📌 SSH local and remote port forwarding

I use SSH local port forwarding on a daily basis but I rarely use remote port forwarding. Today I forgot (again) about the GatewayPorts option, so I decided to write a quick reminder about SSH port forwarding.

Local port forwarding

When to use? When you need to access a service on a remote server that is not exposed.

In this example the remote service runs on port tcp/80.

home$ ssh user@work.example.org -L 10000:lan-ip-of-remote-server:80

SSH exposes a port locally (tcp/10000) that will point to the HTTP service on the remote server, through the SSH tunnel:

home$ netstat -tunelp | grep 10000
tcp 0 0 127.0.0.1:10000   0.0.0.0:*   LISTEN   1000   71679   12468/ssh

Now we can point our browser to http://localhost:10000 or use curl. The request goes to your local machine, then through the SSH tunnel to the remote server:

home$ curl localhost:10000

Local port forward for anyone at home

When to use? If you want other people on your home subnet to be able to reach the non-exposed service running on the remote server.

Just add the option -g:

home$ ssh user@work.example.org -L 10000:lan-ip-of-remote-server:80 -g

We now see the service bound to all interfaces of your home computer, so anyone on the local subnet can connect to it (provided the firewall rules allow it):

home$ netstat -tunelp | grep 10000
tcp 0 0 0.0.0.0:10000   0.0.0.0:*   LISTEN   1000   72265   12543/ssh

Anyone on your local subnet should be able to open http://your-workstation-ip:10000.

Remote port forwarding

When to use? To give people on a remote site access to a service running on your workstation, for example if someone needs help on their workstation.

home$ ssh user@work.example.org -R 10000:your-workstation-ip:22

We see on the server at work that a new port tcp/10000 is listening on the loopback interface:

work.example.org$ netstat -tunelp | grep 10000
tcp        0      0 127.0.0.1:10000              0.0.0.0:*                   LISTEN      0          73719534   3809/1

People logged in on the machine work.example.org should now be able to SSH into your home machine by doing:

work.example.org$ ssh user@localhost -p 10000

Remote port forwarding for anyone at work

When to use? If you want everybody on the subnet at work to be able to SSH into your home machine.

There's no -g option for remote forwards. You need to change the SSH server configuration of work.example.org by adding the following to /etc/ssh/sshd_config:

GatewayPorts yes

Restart the SSH server (sshd).

Connect just as before:

home$ ssh user@work.example.org -R 10000:192.168.1.10:22

Now, the service is exposed globally:

work.example.org$ netstat -tunelp | grep 10000
tcp 0 0 0.0.0.0:10000   0.0.0.0:*   LISTEN   0   73721060   4426/1

Provided appropriate firewall rules, anyone at work can now connect to your home machine by SSH via the work server, through port tcp/10000:

$ ssh anyone@work.example.org -p 10000
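The difference between the listings above is the bind address: 127.0.0.1 means only the machine itself can reach the forward, 0.0.0.0 means the whole subnet can. The following script, added here and not part of the original post, classifies a forwarded port from netstat-style lines (constructed samples in the same column layout as the post's listings) and lists every ssh/sshd listener reachable beyond loopback, which is a quick way to spot a forgotten -g or GatewayPorts yes.

```shell
#!/bin/sh
# Added example, not code from the original post: classify a forwarded port
# by the address it is bound to, reading `netstat -tunelp` style lines from
# stdin (same column layout as the listings in the post).

# Constructed sample output, modelled on the post's listings:
#  - 10000: -L forward without -g (loopback only)
#  - 10001: -L forward with -g (all interfaces)
#  - 10002: -R forward on a server with GatewayPorts yes
#  - 22:    sshd's own listening port, for contrast
SAMPLE_NETSTAT='tcp 0 0 127.0.0.1:10000   0.0.0.0:*   LISTEN   1000   71679   12468/ssh
tcp 0 0 0.0.0.0:10001   0.0.0.0:*   LISTEN   1000   72265   12543/ssh
tcp        0      0 0.0.0.0:10002              0.0.0.0:*                   LISTEN      0          73721060   4426/sshd
tcp6       0      0 :::22                      :::*                        LISTEN      0          12345      900/sshd'

# forward_scope PORT < netstat-output
# Prints "local" if PORT only listens on a loopback address, "exposed" if it
# is bound to a wildcard or non-loopback address, "none" if nothing listens.
forward_scope() {
    awk -v port="$1" '
        $6 == "LISTEN" {
            p = $4; sub(/.*:/, "", p)            # port is after the last colon
            if (p != port) next
            addr = $4; sub(/:[0-9]+$/, "", addr)  # everything before the port
            if (addr == "127.0.0.1" || addr == "::1") print "local"
            else print "exposed"
            found = 1; exit
        }
        END { if (!found) print "none" }'
}

# exposed_ssh_forwards < netstat-output
# Lists the ports of ssh/sshd listeners reachable beyond loopback, one per
# line. This includes sshd's own port, so compare against the server's Port
# setting; anything else here is a -g forward or a GatewayPorts yes forward.
exposed_ssh_forwards() {
    awk '$6 == "LISTEN" && $NF ~ /\/sshd?$/ {
            addr = $4; sub(/:[0-9]+$/, "", addr)
            p = $4; sub(/.*:/, "", p)
            if (addr != "127.0.0.1" && addr != "::1") print p
        }'
}
```

On a live machine, pipe `netstat -tunelp` (or `ss -tunlp`, which has a similar but not identical column layout) into the functions instead of the constructed sample.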

Thanks for reading this post!
