SSH Tunnel Port Forwarding

Background: There is a server that can only be accessed through the SSH service port, and all other ports are inaccessible for security reasons. What should you do if you want to communicate with other ports on the server?

Using an SSH channel, you can communicate at will. The picture below is very intuitive.

Basic Command

The basic command is as follows:

1

ssh -L local_portX:hostC:hostC_portZ username@hostB

By using the SSH tunnel between your machine and hostB, access to hostC’s port Z is achieved by accessing port X on your machine. Essentially, B accesses C, then connects to your machine through the tunnel.

Optional Parameters

• -N means not to log in to SSH, only to forward ports.
• -f means to put the SSH process in the background.
• -L stands for local port forwarding, formatted as: local_port:target_host:target_port. A single command can have multiple -L parameters representing multiple rules.
• -R Reverse forwarding, but the position of local host and C need to be swapped. For example, ssh -R 8000:localhost:8080 user@ssh_server forwards port 8000 on the server to local port 8080.
• -D Traffic through a SOCKS5 proxy.

Application Scenarios

Bypassing Firewalls

As introduced in the background. A firewall prevents hostA from connecting to some ports on hostB, but hostB still has some ports open to hostA. In this case, if hostA needs to access ports on hostB that are blocked by the firewall, it can do so by SSH connection to hostB + port forwarding. Note that the so-called hostC is actually hostB.

1

ssh -L 5000:localhost:5000 root@MLB -p 4701 -N

By accessing port 5000 on your machine, you can access port 5000 on the server, even though it is blocked by the firewall.

Network Segmentation

HostB and hostC are in the same LAN, where hostB can communicate with the outside world, but hostC cannot. In this case, hostA, not in the LAN, if it wants to access hostC, can do so by SSH connection to hostB + port forwarding.

1

ssh -L 22022:10.0.2.15:22 desktop_user@192.168.1.11

The IP of hostB is 192.168.1.11, and 10.0.2.15 is a virtual machine C within B. Executing this command on hostB allows access to the virtual machine’s port 22 through local port 22022.

Accessing Non-Public Ports

HostA within a LAN can access the public network but does not have a public IP; hostB in the public network cannot find A, but opens access to various ports for A (A can connect to B directly, but not vice versa). In this case, if A wants B to access itself, it can do so by SSH connection to hostB + port forwarding. Note that the so-called hostC is actually hostA.

See the -R parameter description.

Dynamic Port Forwarding

Generally used as a proxy, it serves to create a SOCKS proxy server on a local computer. The SOCKS proxy server created by the -D parameter can forward network traffic from the local computer through an SSH tunnel to a remote server, thereby enabling applications on the local computer to access the internet via the remote server. The syntax for the -D parameter is as follows:

1

ssh -D [bind_address:]port user@ssh_server

Here, bind_address denotes the IP address to bind to, which can be omitted; port refers to the port number that the SOCKS proxy server listens on. This command will launch a SOCKS proxy server on the local computer and bind it to the specified port. For instance, if you want to create a SOCKS proxy server on your local computer to forward all network traffic via a remote server to the internet, you can use the following command:

1

ssh -D 1080 user@ssh_server

After executing this command, you can set the proxy settings of applications (e.g., browsers) on your local computer to 127.0.0.1:1080, thereby forwarding all network traffic through the SSH tunnel to the remote server, and accessing the internet from the remote server. Please note, to ensure data security, it is recommended to use an encrypted SSH connection for the SOCKS proxy.

Reference Article

Reference Article