Configure SSH Local Port Forwarding in Linux


Welcome to our guide on how to configure SSH local port forwarding in Linux. To show how SSH tunneling (simply put, port forwarding) works, this guide walks through example usage.

There are three types of SSH tunneling:

  • local port forwarding: forwards traffic sent to a port on your local machine to a specific port on a remote server. The local SSH client listens on the chosen port and, when it receives a connection, tunnels it to the SSH server, which then connects to the destination host and port.
  • remote port forwarding: allows a connection made to a port on the remote SSH server to be forwarded to a service reachable from your local machine.
  • dynamic port forwarding: turns the SSH client into a SOCKS proxy, so connections to many different destinations and ports can be sent through one tunnel rather than the single fixed destination used by local or remote forwarding.

In this tutorial, we will focus only on configuring SSH local port forwarding.

Configure SSH Local Port Forwarding in Linux

Typical use cases for local SSH port forwarding include:

  • Tunneling sessions and file transfers through jump servers
  • Connecting to a service on an internal network from the outside
  • Connecting to a remote file share over the Internet

Local SSH port forwarding is initiated by passing the option -L to ssh, using the syntax below:

ssh -L [bind_address:]port:host:hostport jump-server

Where:

  • [bind_address:] is an optional local IP address to bind the listening port to (for example 127.0.0.1 to keep it reachable from your machine only).
  • port: the local port on which the SSH client listens for connections.
  • host: the destination host to forward the connections to, as seen from the jump server (localhost here means the jump server itself).
  • hostport: the port on the destination host to forward connections to.
  • jump-server: the SSH server that can reach the destination host on the given port. It can be the public-facing IP address of the same server that runs the local service you want to reach remotely.

Scenario 1

Assume that a VNC server has been started on the remote host 192.168.58.92 with the -localhost option (vncserver -localhost), so it listens on that host's loopback interface only. To connect to it remotely, you forward a port on your host to the VNC server's port on the remote loopback, via the host IP 192.168.58.92. For this to work, SSH on 192.168.58.92 must be reachable on that IP.

The command would be (replace <user> with your login on the remote host):

ssh -L 5901:localhost:5908 <user>@192.168.58.92

This command forwards all traffic sent to port 5901 on your host to port 5908 on the remote host's loopback interface, via 192.168.58.92. When no bind address is given, OpenSSH binds the local port according to the client's GatewayPorts setting, which defaults to no, so the listener normally sits on the loopback address only; confirm with ss which address it is bound to rather than assuming, and bind it explicitly (next command) when you need a particular address.

You can also bind your host port to a specific IP:

ssh -L 127.0.0.1:5901:localhost:5908 <user>@192.168.58.92

Scenario 2

On the remote host 192.168.58.38, we have a web server that is reachable only from the host 192.168.58.21.

So, how can you reach the web service on 192.168.58.38 from your local machine, via the jump server 192.168.58.21?

The way to do it is to open a local port on your machine and forward the traffic sent to that port to the web server port on 192.168.58.38, via 192.168.58.21:

ssh -L 127.0.0.1:8080:192.168.58.38:80 kifarunix@192.168.58.21

The command above opens port 8080 on the loopback address of my local machine and forwards all traffic sent to it to the web service port 80 on 192.168.58.38, via SSH on 192.168.58.21.

kifarunix@192.168.58.21's password: 
Linux debian11 5.10.0-8-amd64 #1 SMP Debian 5.10.46-4 (2021-08-03) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Web console: https://debian11:9090/ or https://10.0.2.15:9090/

Last login: Sat Apr  2 04:03:29 2022 from 192.168.58.1
kifarunix@debian11:~$ 

You can also send the SSH session to the background with the option -f, and disable remote command execution with -N, which is what you want when the session exists only to carry the tunnel:

ssh -f -N -L 127.0.0.1:8080:192.168.58.38:80 kifarunix@192.168.58.21

Or just:

ssh -fNL 127.0.0.1:8080:192.168.58.38:80 kifarunix@192.168.58.21

Confirm that the port is listening on your local machine; the Local Address column shows that it is bound to 127.0.0.1, so only local processes can use the tunnel:

ss -altnp | grep :8080
LISTEN    0         128              127.0.0.1:8080             0.0.0.0:*        users:(("ssh",pid=343993,fd=5))

So if you open http://127.0.0.1:8080/ in your browser, you should reach the web service on the remote host.
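The check above is worth automating: a local forward bound to a non-loopback address is reachable from other hosts on the network, which is usually not what you intended. The following is an added example (not from the original post) that scans ss -altnp output for ssh client listeners whose local address is not loopback; the sample output is constructed to resemble the listing above, and the function name is our own.

```shell
#!/bin/sh
# Added example: audit `ss -altnp` output for ssh client listeners (local
# forwards) bound to something other than loopback, i.e. reachable from other
# hosts. The sample output below is constructed for this example.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    127.0.0.1:8080     0.0.0.0:*       users:(("ssh",pid=343993,fd=5))
LISTEN 0      128    [::1]:8080         [::]:*          users:(("ssh",pid=343993,fd=6))
LISTEN 0      128    0.0.0.0:5901       0.0.0.0:*       users:(("ssh",pid=343994,fd=5))
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*       users:(("sshd",pid=812,fd=3))'

# exposed_ssh_forwards SS_OUTPUT
# Prints the Local Address:Port of every LISTEN socket owned by the ssh client
# whose address is not a loopback address. sshd and other daemons are ignored.
exposed_ssh_forwards() {
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" && $NF ~ /\("ssh",/ {
            addr = $4
            sub(/:[0-9*]+$/, "", addr)   # drop the port
            gsub(/\[|\]/, "", addr)      # drop IPv6 brackets
            if (addr !~ /^127\./ && addr != "::1")
                print $4
        }'
}

# On a live system run: exposed_ssh_forwards "$(ss -altnp)"
exposed_ssh_forwards "$SAMPLE_SS"   # prints 0.0.0.0:5901
```

Anything the function prints is a forward that other hosts can connect to; rebind it with an explicit 127.0.0.1 bind address unless that exposure is deliberate.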

Configure SSH Local Port Forwarding Using SSH Config File

With all that said, you can make your life easier by defining the local port forwarding in the SSH config file, either ~/.ssh/config for user-specific settings or /etc/ssh/ssh_config for global settings.

The forwarding from Scenario 2 looks like this in the config file (the LocalForward value is the listen address and port, then the destination host and port):

Host    webserver
        User kifarunix
        HostName 192.168.58.21
        LocalForward 127.0.0.1:8080 192.168.58.38:80

With these settings in place, establish the tunnel by simply running:

ssh -fN webserver

Enter the SSH login credentials when prompted.

You can confirm that the port is open:

lsof -i :8080
COMMAND    PID    USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
ssh     404392 mibeyki    5u  IPv6 27604450      0t0  TCP ip6-localhost:http-alt (LISTEN)
ssh     404392 mibeyki    6u  IPv4 27604451      0t0  TCP localhost:http-alt (LISTEN)

See the LocalForward entry in man ssh_config for details.

And that is it on how to configure SSH local port forwarding.

koromicha
I am the Co-founder of Kifarunix.com, Linux and the whole FOSS enthusiast, Linux System Admin and a Blue Teamer who loves to share technological tips and hacks with others as a way of sharing knowledge as: "In vain have you acquired knowledge if you have not imparted it to others".