SSH Port Forwarding How To
08 Jun 2011 by Misha Dragojevic
SSH can carry traffic from one machine to another inside its encrypted connection, even when the application's own protocol does not support encryption. This process is called SSH port forwarding or SSH tunnelling. There are two types of port forwarding:
- Local Port Forwarding
- Remote Port Forwarding
Local Port Forwarding
In this scenario a port is opened on the client side and the ssh process on the client listens on it. Any traffic received on that local port is encrypted by ssh and sent to the ssh process on the server. The ssh process on the server decrypts the traffic and forwards it to the host and port given on the command line. This is how it works:
ssh -L 8080:localhost:80 server.example.com
When the above command is executed on the client and the client has successfully authenticated with server.example.com, the ssh process on the client starts listening on port 8080. Any traffic the client generates for port 8080 is encrypted by the client's ssh process and sent to the ssh process on server.example.com over the established SSH connection, which protects it from outside snooping. The ssh process on the server decrypts the traffic and sends it to “localhost” port 80, i.e. port 80 on server.example.com itself, because the destination is resolved on the server.
Two things are accomplished this way. First, traffic to port 80 on server.example.com is encrypted, and second, port 80 on server.example.com does not need to be opened to the internet.
Here is another example:
ssh -L 8143:192.168.0.100:143 server.example.com
In this case any traffic sent to port 8143 on the client machine is encrypted and sent to server.example.com. The server in turn decrypts this traffic and forwards it to 192.168.0.100 port 143. This example assumes that server.example.com can reach 192.168.0.100 on port 143.
Note: If the user is logged in as a regular user on the client, only local ports with a number greater than 1024 can be opened, because port numbers less than 1024 are reserved for root. Only the client itself can send traffic to the port opened on the client side. If everyone on the client's network should be able to send traffic to the client for forwarding to the server, the following format needs to be used:
ssh -L :8080:localhost:80 server.example.com
In this example the client accepts traffic for port 8080 on all interfaces. You can also give a specific IP address to restrict the listener to one particular network, in case the client has multiple network interfaces.
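To make the mechanism concrete, here is an added example (Python, not code from the original article) that models the client side of a local forward: a small TCP relay that listens on bind_address:port and copies each connection to host:hostport, with an echo server standing in for the “port 80” service. It parses the same `[bind_address:]port:host:hostport` syntax used above, including the empty bind address meaning all interfaces, but both hops are plain loopback TCP with no encryption and no SSH server involved; the function names and the sample payload are the example's own.

```python
"""Toy model of the client side of `ssh -L [bind_address:]port:host:hostport`.

Added example, not code from the original article: the relay listens on
bind_address:port and copies each accepted connection to host:hostport, which
is what the client-side ssh process does for a local forward. In real ssh the
bytes cross the encrypted SSH channel and the server makes the final hop; here
both hops are plain loopback TCP, so the mechanism can be run without sshd.
"""
import socket
import threading


def parse_local_forward(spec):
    """Parse `[bind_address:]port:host:hostport` (IPv4 addresses or hostnames).

    No bind_address means loopback only (ssh's default with GatewayPorts unset);
    an empty bind_address or '*' means all interfaces, rendered as '0.0.0.0'.
    """
    parts = spec.split(":")
    if len(parts) == 3:
        bind_address, (port, host, hostport) = "127.0.0.1", parts
    elif len(parts) == 4:
        bind_address, port, host, hostport = parts
        if bind_address in ("", "*"):
            bind_address = "0.0.0.0"
    else:
        raise ValueError("bad -L spec: %r" % spec)
    return bind_address, int(port), host, int(hostport)


def _pump(src, dst):
    """Copy bytes src -> dst until EOF or error, then close dst's write side."""
    try:
        for data in iter(lambda: src.recv(4096), b""):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _listen(bind_address, port):
    """Open a listening TCP socket; port 0 lets the OS pick a free port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((bind_address, port))
    sock.listen(5)
    return sock


def start_relay(bind_address, port, host, hostport):
    """Accept on bind_address:port and relay each connection to host:hostport."""
    listener = _listen(bind_address, port)

    def accept_loop():
        while True:
            try:
                client, _ = listener.accept()
            except OSError:
                return  # listener was closed
            upstream = socket.create_connection((host, hostport))
            for a, b in ((client, upstream), (upstream, client)):
                threading.Thread(target=_pump, args=(a, b), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener, listener.getsockname()[1]


def start_echo_server():
    """Stand-in for the service behind the tunnel: sends every byte straight back."""
    srv = _listen("127.0.0.1", 0)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                _pump(conn, conn)  # echo: read from conn, write back to conn

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def demo_roundtrip(payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Send payload through the relay to the echo server and return the reply."""
    echo, echo_port = start_echo_server()
    relay, relay_port = start_relay("127.0.0.1", 0, "127.0.0.1", echo_port)
    try:
        with socket.create_connection(("127.0.0.1", relay_port)) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)  # end of request, like a client closing
            return c.makefile("rb").read()  # everything that came back, to EOF
    finally:
        relay.close()
        echo.close()


if __name__ == "__main__":
    print(parse_local_forward(":8080:localhost:80"))
    print(demo_roundtrip(b"hello through the tunnel"))
```

The relay binds to 127.0.0.1 in the demo, which is the same restriction the note above describes: only the local machine can reach the forwarded port. Passing "0.0.0.0" (what an empty bind address parses to) would expose it to every interface, which is why that form deserves a deliberate decision rather than a habit.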
Remote Port Forwarding
This is the opposite of the local port forwarding discussed above. In this scenario a port is opened on the server side and the ssh process on the server listens on it. Any traffic received on that port is encrypted by ssh and sent to the ssh process on the client. The ssh process on the client decrypts the traffic and forwards it to the host and port given on the command line. This is how it works:
ssh -R 8080:localhost:80 server.example.com
When the above command is executed on the client and the client has successfully authenticated with server.example.com, the ssh process on the server starts listening on port 8080. Any traffic generated on the server for port 8080 is encrypted by the server's ssh process and sent to the ssh process on the client over the established SSH connection, which protects it from outside snooping. The ssh process on the client decrypts the traffic and sends it to “localhost” port 80, i.e. port 80 on the client itself, because the destination is resolved on the client.
Two things are accomplished this way. First, traffic to port 80 on the client (the “localhost” in the command) is encrypted, and second, port 80 on the client does not need to be opened to the internet.
Here is another example:
ssh -R 8143:192.168.0.100:143 server.example.com
In this case any traffic sent to port 8143 on the server machine is encrypted and sent to the client. The client in turn decrypts this traffic and forwards it to 192.168.0.100 port 143. This example assumes that the client can reach 192.168.0.100 on port 143.
Note: If the user logs in as a regular user on the server, only remote ports with a number greater than 1024 can be opened, because port numbers less than 1024 are reserved for root. Only the server itself can send traffic to the port opened on the server side. If everyone on the server's network should be able to send traffic to the server for forwarding to the client, the following format needs to be used:
ssh -R :8080:localhost:80 server.example.com
In this example the server accepts traffic for port 8080 on all interfaces, provided the server's sshd_config sets GatewayPorts to yes or clientspecified; with the default GatewayPorts no, sshd binds remote forwards to loopback only, whatever address the client asks for. You can also give a specific IP address to restrict the listener to one particular network, in case the server has multiple network interfaces.
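Whether a `-R :8080:...` forward really listens on all interfaces is decided on the server, so the added example below (Python, not code from the original article) parses the global GatewayPorts setting out of sshd_config text and predicts where sshd will bind a given `-R` spec. The rules encode sshd_config(5) and ssh(1) as I read them (no: loopback only; yes: wildcard always; clientspecified: the client's choice, where a spec without a bind address asks for localhost); the config fragments and function names are constructed for the demonstration and should be checked against the OpenSSH version actually deployed.

```python
"""Predict where sshd will listen for `ssh -R [bind_address:]port:host:hostport`.

Added example, not code from the original article. The listening address of a
remote forward is chosen by the server through the GatewayPorts keyword in
sshd_config (default: no). The rules below follow sshd_config(5) and ssh(1) as
I read them; the sample config fragments are constructed for the demonstration.
"""

LOOPBACK = "127.0.0.1 (loopback only)"
WILDCARD = "0.0.0.0 (all interfaces)"
VALID_SETTINGS = ("no", "yes", "clientspecified")


def gateway_ports_setting(config_text):
    """Effective global GatewayPorts value from sshd_config text.

    Keywords are case-insensitive, '#' starts a comment, 'Keyword value' and
    'Keyword=value' are both accepted, the first occurrence wins, and only the
    global section counts: everything from the first Match block on is
    conditional and ignored here. Absent keyword means the default, 'no'.
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip().replace("=", " ", 1)
        parts = line.split(None, 1)
        if not parts:
            continue
        keyword = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if keyword == "match":
            break
        if keyword == "gatewayports":
            if value not in VALID_SETTINGS:
                raise ValueError("bad GatewayPorts value: %r" % value)
            return value
    return "no"


def parse_remote_forward(spec):
    """Parse `[bind_address:]port:host:hostport`; bind_address is None if absent."""
    parts = spec.split(":")
    if len(parts) == 3:
        return None, int(parts[0]), parts[1], int(parts[2])
    if len(parts) == 4:
        return parts[0], int(parts[1]), parts[2], int(parts[3])
    raise ValueError("bad -R spec: %r" % spec)


def effective_remote_bind(config_text, spec):
    """Address sshd will bind for the remote forward `spec` under this config."""
    setting = gateway_ports_setting(config_text)
    requested = parse_remote_forward(spec)[0]
    if setting == "no":
        return LOOPBACK  # a requested address is not honoured
    if setting == "yes":
        return WILDCARD  # forced wildcard, even for an explicit address
    # clientspecified: the client's choice is honoured. With no bind_address the
    # ssh client asks for "localhost", which keeps the forward loopback-only.
    if requested is None or requested == "localhost":
        return LOOPBACK
    if requested in ("", "*"):
        return WILDCARD
    return requested + " (as requested)"


# Constructed sshd_config fragments for the demonstration.
DEFAULT_CONFIG = "# stock file: GatewayPorts not set, so 'no' applies\nPort 22\n"
OPEN_CONFIG = "GatewayPorts clientspecified\n"
MATCH_ONLY_CONFIG = "Port 22\nMatch User deploy\n    GatewayPorts yes\n"

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CONFIG), ("clientspecified", OPEN_CONFIG),
                      ("match-only", MATCH_ONLY_CONFIG)):
        for spec in ("8080:localhost:80", ":8080:localhost:80"):
            print("%-16s -R %-20s -> %s" % (name, spec, effective_remote_bind(cfg, spec)))
```

Run against a copy of the real sshd_config to see what the `-R :8080:localhost:80` form above will actually do on that server. The Match-block case matters in practice: a GatewayPorts line inside a Match block applies only to the matched users or hosts, so the global answer stays "no" unless the line sits above the first Match.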