SSH Port Forwarding is a powerful feature provided by SSH that allows secure forwarding of network traffic through encrypted SSH connections. It can forward local or remote port traffic to target hosts through SSH tunnels.
Three Port Forwarding Modes
1. Local Port Forwarding
Forwards local port traffic to a target accessible by the remote server.
```bash
# Syntax
ssh -L [local_address:]local_port:target_address:target_port user@remote_server

# Example: Access MySQL on remote server
ssh -L 3306:localhost:3306 user@remote-server

# Example: Access internal service through jump server
ssh -L 8080:internal-server:80 jump-server
```
Use Cases:
- Access databases on remote servers
- Access internal network services through jump servers
- Local development testing of remote services
2. Remote Port Forwarding
Forwards remote server port traffic to a target accessible by the local machine.
```bash
# Syntax
ssh -R [remote_address:]remote_port:target_address:target_port user@remote_server

# Example: Let remote server access local development server
ssh -R 8080:localhost:3000 user@remote-server

# Example: Remote access to local database
ssh -R 3306:localhost:3306 user@remote-server
```
Use Cases:
- NAT traversal ("intranet penetration"): allowing external access to local services
- Remote debugging of local applications
- Accessing local resources from remote servers
3. Dynamic Port Forwarding
Creates a SOCKS proxy that supports dynamic forwarding to multiple targets.
```bash
# Syntax
ssh -D local_port user@remote_server

# Example: Create SOCKS proxy
ssh -D 1080 user@remote-server
```
Use Cases:
- Browser proxy access to internal network resources
- Unified proxy for multiple target services
- Bypass network restrictions
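The `-L` and `-R` syntax above accepts an optional bind address in front of the listening port, and that field decides whether the tunnel entry point is reachable only from the machine that opened it or from any host on the network. The following POSIX sh helper is an added example, not code from the original article: it splits a `[bind:]listen_port:target_host:target_port` spec, validates the ports, and reports an exposed listener when the bind address is empty, `*`, or a non-loopback address. The function names are hypothetical, and bracketed IPv6 bind addresses are deliberately out of scope.

```shell
#!/bin/sh
# Added example, not part of the original article: check an ssh -L / -R
# forwarding spec before using it and flag listeners that would be reachable
# from other hosts. Function names here are hypothetical.

# bind_is_local ADDR: 0 when ADDR keeps the listener on loopback only.
# ssh treats an empty bind address and '*' as "all interfaces"; the
# placeholder "(default)" stands for an omitted bind address, which follows
# the client's GatewayPorts setting (loopback unless changed or -g is used).
bind_is_local() {
    case "$1" in
        '(default)'|localhost|127.0.0.1|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# valid_port N: 0 for an integer in 1..65535, 1 otherwise.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# check_forward_spec "[bind:]listen_port:target_host:target_port"
# Prints a one-line verdict. Exit status: 0 loopback only, 1 malformed,
# 2 listener exposed beyond loopback. Bracketed IPv6 bind addresses are not
# handled (their colons would break the field split).
check_forward_spec() {
    spec="$1"
    colons=$(printf '%s' "$spec" | tr -cd ':')
    case ${#colons} in
        2) spec="(default):$spec" ;;
        3) ;;
        *) echo "malformed: $spec"; return 1 ;;
    esac
    IFS=: read -r bind lport thost tport <<EOF
$spec
EOF
    bind=${bind:-*}       # empty bind address means all interfaces
    if ! valid_port "$lport" || ! valid_port "$tport" || [ -z "$thost" ]; then
        echo "malformed: $1"; return 1
    fi
    if bind_is_local "$bind"; then
        echo "ok: $bind:$lport -> $thost:$tport (loopback only)"; return 0
    fi
    echo "exposed: $bind:$lport is reachable from other hosts -> $thost:$tport"; return 2
}

# Stand-alone demo (the last three specs are intentionally exposed or malformed).
for s in "3306:localhost:3306" "127.0.0.1:3307:dev-db.internal:3306" \
         "0.0.0.0:8080:internal-server:80" ":1080:db:5432" "8080:web"; do
    check_forward_spec "$s" || :
done
```

A wrapper script can run `check_forward_spec` on each spec and refuse to start `ssh` when it returns 2, which catches the common mistake of copying a `0.0.0.0:` prefix from a container recipe into a tunnel that was meant to stay on loopback.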
Advanced Configuration
Persistent Connections
```bash
# Use autossh to maintain connection
autossh -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -L 8080:remote:80 user@server

# Or set in SSH configuration
ServerAliveInterval 60
ServerAliveCountMax 3
```
SSH Configuration File
```bash
# ~/.ssh/config
Host tunnel
    HostName remote-server.com
    User username
    LocalForward 8080 localhost:80
    RemoteForward 9000 localhost:3000
    DynamicForward 1080
```
Background Running
```bash
# Run port forwarding in background
ssh -f -N -L 8080:remote:80 user@server
# -f: Run in background
# -N: Do not execute remote command
```
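A tunnel started with `-f -N` keeps running after the terminal that launched it is gone, so it is easy to lose track of which forwards are still open. The following POSIX sh functions are an added example, not part of the original article: they read the output of `ss -tlnp` (the `users:(("ssh",pid=...))` column is the real `ss` format), list every listening socket owned by an `ssh` client process, and separate the ones bound beyond loopback. The sample `ss` lines are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original article: inventory the listening
# sockets opened by background ssh port forwards from `ss -tlnp` output and
# flag entry points bound beyond loopback. Sample lines are constructed;
# function names are hypothetical.

# Constructed `ss -tlnp` output: two loopback forwards from one ssh
# process, one forward bound to all interfaces, plus sshd and an unrelated
# node listener that must not be reported.
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:8080      0.0.0.0:*         users:(("ssh",pid=4242,fd=5))
LISTEN 0      128    127.0.0.1:1080      0.0.0.0:*         users:(("ssh",pid=4242,fd=6))
LISTEN 0      128    0.0.0.0:3307        0.0.0.0:*         users:(("ssh",pid=4343,fd=5))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=700,fd=3))
LISTEN 0      511    127.0.0.1:3000      0.0.0.0:*         users:(("node",pid=900,fd=20))'

# ssh_listeners: read `ss -tlnp` output on stdin and print "pid addr:port"
# for every listener owned by an ssh client process (sshd is excluded
# because its process name is not exactly "ssh").
ssh_listeners() {
    awk '$6 ~ /\("ssh",/ {
        match($6, /pid=[0-9]+/)
        print substr($6, RSTART + 4, RLENGTH - 4), $4
    }'
}

# exposed_ssh_listeners: same, keeping only entries not bound to loopback.
exposed_ssh_listeners() {
    ssh_listeners | awk '{
        addr = $2
        sub(/:[0-9]+$/, "", addr)          # strip the port, keep the address
        if (addr != "127.0.0.1" && addr != "[::1]") print
    }'
}

# Stand-alone demo on the constructed sample. On a real host:
#   ss -tlnp | ssh_listeners
echo "ssh forwards:";     printf '%s\n' "$SS_SAMPLE" | ssh_listeners
echo "exposed forwards:"; printf '%s\n' "$SS_SAMPLE" | exposed_ssh_listeners
```

The pid column lets you pair each stale entry with the `ssh -f -N` process that owns it and stop that process once the forward is no longer needed, which is the "clean up unused forwarding rules" step from the security checklist made concrete.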
Security Considerations
- **Access Control:**
  - Use `GatewayPorts no` to restrict to local access only
  - Configure firewall rules to restrict forwarded ports
  - Use `AllowTcpForwarding` to control forwarding permissions
- **Connection Security:**
  - Use strong encryption algorithms
  - Regularly rotate SSH keys
  - Monitor abnormal connection behavior
- **Resource Management:**
  - Set connection timeouts
  - Limit concurrent connections
  - Regularly clean up unused forwarding rules
Practical Use Cases
Development Environment Access
```bash
# Access development database through jump server
ssh -L 3307:dev-db.internal:3306 jump-server

# Then connect locally
mysql -h 127.0.0.1 -P 3307 -u user -p
```
Internal Service Debugging
```bash
# Expose local development server to remote team
ssh -R 8080:localhost:3000 remote-server

# Team members access via http://remote-server:8080
```
Secure Browsing
```bash
# Create SOCKS proxy
ssh -D 1080 corporate-server

# Configure browser SOCKS5 proxy to 127.0.0.1:1080
```
SSH port forwarding is an essential skill for network engineers and developers, capable of securely solving complex network access requirements.