Configure SSH Local Port Forwarding in Linux

0
318

Welcome to our guide on how to configure SSH Local Port Forwarding in Linux. In order to understand how SSH tunneling or simply put, port forwarding, works we are going to see the example usage in this guide.

Creating SSH Public and Private Key...
Creating SSH Public and Private Key in Linux / Ubuntu

There are three types of SSH Tunneling;

  • local port forwarding: This involves forwarding traffic on a local port on your local machine to a specific port on remote server. The local SSH client listens for a connection on a specific port and when it receives a connection, it tunnels it to SSH server which then connects to a specific destination port.
  • remote port forwarding: This allows connection from a remote machine to a local server.
  • dynamic port forwarding: This is a type of forwarding which allows communications to happen over a wide range of ports rather than a single port as in the case for local or remote port forwarding.

In this tutorial, we will focus only on configuring SSH local port forwarding.

Configure SSH Local Port Forwarding in Linux

Some of the typical use cases for local ssh port forwarding include;

  • Tunneling sessions and file transfers through jump servers
  • Connecting to a service on an internal network from the outside
  • Connecting to a remote file share over the Internet

Local SSH port forwarding can be initiated by passing option -L to ssh using the syntax below;

ssh -L [bind_address:]port:host:hostport jump-server

Where;

  • [bind_address:] is an optional local system IP address to bind the local connection to.
  • port: local port to listen for connection on the local host
  • host: remote host to forward the connections to
  • hostport: remote local port on the remote host to forward connections to.
  • jump-server: is the server that basically can connect to the remote host via the specified remote local port. It can be public facing IP address of the same server running a local service to connect to remotely.

Scenario 1

Assume that you have a VNC server started on localhost with (vncserver -localhost) on remote host, 192.168.58.92, then in order for you to remotely connect to the local VNC server on this host, you need to forward the traffic on a specific port from your host to the local VNC server port via the host IP, 192.168.58.92. In this case, the SSH on the host 192.168.58.92 should be accessible on the IP 192.168.58.92 for you to be able to forward the traffic.

Such a command would be used;

ssh -L 5901:localhost:5908 [email protected]

This command forwards all traffic to port port 5901 (on all interfaces) on your host to port 5908 on the remote localhost via the 192.168.58.92 host.

You can also bind your host port to a specific IP;

ssh -L 127.0.0.1:5901:localhost:5908 [email protected]

Scenario 2

On the remote host 192.168.58.38, we have a web server which can only be allowed to be accessed from the host 192.168.58.21.

So, how can you be able to access the remote web service on host 192.168.58.38 on your local machine via the jump server 192.168.58.21?

The only way is by creating a local port on your machine and forward the traffic to that port to the web server port on host 192.168.58.38 via 192.168.58.21;

ssh -L 127.0.0.1:8080:192.168.58.38:80 [email protected]

The command above opens port 8080 on my local machine and forwards all traffic to this port to web service port 80 on host 192.168.58.38 via SSH on 192.168.58.21.

[email protected]'s password: 
Linux debian11 5.10.0-8-amd64 #1 SMP Debian 5.10.46-4 (2021-08-03) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Web console: https://debian11:9090/ or https://10.0.2.15:9090/

Last login: Sat Apr  2 04:03:29 2022 from 192.168.58.1
[email protected]:~$ 

You can also configure SSH session to run on background by using option -f and disable remote command execution, -N.

ssh -f -N -L 127.0.0.1:8080:192.168.58.38:80 [email protected]

Or just;

ssh -fNL 127.0.0.1:8080:192.168.58.38:80 [email protected]

Confirm the port is opened on my local machine;

ss -altnp | grep :8080
LISTEN    0         128              127.0.0.1:8080             0.0.0.0:*        users:(("ssh",pid=343993,fd=5))

So if you access http://127.0.0.1:8080/ on your browser, you should be able to access the Web service on the remote host.

Configure SSH Local Port Forwarding Using SSH Config File

With all said above, you can make your life easy by configuring SSH local port forwarding using SSH config file, either ~/.ssh/config for user specific or /etc/ssh/ssh_config for global settings.

The local port forwarding using SSH config file can be done using the sample configs;

Host    webserver
        User kifarunix
        HostName 192.168.58.21
        LocalForward 127.0.0.1:8080 192.168.58.38:80

If you have such settings, then to establish the tunnel/local port forwarding simply run;

ssh -fN webserver

Enter the login credentials for SSH.

You can confirm port opening;

lsof -i :8080
COMMAND    PID    USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
ssh     404392 mibeyki    5u  IPv6 27604450      0t0  TCP ip6-localhost:http-alt (LISTEN)
ssh     404392 mibeyki    6u  IPv4 27604451      0t0  TCP localhost:http-alt (LISTEN)

Read man ssh_config and check LocalForward.

And that is it on how to configure SSH local port forwarding in Linux.

Read more on SSH Tunneling

Other Tutorials

Install and Use ClusterSSH on Ubuntu 22.04/Ubuntu 20.04

Setup Secure SSH Access on Linux Servers using Teleport

LEAVE A REPLY

Please enter your comment!
Please enter your name here