_port:remote_host:remote_port: the local port to listen on, and the remote host and port that connections to it are forwarded to.

-N means do not execute a remote command, so you will not get a shell.

-f instructs ssh to run in the background.

Now, on your local machine, open a browser. Instead of accessing the remote application at remote-server.com:3000, you can simply use localhost:8080.

Dynamic Port Forwarding Setup

Dynamic port forwarding sets up your machine as a SOCKS proxy server which listens on port 1080, by default. You can enable dynamic port forwarding using the -D option.

SOCKS is an Internet protocol for programs to request any Internet connection through a proxy server (SSH in our case). Each program that uses the proxy server needs to be configured specifically, and reconfigured when you stop using the proxy server.

The following command will start a SOCKS proxy on port 8080 allowing you to connect to the remote host.

$ ssh ubuntu@remote-server.com -f -N -D 8080 

From now on, you can make applications on your machine use this SSH proxy server by editing their settings and configuring them to use it to connect to your remote server. For example, you can configure Firefox’s proxy settings to use this SSH tunnel, so that all HTTP/HTTPS traffic will be redirected to the remote server and then redirected back to the client.

Note that the SOCKS proxy will stop working after you close your SSH session.
