SSH (Secure Shell) port forwarding, also known as SSH tunneling, is a powerful technique that allows you to create secure channels between local and remote systems. This guide will explain the concepts and provide practical examples of SSH port forwarding.
What is SSH Port Forwarding?
SSH port forwarding creates an encrypted tunnel between your local machine and a remote server, allowing you to securely access services that might otherwise be inaccessible or insecure.
Types of SSH Port Forwarding
1. Local Port Forwarding (-L)
This is the most common type of port forwarding, where a port on your local machine is forwarded to a port on a remote server.
ssh -L local_port:destination_host:destination_port username@ssh_server
Example for MySQL access:
ssh -N -L 13306:127.0.0.1:3306 [email protected]
Key parameters explained:
-N
: Don't execute remote commands (tunnel only)-L
: Local port forwarding13306
: Local port number127.0.0.1
: Remote localhost address3306
: Remote MySQL port[email protected]
: SSH server credentials
2. Remote Port Forwarding (-R)
Allows you to forward a port from the remote server to your local machine.
ssh -R remote_port:local_host:local_port username@ssh_server
Example for sharing a local web server:
ssh -R 8080:localhost:3000 username@remote_server
3. Dynamic Port Forwarding (-D)
Creates a SOCKS proxy server that can handle multiple connections.
ssh -D local_port username@ssh_server
Example:
ssh -D 1080 username@remote_server
Common Use Cases
-
Database Access
# Access remote MySQL server securely ssh -N -L 13306:127.0.0.1:3306 username@remote_server mysql -h 127.0.0.1 -P 13306 -u user -p
-
Web Application Development
# Access remote web server locally ssh -L 8080:localhost:80 username@remote_server
-
Secure Proxy
# Create SOCKS proxy for secure browsing ssh -D 1080 username@remote_server
Best Practices
-
Use
-N
Flag
When only tunneling is needed, use the-N
flag to prevent opening a shell session:ssh -N -L 13306:127.0.0.1:3306 username@remote_server
-
Background Processing
Use-f
to run the tunnel in the background:ssh -f -N -L 13306:127.0.0.1:3306 username@remote_server
-
Compression
Enable compression with-C
for better performance with text-based protocols:ssh -C -N -L 13306:127.0.0.1:3306 username@remote_server
Troubleshooting Tips
-
Connection Refused
- Check if the target port is open and listening
- Verify firewall settings
- Ensure the service is running on the remote host
-
Permission Denied
- Verify SSH key permissions (should be 600)
- Check user permissions on both local and remote systems
-
Address Already in Use
- Check for existing tunnels using the same port
- Kill existing processes using the port:
lsof -i :port_number
Security Considerations
- Always use strong authentication methods (SSH keys preferred over passwords)
- Limit port forwarding to specific interfaces when possible
- Use
-N
flag to prevent command execution when only tunneling is needed - Regularly audit active tunnels and close unused connections
- Consider using
GatewayPorts no
in SSH server configuration
Advanced Examples
Multi-Hop Port Forwarding
ssh -L 13306:localhost:13307 user1@host1 ssh -L 13307:localhost:3306 user2@host2
Forwarding Multiple Ports
ssh -L 13306:localhost:3306 -L 15432:localhost:5432 username@remote_server
Persistent Connections
autossh -M 20000 -N -L 13306:localhost:3306 username@remote_server
Conclusion
SSH port forwarding is a versatile tool that provides secure access to remote services. By understanding these concepts and examples, you can effectively use SSH tunneling for various networking needs while maintaining security and efficiency.
Remember to always follow security best practices and properly manage your SSH connections to prevent unauthorized access to your systems.