I use SSH local port forwarding on a daily basis but I rarely use remote port forwarding. Today I forgot (again) about the
GatewayPorts option, so I decided to write a quick reminder about SSH port forwarding.
Local port forwarding
When to use? When you need to access a service on a remote server that is not exposed.
In this example the remote service runs on port tcp/80.
home$ ssh firstname.lastname@example.org -L 10000:lan-ip-of-remote-server:80
SSH exposes a port locally (tcp/10000) that will point to the HTTP service on the remote server, through the SSH tunnel:
home$ netstat -tunelp | grep 10000 tcp 0 0 127.0.0.1:10000 0.0.0.0:* LISTEN 1000 71679 12468/ssh
Now we can point our browser to http://localhost:10000 or use curl, you request goes to your local machine, then through the SSH tunnel to the remote server:
home$ curl localhost:10000
Local port forward for anyone at home
When to use? If you want other people on your home subnet to be able to reach the non exposed service running on the remote server.
Just add the option
home$ ssh email@example.com -L 10000:lan-ip-of-remote-server:80 -g
We now see the service is available on all interfaces of your home computer, available for anyone to connect to on the local subnet (provided appropriate firewall rules):
home$ netstat -tunelp | grep 10000 tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN 1000 72265 12543/ssh
Anyone on your local subnet should be able to open http://your-workstation-ip:10000.
Remote port forwarding
When to use? Giving access to a service running on your workstation to people on a remote site. For example if someone needs help on their workstation.
home$ ssh firstname.lastname@example.org -R 10000:your-workstation-ip:22
We see on the server at work that a new port tcp/10000 is listening on the loopback interface:
work.example.org$ netstat -tunelp | grep 10000 tcp 0 0 127.0.0.1:10000 0.0.0.0:* LISTEN 0 73719534 3809/1
People logged in on the machine work.example.org now should be able to SSH into your home machine by doing:
work.example.org$ ssh user@localhost -p 10000
Remote port forwarding for anyone at work
When to use? If you want everybody on the subnet at work to be able to SSH into your home machine.
-g option for remote forward. You need to change the SSH server configuration of work.example.org, add the following to
Connect just as before:
home$ ssh email@example.com -R 10000:192.168.1.10:22
Now, the service is exposed globally:
work.example.org$ netstat -tunelp | grep 10000 tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN 0 73721060 4426/1
Provided appropriate firewall rules, anyone at work can now connect to your home machine by SSH via the work server, through port tcp/10000:
$ ssh firstname.lastname@example.org -p 10000
- You would need to log in as root if you want services to listen on a port < 1024.
- Already mentioned but don’t forget to open necessary ports on any firewall either at home or work.
- Unfortunately you can only forward services running on TCP, but it is possible to forward UDP through SSH using netcat