Configure SSH Local Port Forwarding in Linux

Last Updated:

Welcome to our guide on how to configure SSH Local Port Forwarding in Linux. In order to understand how SSH tunneling or simply put, port forwarding, works, we are going to see the example usage in this guide.

There are three types of SSH Tunneling;

  • local port forwarding: This involves forwarding traffic on a local port on your local machine to a specific port on remote server. The local SSH client listens for a connection on a specific port and when it receives a connection, it tunnels it to SSH server which then connects to a specific destination port.
  • remote port forwarding: This allows connection from a remote machine to a local server.
  • dynamic port forwarding: This is a type of forwarding which allows communications to happen over a wide range of ports rather than a single port as in the case for local or remote port forwarding.

In this tutorial, we will focus only on configuring SSH local port forwarding.

Configure SSH Local Port Forwarding in Linux

Some of the typical use cases for local ssh port forwarding include;

  • Tunneling sessions and file transfers through jump servers
  • Connecting to a service on an internal network from the outside
  • Connecting to a remote file share over the Internet

Local SSH port forwarding can be initiated by passing option -L to ssh using the syntax below;

ssh -L [bind_address:]port:host:hostport jump-server


  • [bind_address:] is an optional local system IP address to bind the local connection to.
  • port: local port to listen for connection on the local host
  • host: remote host to forward the connections to
  • hostport: remote local port on the remote host to forward connections to.
  • jump-server: is the server that basically can connect to the remote host via the specified remote local port. It can be public facing IP address of the same server running a local service to connect to remotely.

Scenario 1

Assume that you have a VNC server started on localhost with (vncserver -localhost) on remote host,, then in order for you to remotely connect to the local VNC server on this host, you need to forward the traffic on a specific port from your host to the local VNC server port via the host IP, In this case, the SSH on the host should be accessible on the IP for you to be able to forward the traffic.

Such a command would be used;

ssh -L 5901:localhost:5908 [email protected]

This command forwards all traffic to port port 5901 (on all interfaces) on your host to port 5908 on the remote localhost via the host.

You can also bind your host port to a specific IP;

ssh -L [email protected]

Scenario 2

On the remote host, we have a web server which can only be allowed to be accessed from the host

So, how can you be able to access the remote web service on host on your local machine via the jump server

The only way is by creating a local port on your machine and forward the traffic to that port to the web server port on host via;

ssh -L [email protected]

The command above opens port 8080 on my local machine and forwards all traffic to this port to web service port 80 on host via SSH on

[email protected]'s password: 
Linux debian11 5.10.0-8-amd64 #1 SMP Debian 5.10.46-4 (2021-08-03) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Web console: https://debian11:9090/ or

Last login: Sat Apr  2 04:03:29 2022 from

You can also configure SSH session to run on background by using option -f and disable remote command execution, -N.

ssh -f -N -L [email protected]

Or just;

ssh -fNL [email protected]

Confirm the port is opened on my local machine;

ss -altnp | grep :8080
LISTEN    0         128       *        users:(("ssh",pid=343993,fd=5))

So if you access on your browser, you should be able to access the Web service on the remote host.

Configure SSH Local Port Forwarding Using SSH Config File

With all said above, you can make your life easy by configuring SSH local port forwarding using SSH config file, either ~/.ssh/config for user specific or /etc/ssh/ssh_config for global settings.

The local port forwarding using SSH config file can be done using the sample configs;

Host    webserver
        User kifarunix

If you have such settings, then to establish the tunnel/local port forwarding simply run;

ssh -fN webserver

Enter the login credentials for SSH.

You can confirm port opening;

lsof -i :8080
ssh     404392 mibeyki    5u  IPv6 27604450      0t0  TCP ip6-localhost:http-alt (LISTEN)
ssh     404392 mibeyki    6u  IPv4 27604451      0t0  TCP localhost:http-alt (LISTEN)

Read man ssh_config and check LocalForward.

And that is it on how to configure SSH local port forwarding.

Read more on SSH Tunneling

Other Tutorials

Install and Use ClusterSSH on Ubuntu 22.04/Ubuntu 20.04

Setup Secure SSH Access on Linux Servers using Teleport


We're passionate about sharing our knowledge and experiences with you through our blog. If you appreciate our efforts, consider buying us a virtual coffee. Your support keeps us motivated and enables us to continually improve, ensuring that we can provide you with the best content possible. Thank you for being a coffee-fueled champion of our work!

Photo of author
I am the Co-founder of, Linux and the whole FOSS enthusiast, Linux System Admin and a Blue Teamer who loves to share technological tips and hacks with others as a way of sharing knowledge as: "In vain have you acquired knowledge if you have not imparted it to others".

Leave a Comment