SSH Tunnel Port Forwarding
Background: there is a server on which only the SSH service port is reachable; its other ports are closed off for security reasons. What can you do if you need to talk to one of those other ports?
With an SSH tunnel you can reach them freely. The diagram below shows the idea.
1 Basic Command
The basic command is as follows:
ssh -L X:hostC:Z user@hostB
This opens an SSH tunnel between your machine and hostB; connecting to port X on your machine reaches port Z on hostC. In effect, hostB connects to hostC and relays that connection back to your machine through the tunnel.
2 Optional Parameters
-N: do not log in or run a remote shell, only forward ports.
-f: put the SSH process in the background.
-L: local port forwarding, written as local_port:target_host:target_port. A single command may carry several -L parameters, one per forwarding rule.
-R: reverse (remote) forwarding; the roles of the local host and host C are swapped. For example, ssh -R 8000:localhost:8080 user@ssh_server forwards the server's port 8000 to the local port 8080.
-D: dynamic forwarding, which turns the connection into a SOCKS5 proxy for traffic.
3 Application Scenarios
3.1 Bypassing Firewalls
Background: the firewall blocks some port connections from host A to host B, but host B still has some ports open to host A. If host A needs a port on host B that the firewall blocks, it can reach it by connecting to host B over SSH with port forwarding. Note that in this case the so-called host C is host B itself.
ssh -L 5000:localhost:5000 user@hostB
Connecting to port 5000 on your machine reaches port 5000 on the server, which the firewall otherwise blocks.
3.2 Network Partitioning
Host B and host C are on the same internal network, with host B able to communicate with the outside world while host C cannot. If an external host A wants to access host C, it can do so by connecting to host B via SSH + port forwarding.
ssh -L 22022:10.0.2.15:22 user@192.168.1.11
Host B's IP is 192.168.1.11, and 10.0.2.15 is a virtual machine C inside B. This command connects to host B and makes the virtual machine's port 22 reachable through the local port 22022.
3.3 Accessing Non-Public Network Ports
Host A on an internal network can reach the public network but has no public IP; host B on the public network cannot reach A, but A can connect to B's ports (A can connect to B directly, but not the other way round). If A wants B to be able to reach it, it can connect to host B over SSH with reverse port forwarding. Note that in this case the so-called host C is host A itself. See the description of the -R parameter above.
3.4 Dynamic Port Forwarding
Generally used as a proxy: it creates a SOCKS proxy server on the local computer. The SOCKS proxy created with the -D parameter forwards the local computer's network traffic through the SSH tunnel to the remote server, so applications on the local computer reach the internet via the remote server. The syntax of the -D parameter is as follows:
-D [bind_address:]port
Here bind_address is the IP address to bind to and may be omitted; port is the port the SOCKS proxy server listens on. The command starts a SOCKS proxy server on the local computer bound to the given port.
For example, to create a SOCKS proxy server on the local computer that forwards all network traffic through the remote server to the internet, you can use the following command:
ssh -D 1080 user@remote_server
After running this command, point the proxy settings of applications (such as browsers) on the local computer at 127.0.0.1:1080; all their network traffic then passes through the SSH tunnel to the remote server and reaches the internet from there. Note that the data is protected by the SSH connection's encryption only between the local computer and the remote server; traffic leaving the remote server for the internet is not covered by the tunnel.
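The following helper script is an added example, not code from the original post. It ties together the basic -L command, the -N/-f/-R/-D parameters from section 2 and the -D proxy from section 3.4: it validates a forwarding spec, builds the ssh command line, warns when the listener would be bound beyond loopback, and checks the local port after starting. The function names, user names and sample hosts are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): build the "ssh -N -f" command for the
# -L / -R / -D cases above, validate the forwarding spec, warn when the listener
# would be exposed beyond loopback, and check the local port after starting.
# Function names, sample hosts and user names here are assumptions.

# forward_cmd MODE SPEC USER@HOST  ->  prints the ssh command line, or returns 1.
#   MODE: L (local), R (reverse) or D (dynamic SOCKS)
#   SPEC: [bind_address:]local_port:target_host:target_port for L/R,
#         [bind_address:]port for D (bracketed IPv6 bind addresses not handled).
forward_cmd() {
  mode=$1 spec=$2 target=$3
  case "$mode" in
    L|R) printf '%s\n' "$spec" | grep -Eq '^([^:]+:)?[0-9]+:[^:]+:[0-9]+$' || return 1 ;;
    D)   printf '%s\n' "$spec" | grep -Eq '^([^:]+:)?[0-9]+$' || return 1 ;;
    *)   return 1 ;;
  esac
  # -N: no remote shell, forwarding only; -f: background after authentication.
  # ExitOnForwardFailure=yes makes the backgrounded ssh exit instead of lingering
  # silently when the requested port cannot be bound (e.g. already in use).
  printf 'ssh -N -f -o ExitOnForwardFailure=yes -%s %s %s\n' "$mode" "$spec" "$target"
}

# local_only SPEC: 0 if the listener stays on loopback. With no bind address ssh
# binds -L/-D listeners to 127.0.0.1; an empty address, "*" or 0.0.0.0 (or the -g
# flag) exposes the tunnel to every host that can reach this machine. For -R the
# address applies on the server and is subject to its GatewayPorts setting.
local_only() {
  first=${1%%:*}                      # bind address, or the port if none given
  case "$first" in
    ''|'*')   return 1 ;;
    *[!0-9]*) case "$first" in 127.*|localhost) return 0 ;; *) return 1 ;; esac ;;
    *)        return 0 ;;
  esac
}

# local_port SPEC: the port ssh will listen on locally (first numeric field).
local_port() {
  printf '%s\n' "$1" | sed -E 's/^([^:]+:)?([0-9]+)(:[^:]+:[0-9]+)?$/\2/'
}

# tunnel_up MODE SPEC USER@HOST: start the tunnel and, for -L/-D, confirm the
# local port is listening (uses ss from iproute2).
tunnel_up() {
  cmd=$(forward_cmd "$1" "$2" "$3") || { echo "bad spec: $2" >&2; return 1; }
  local_only "$2" || echo "warning: listener reachable from other hosts" >&2
  $cmd || return 1
  [ "$1" = R ] || ss -ltn | grep -q ":$(local_port "$2") "
}
```

For the firewall scenario above you would call tunnel_up L 5000:localhost:5000 user@hostB; for the SOCKS proxy, tunnel_up D 1080 user@remote_server.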