Welcome to our guide on how to configure SSH Local Port Forwarding in Linux. In order to understand how SSH tunneling or simply put, port forwarding, works, we are going to see the example usage in this guide.<\/p>\n\n\n\n
There are three types of SSH Tunneling;<\/p>\n\n\n\n
local port forwarding<\/code>: This involves forwarding traffic on a local port on your local machine to a specific port on remote server. The local SSH client listens for a connection on a specific port and when it receives a connection, it tunnels it to SSH server which then connects to a specific destination port.<\/li>\n\n\n\nremote port forwarding<\/code>: This allows connection from a remote machine to a local server.<\/li>\n\n\n\ndynamic port forwarding<\/code>: This is a type of forwarding which allows communications to happen over a wide range of ports rather than a single port as in the case for local or remote port forwarding.<\/li>\n<\/ul>\n\n\n\nIn this tutorial, we will focus only on configuring SSH local port forwarding.<\/p>\n\n\n\n
Configure SSH Local Port Forwarding in Linux<\/h2>\n\n\n\n
Some of the typical use cases for local ssh port forwarding include;<\/p>\n\n\n\n
\n- Tunneling sessions and file transfers through jump servers<\/em><\/li>\n\n\n\n
- Connecting to a service on an internal network from the outside<\/em><\/li>\n\n\n\n
- Connecting to a remote file share over the Internet<\/em><\/li>\n<\/ul>\n\n\n\n
Local SSH port forwarding can be initiated by passing option -L<\/code><\/strong> to ssh using the syntax below;<\/p>\n\n\n\nssh -L [bind_address:]port:host:hostport jump-server<\/code><\/pre>\n\n\n\nWhere;<\/p>\n\n\n\n
\n[bind_address:]<\/code><\/strong> is an optional local system IP address to bind the local connection to.<\/li>\n\n\n\nport<\/code><\/strong>: local port to listen for connection on the local host<\/li>\n\n\n\nhost<\/code><\/strong>: remote host to forward the connections to<\/li>\n\n\n\nhostport<\/strong><\/code>: remote local port on the remote host to forward connections to.<\/li>\n\n\n\njump-server<\/code><\/strong>: is the server that basically can connect to the remote host via the specified remote local port. It can be public facing IP address of the same server running a local service to connect to remotely.<\/li>\n<\/ul>\n\n\n\nScenario 1<\/h3>\n\n\n\n
Assume that you have a VNC server started on localhost with (vncserver -localhost) on remote host, 192.168.58.92, then in order for you to remotely connect to the local VNC server on this host, you need to forward the traffic on a specific port from your host to the local VNC server port via the host IP, 192.168.58.92. In this case, the SSH on the host 192.168.58.92 should be accessible on the IP 192.168.58.92 for you to be able to forward the traffic.<\/p>\n\n\n\n
Such a command would be used;<\/p>\n\n\n\n
ssh -L 5901:localhost:5908 user@192.168.58.92<\/code><\/pre>\n\n\n\nThis command forwards all traffic to port port 5901 (on all interfaces) on your host to port 5908 on the remote localhost via the 192.168.58.92 host.<\/p>\n\n\n\n
You can also bind your host port to a specific IP;<\/p>\n\n\n\n
ssh -L 127.0.0.1:5901:localhost:5908 user@192.168.58.92<\/code><\/pre>\n\n\n\nScenario 2<\/h3>\n\n\n\n
On the remote host 192.168.58.38, we have a web server which can only be allowed to be accessed from the host 192.168.58.21.<\/p>\n\n\n\n
