Introduction

SSH port forwarding is often referred to as SSH tunneling, and the two terms are used interchangeably.

The encrypted SSH ‘tunnel’ serves as a vessel to transfer assorted data and deliver it safely to the remote system. This method is regularly used to circumvent standard firewall security protocols. Port-forwarding is a component of most SSH client and server programs.

Find out how to use OpenSSH for Linux, and the Windows PuTTY client to enable local, remote, or dynamic SSH port forwarding.

SSH Port Forwarding used to securly access remote machines.

Prerequisites

  • An SSH client/server of your choice (OpenSSH or PuTTY)
  • A reachable IP address or name of the remote/local server

How to Use Local Port Forwarding

Valuable network resources do not generally allow remote SSH access. This would be a severe limitation in a modern distributed environment. Organizations usually solve this issue by setting up an intermediary SSH ‘jump’ server to accept remote SSH connections.

Your local SSH client establishes a connection with the remote SSH server. The connection is then forwarded to a resource within the trusted internal network. SSH connections are established, and security efforts can concentrate on the intermediary SSH server rather than individual resources in a network.

Local Port Forwarding with OpenSSH

To use SSH tunneling in Linux, you need to provide your client with the source and destination port numbers, as well as the location of the destination server. The location can either be an IP address or a hostname.

The basic syntax for a local port forward command is straightforward:

ssh -L local_port:destination_server_ip:remote_port ssh_server_hostname

⦁    ssh – Starts the SSH client program on the local machine and establishes a secure connection to the remote SSH server.

⦁    -L local_port:destination_server_ip:remote_port – The local port on the local client is being forwarded to the port of the destination remote server.

⦁    ssh_server_hostname – This element of the syntax represents the hostname or IP address of the remote SSH server.

A practical example of an SSH port forwarding command would take the following form:

ssh –L 5901:188.17.0.5:4492 pnap@ssh.server.com

In the example above, all traffic sent to port 5901 on your local host is being forwarded to port 4492 on the remote server located at 188.17.0.5.

Local Port Forwarding with PuTTY

PuTTY is a user-friendly SSH client for Windows. Configure local SSH tunneling by following these steps:

  1. When you start the PuTTY application, the Sessions screen allows you to enter the hostname or IP address and port number of the destination SSH server (Example: pnap@ssh.server.com and port number 22).

Add hostname of the SSH server you want to access remotley.

  1. Use the Category list on the left to navigate to Connection > SSH > Tunnels.
  2. Select Local to define the type of SSH port forward.

Steps to complete in order to set up SSH tunnelling in PuTTY.

  1. Enter your local port number in the Source port field.
  2. Type the destination address and port number in the Destination field. Use the following format: destination_server_ip:remote_port.
    (e.g., Source port: 5901, Destination: 188.17.0.5:4492)
  3. Once you verify that the information you entered is correct, select Add.
  4. The parameters for the connection are now all set. The Open option initiates the local SSH port-forward.

How to Use Remote Port Forwarding

The purpose of remote forwarding is to allow a remote server to access resources on your local machine. Remote forwarding represents an inversion of the local forwarding process we explored previously.

Remote Port Forwarding with OpenSSH

The basic syntax for a remote port forward command is as follows:

ssh -R remote_port:localhost:local_port ssh_server_hostname

In this example, we have instructed the remote server ssh.server.com to forward any connections directed at port 8080 to the local resource listening on port 5534.

ssh –R 8080:localhost:5534 pnap@ssh.server.com

Users with access to the SSH server are now able to access resources on your local machine.

Remote Port Forwarding with PuTTY

  1. Start the PuTTY application. The initial Sessions screen allows you to specify the IP address and port number of the destination SSH server.

Add hostname of the SSH server for the remote ssh tunneling session.

  1. Use the Category list on the left to navigate to Connection > SSH > Tunnels.
  2. Select Remote to define the type of SSH port forward.

Steps you need to take to establish a remote SSH tunneling connection.

  1. Enter the remote port number in the Source port field (e.g., 8080).
  2. Type the destination address and port number in the Destination field using the following format localhost:local_port (e.g., localhost:5534).
  3. Once you verify that the information you entered is correct, click Add.
  4. Select Open to establish a remote SSH port-forward.

In the example above, users and applications can connect to port 8080 on the remote SSH server and then access the local machine using port 5534.

How To Use Dynamic Port Forwarding

Dynamic port forwarding is not as well-known as the previous two options. Most users find it easier to use local port forwarding to achieve similar results. Dynamic port forwarding can provide more flexibility as you no longer need to use a predefined remote port and server.


Note: When using dynamic port forwarding, it’s necessary to configure individual programs to use the SOCKS proxy server.


Dynamic Port Forwarding with OpenSSH

By using the ssh command and the –D argument, you can use your SSH client to create a SOCKS proxy on your local machine.:

ssh –D local_port ssh_server_hostname

The following command opens a SOCKS proxy at port 5534 on your local machine:

ssh –D 5534 pnap@ssh.server.com

You are now able to configure a local resource, like a browser, to use port 5534. All traffic originating from that resource is directed through the SSH connections established for the defined port.

Dynamic Port Forwarding with PuTTY

  1. Enter the hostname or IP address and port number of the destination SSH server on the main PuTTY Sessions screen.

Add hostname of the SSH server for dynamic port forwarding.

  1. Use the Category list to navigate to Connection > SSH > Tunnels.
  2. Select Dynamic to define the type of SSH port forward.

Where to find the options to establish dynamic port forwarding.

  1. Enter the dynamic port number in the Source port field (e.g., 5534). The SOCKS proxy server on your local machine is going to use this port to dynamically forward traffic.
  2. Once you are sure that the information you entered is correct, click Add.
  3. The parameters for the connection are now all set. Select the Open option to start dynamic SSH port-forwarding.

For dynamic forwarding to work, you would need to configure and enable each application for the SOCKS proxy server.

Conclusion

This tutorial presented three different types of SSH port forwarding, the commands you need to use, and how to implement them on your system.

SSH port forwarding is a powerful feature, and it needs to be carefully administered. High-security standards should be maintained throughout the entire process.


Next you should also read