SSH port-forwarding [SSH tunneling]

In this article, we will go through three different types of SSH port forwarding: local, remote, and dynamic. You can use whichever forwarding method suits your scenario.

Updated: 13 Mar, 23 by Susith Nonis 10 Min


SSH tunnelling, or SSH port forwarding, creates an encrypted SSH connection between the client and the server through which the relayed ports are carried. It is useful when you want to transport network data of a service that uses an unencrypted protocol such as FTP, or to bypass intermediate firewalls. In short, you can forward any TCP port and tunnel its traffic over a secured connection.

Today, most companies want to make sure their data transfer is safe, and they use SSH port forwarding for it. You can use any of the three SSH port forwarding methods.

  • Local Port Forwarding - forwards a connection from the client host to the SSH server host, which then passes the traffic on to the destination host port.
  • Remote Port Forwarding - forwards a port from the server host to the client host, which then passes the traffic on to the specified destination host port.
  • Dynamic Port Forwarding - creates a SOCKS proxy server that allows communication across a wide range of ports.

In this article, we will be focusing on various ways to ensure SSH port forwarding or SSH tunnelling. Apart from this, you will learn how to set up encrypted SSH tunnels. 

With local port forwarding, you forward a port on the local host (the client machine) to a port on the remote host (the server machine), which is then forwarded to a port on the destination machine.

In local forwarding, the client machine listens on a specified port and establishes a tunnel from that port to the SSH server. The server then connects to the given port on the destination machine. The destination can be the remote server itself or another machine. You can use local port forwarding to connect to a remote machine on an internal network, such as a VPS machine.

Using command-line

If you work on Linux, Unix, or macOS machines, you can create a local port forward with a command of the following form.

ssh -L [LOCAL_IP:]LOCAL_PORT:DESTINATION:DESTINATION_PORT [USER@]SSH_SERVER

where,

  • [LOCAL_IP:]LOCAL_PORT specifies the local machine’s IP address and port number. If you omit LOCAL_IP, the ssh client binds to localhost. Choose a port number above 1024, because the ports below that are privileged and can only be used by the root user.
  • DESTINATION:DESTINATION_PORT specifies the destination machine’s IP address or hostname and its port.
  • [USER@]SSH_SERVER specifies the remote SSH user and the server’s IP address. If the SSH server listens on a port other than 22, you need to specify it with the -p option.

Example 

Suppose a MySQL database server runs on the machine db002.host on a private network, listens on port 3305, and is accessible from the machine pub002.host. To connect to the database server from a MySQL client on your local machine, forward the connection with the following command.

ssh -L 3336:db002.host:3305 user@pub002.host

After running the command above, you will be asked to enter the SSH user and password details. Once you are logged in to the remote server, the SSH tunnel is created. You can also set up SSH key-based authentication, which lets you connect to the remote server without entering the password each time.

Using Putty

Putty is a commonly used SSH client for Windows systems. You can create a local SSH tunnel with the following steps.

  • Start the Putty application and enter the details required to establish a connection to the remote server.
  • From the Category list in the left pane, navigate to Connection > SSH > Tunnels.
  • Select Local to define the type of SSH port forward you want to use.
  • Provide the local port number in the Source port field.
  • Provide the destination address and port number in the Destination field, in the format destination_server_ip:remote_port. After verifying the details, click Add.
  • Click Open, and the local SSH port forward is initiated.

Remote port forwarding is the opposite of local port forwarding. It lets you forward a port on the remote (server) machine to a port on the local machine, from where the traffic is forwarded to a port on the destination machine.

With this method, the SSH server listens on the specified port and tunnels every connection made to it to the local SSH client. The client then connects to the given port on the destination machine. The destination can be the local machine or another machine.

Using command-line

If you are using a Linux, macOS, or Unix system, you can set up remote port forwarding by passing the -R option to the ssh command, as shown below.

ssh -R [REMOTE:]REMOTE_PORT:DESTINATION:DESTINATION_PORT [USER@]SSH_SERVER

where,

  • [REMOTE:]REMOTE_PORT specifies the IP address and port number on the remote SSH server.
  • DESTINATION:DESTINATION_PORT specifies the destination machine’s IP address or hostname and its port.
  • [USER@]SSH_SERVER specifies the remote SSH user and the server’s IP address.

Example

Suppose you are developing a web-based application on your local system and want another developer to preview it. If you do not have a public IP address, the other developer will not be able to access the application over the internet.

However, if you have access to a remote SSH server, you can set up remote port forwarding with the command below.

ssh -R 8010:127.0.0.1:3100 -N -f user_name@remote.host

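The command above makes the SSH server listen on port 8010 and tunnel all traffic from that port to port 3100 on the local system (-N tells ssh not to run a remote command, and -f sends it to the background).

The other developer can then type the_ssh_server_ip:8010 in their browser to preview the application. Note that sshd binds remote forwards to the loopback address by default, so the port is reachable from other hosts only if GatewayPorts is enabled in the server configuration.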

Using Putty 

Putty is a commonly used SSH client for Windows systems. You can create a remote SSH tunnel with the following steps.

  • Start the Putty application and enter the details required to establish a connection to the remote server.
  • From the Category list in the left pane, navigate to Connection > SSH > Tunnels.
  • Select Remote to define the type of SSH port forward you want to use.
  • Provide the local port number in the Source port field.
  • Provide the destination address and port number in the Destination field, in the format destination_server_ip:remote_port. After verifying the details, click Add.
  • Click Open, and the remote SSH port forward is initiated.

With dynamic port forwarding, you create a socket on the local machine that acts as a SOCKS proxy server. Whenever a client connects to this port, the connection is forwarded to the remote machine, which then forwards it to a dynamically determined port on the destination machine.

Applications that use the SOCKS proxy connect through the SSH server, which forwards their traffic to its actual destination.

Using command-line

If you are working on Linux, Unix, and macOS, you can use the -D option with the SSH command shown below to create dynamic port forwarding.

ssh -D [LOCAL_IP:]LOCAL_PORT [USER@]SSH_SERVER

Where,

  • [LOCAL_IP:]LOCAL_PORT specifies the local machine’s IP address and port number. If you omit LOCAL_IP, the ssh client binds to localhost.
  • [USER@]SSH_SERVER specifies the remote SSH user and the server’s IP address.
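
The -L, -R and -D arguments described in this article share one shape: an optional bind address, a listening port and, for -L and -R, a destination. As an added example (not part of the original article), the hypothetical shell function check_forward splits such an argument and reports which side listens, on which interfaces, and whether the port is privileged. Bracketed IPv6 literals are not handled.

```sh
#!/bin/sh
# Added example; check_forward is a hypothetical helper, not an ssh feature.
# Usage: check_forward L|R|D SPEC   (SPEC is the text that follows the flag)
check_forward() {
    flag=$1; spec=$2
    fields=$(printf '%s\n' "$spec" | awk -F: '{ print NF }')
    case "$flag:$fields" in
        L:3|R:3) bind=default; port=${spec%%:*}; target=${spec#*:} ;;
        L:4|R:4) bind=${spec%%:*}; rest=${spec#*:}
                 port=${rest%%:*}; target=${rest#*:} ;;
        D:1)     bind=default; port=$spec; target=socks ;;
        D:2)     bind=${spec%%:*}; port=${spec#*:}; target=socks ;;
        *)       echo "invalid"; return 2 ;;
    esac
    # The listening port must be a number between 1 and 65535.
    case "$port" in ''|*[!0-9]*) echo "invalid"; return 2 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "invalid"; return 2; }

    # Omitted bind address: loopback, unless GatewayPorts says otherwise.
    # Empty or '*' bind address: every interface. For -R the server's
    # GatewayPorts setting decides whether the request is honoured.
    case "$bind" in
        default|localhost|127.0.0.1) scope=loopback ;;
        ''|'*'|0.0.0.0)              scope=all-interfaces ;;
        *)                           scope=address:$bind ;;
    esac
    [ "$flag" = R ] && side=server || side=client
    # Ports below 1024 are privileged and need root on the listening side.
    [ "$port" -lt 1024 ] && priv=privileged || priv=unprivileged
    echo "$side $scope $port $priv -> $target"
}

# The two command-line examples from this article:
check_forward L 3336:db002.host:3305
check_forward R 8010:127.0.0.1:3100
```
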

Using Putty 

Putty is a commonly used SSH client for Windows systems. You can create a dynamic SSH tunnel with the following steps.

  • Start the Putty application and enter the details required to establish a connection to the remote server.
  • From the Category list in the left pane, navigate to Connection > SSH > Tunnels.
  • Select Dynamic to define the type of SSH port forward you want to use.
  • Provide the dynamic port number in the Source port field. The SOCKS proxy server on your local machine will use this port to forward all the traffic dynamically.
  • After verifying the details, click Add.
  • Click Open, and the dynamic SSH port forward is initiated.

SSH port forwarding transfers traffic to the destination machine through an encrypted tunnel. Many companies use this method to ensure secure data transfer between machines connected over the network.

This article has covered three different types of SSH port forwarding: local, remote, and dynamic. You can use whichever forwarding method suits your scenario. Port forwarding needs to be set up securely and kept secure throughout the entire transfer process.
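
On the server side, the three forwarding types are governed by sshd settings. As an added example (not from the original article), the hypothetical function audit_forwarding reads lines in the format printed by `sshd -T` and lists the settings that leave forwarding unrestricted. The two sample configurations are constructed.

```sh
#!/bin/sh
# Added example; audit_forwarding is a hypothetical helper.
# Reads "keyword value" lines (the format printed by `sshd -T`) on stdin
# and prints one finding per forwarding setting that is left wide open.
audit_forwarding() {
    awk '
        { key = tolower($1); val = tolower($2) }
        key == "allowtcpforwarding" && (val == "yes" || val == "all") {
            print "allowtcpforwarding=" val ": clients may open -L, -R and -D forwards" }
        key == "gatewayports" && val != "no" {
            print "gatewayports=" val ": -R listeners can bind non-loopback addresses" }
        key == "permitopen" && val == "any" {
            print "permitopen=any: -L and -D may reach any host:port from the server" }
        key == "permitlisten" && val == "any" {
            print "permitlisten=any: -R may listen on any port" }
    '
}

# Constructed sample: forwarding left at permissive values.
SAMPLE_DEFAULTS='allowtcpforwarding yes
gatewayports no
permitopen any
permitlisten any'

# Constructed sample: only the -L target from the MySQL example is allowed.
SAMPLE_RESTRICTED='allowtcpforwarding local
gatewayports no
permitopen db002.host:3305
permitlisten none'

printf '%s\n' "$SAMPLE_DEFAULTS" | audit_forwarding
printf '%s\n' "$SAMPLE_RESTRICTED" | audit_forwarding
```

On a real server, feed the function the effective configuration, for example with `sshd -T | audit_forwarding` run as root.
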

Susith Nonis

I'm fascinated by the IT world and how the 1's and 0's work. While I venture into the world of Technology, I try to share what I know in the simplest way with you. Not a fan of coffee, a travel addict, and a self-accredited 'master chef'.