So, how can you be able to access the remote web service on host 192.168.58.38 on your local machine via the jump server 192.168.58.21?<\/p>\n\n\n\n
The only way is by creating a local port on your machine and forward the traffic to that port to the web server port on host 192.168.58.38 via 192.168.58.21;<\/p>\n\n\n\n
ssh -L 127.0.0.1:8080:192.168.58.38:80 kifarunix@192.168.58.21<\/code><\/pre>\n\n\n\nThe command above opens port 8080 on my local machine and forwards all traffic to this port to web service port 80 on host 192.168.58.38 via SSH on 192.168.58.21.<\/p>\n\n\n\n
\nkifarunix@192.168.58.21's password: \nLinux debian11 5.10.0-8-amd64 #1 SMP Debian 5.10.46-4 (2021-08-03) x86_64\n\nThe programs included with the Debian GNU\/Linux system are free software;\nthe exact distribution terms for each program are described in the\nindividual files in \/usr\/share\/doc\/*\/copyright.\n\nDebian GNU\/Linux comes with ABSOLUTELY NO WARRANTY, to the extent\npermitted by applicable law.\nWeb console: https:\/\/debian11:9090\/ or https:\/\/10.0.2.15:9090\/\n\nLast login: Sat Apr 2 04:03:29 2022 from 192.168.58.1\nkifarunix@debian11:~$ \n<\/code><\/pre>\n\n\n\nYou can also configure SSH session to run on background by using option -f<\/code><\/strong> and disable remote command execution, -N<\/code><\/strong>.<\/p>\n\n\n\nssh -f -N -L 127.0.0.1:8080:192.168.58.38:80 kifarunix@192.168.58.21<\/code><\/pre>\n\n\n\nOr just;<\/p>\n\n\n\n
ssh -fNL 127.0.0.1:8080:192.168.58.38:80 kifarunix@192.168.58.21<\/code><\/pre>\n\n\n\nConfirm the port is opened on my local machine;<\/p>\n\n\n\n
ss -altnp | grep :8080<\/code><\/pre>\n\n\n\nLISTEN 0 128 127.0.0.1:8080 0.0.0.0:* users:((\"ssh\",pid=343993,fd=5))<\/code><\/pre>\n\n\n\nSo if you access http:\/\/127.0.0.1:8080\/<\/code><\/strong> on your browser, you should be able to access the Web service on the remote host.<\/p>\n\n\n\nConfigure SSH Local Port Forwarding Using SSH Config File<\/h3>\n\n\n\n
With all said above, you can make your life easy by configuring SSH local port forwarding using SSH config file, either ~\/.ssh\/config<\/code><\/strong> for user specific or \/etc\/ssh\/ssh_config<\/code><\/strong> for global settings.<\/p>\n\n\n\nThe local port forwarding using SSH config file can be done using the sample configs;<\/p>\n\n\n\n
\nHost webserver\n User kifarunix\n HostName 192.168.58.21\n LocalForward 127.0.0.1:8080 192.168.58.38:80\n<\/code><\/pre>\n\n\n\nIf you have such settings, then to establish the tunnel\/local port forwarding simply run;<\/p>\n\n\n\n
ssh -fN webserver<\/code><\/pre>\n\n\n\nEnter the login credentials for SSH.<\/p>\n\n\n\n
You can confirm port opening;<\/p>\n\n\n\n
lsof -i :8080<\/code><\/pre>\n\n\n\nCOMMAND PID USER FD TYPE DEVICE SIZE\/OFF NODE NAME\nssh 404392 mibeyki 5u IPv6 27604450 0t0 TCP ip6-localhost:http-alt (LISTEN)\nssh 404392 mibeyki 6u IPv4 27604451 0t0 TCP localhost:http-alt (LISTEN)<\/code><\/pre>\n\n\n\nRead man ssh_config<\/code><\/strong> and check LocalForward<\/code><\/strong>.<\/p>\n\n\n\nAnd that is it on how to configure SSH local port forwarding.<\/p>\n\n\n\n
Read more on SSH Tunneling<\/a><\/p>\n\n\n\nOther Tutorials<\/h3>\n\n\n\n
Install and Use ClusterSSH on Ubuntu 22.04\/Ubuntu 20.04<\/a><\/p>\n\n\n\n