SSH Port Forwarding: A Brief Introduction


SSH (Secure Shell) port forwarding, also known as SSH tunneling, is a way to create encrypted connections between computers. It allows for secure communication over insecure networks such as the internet. With SSH port forwarding, a user can securely connect from their local computer to another machine on a remote network. This connection is made through an encrypted “tunnel” that passes data back and forth between the two machines.

SSH port forwarding is used in many different scenarios by both system administrators and individual users alike. For example, it may be employed for connecting to corporate networks or private servers from home or while traveling; bypassing firewalls; accessing resources behind NAT routers; and so much more. In this article, we will discuss how SSH port forwarding works in greater detail and provide examples of how it’s used in different contexts.


What is Local Port Forwarding?

Local port forwarding creates an encrypted tunnel with local ports on each end of the connection using only one IP address (the source). The source machine initiates the tunnel by sending requests to a destination server via its own IP address but with specific ports set up at either end of the link – so all traffic goes through these ports instead of directly between hosts like normal HTTP/HTTPS traffic would do over public networks.

For example, if you wanted to access your company’s database from home over an unsecured Wi-Fi network, you could use local port forwarding: set your laptop’s IP address as the source, specify which ports should be open at each endpoint (say 3306 for MySQL or 27017 for MongoDB), and then establish an encrypted tunnel within which all communications are conducted safely away from any malicious actors lurking on public networks.

Local Port Forwarding with OpenSSH

OpenSSH is a popular terminal emulation program commonly used for secure shell connections into UNIX-like operating systems, including macOS X, Linux, BSD and Solaris. To establish a local forward using OpenSSH, type:

ssh -L [local_port]:[remote_host]:[remote_port] [user]@[server] 

and press Enter. This configures the ssh client running locally so that anyone who connects via the specified local host is actually connecting through the remote machine acting as a proxy, which allows them to traverse any firewalls present without having direct access themselves.

How to Use Remote Port Forwarding

Remote Port Forwarding allows you to connect remotely from outside your organization’s internal network to another resource inside it—without having direct access yourself—by setting up tunnels across multiple hops along the route taken.

Essentially, instead of starting an outbound connection each time a user wishes to initiate a session, or opening a new ssh instance at every hop, the process begins at the gateway node closest to the external world and is redirected until it finally reaches the desired target server, securely authenticated with the credentials supplied during the initial setup phase.

To accomplish this, run:

ssh -R [remote_port]:[destination_host]:[destination_port] [user]@[gateway]

This establishes a reverse tunnel, meaning that anything sent in the incoming direction along the specified path is forwarded to the final destination endpoint given above, without requiring explicit authentication again upon arrival there.

Remote Port Forwarding with OpenSSH

OpenSSH also supports remote port forwarding, using the same syntax as above only in reverse order. This means that you specify the host and port on the remote server first, followed by the local host that should be used to connect to it securely from your own machine. For example,

ssh -R [remote_port]:[destination_host]:[destination_port] [user]@[gateway]

How To Use Dynamic Port Forwarding

Dynamic port forwarding is a way of setting up an encrypted tunnel between two computers using SSH, with just one IP address (the source). It works similarly to local and remote port forwarding, but instead of connecting directly through specified ports at either end, dynamic proxy settings are established so that any data sent back and forth will go through an encrypted channel regardless of its destination or origin.

This can be accomplished with a command-line utility such as OpenSSH, using the command:

ssh -D [local_port] [user]@[server]

If successful, you’ll then have a secure connection available where all traffic gets routed along the path, leaving no traceable information behind except the secure authentication credentials supplied initially.

Dynamic Port Forwarding with OpenSSH

OpenSSH supports dynamic port forwarding by letting users choose which protocol to use to establish links, namely the SOCKS4, SOCKS5 and HTTP-Proxy protocols. The syntax is similar to the previous examples; ssh takes no separate protocol argument, because the client application that connects to the local port selects the protocol, e.g.:

ssh -D 8080 user@server

Once connected successfully, any application running locally can make requests over the newly created tunnel, avoiding any potential dangers lurking out there waiting to intercept them.

Opening Backdoors into the Enterprises and Companies

Opening backdoors into enterprise networks allows system administrators to access resources without having direct physical access themselves. This might include troubleshooting servers remotely or providing temporary access rights to third parties while ensuring security measures remain intact throughout the process, preventing malicious actors from getting inside the network perimeter walls undetected! Doing this effectively requires careful server-side configuration before attempting a connection; otherwise attempts could fail due to authentication failures even if the client-side setup is correct.

Server-Side Configuration

Configuring a server for backdoor access requires changes to both the firewall rules on the external-facing interface and other internal routing tables, depending on the type of service being accessed; web-based applications, for example, require a different approach from file-sharing services. In addition, the specific ports required for each type of session must be opened and set appropriately, so that only legitimate connections are allowed to pass and unmonitored ones are blocked outright.

How to Prevent SSH Port Forwarding from Circumventing Firewalls?

  • Properly configured firewalls should provide high-level protection against unauthorized attempts to access corporate networks by bypassing traditional methods of authentication such as usernames, passwords, tokens, etc.
  • Best practice when deploying new firewall infrastructure is always to check existing configurations regularly, audit logs periodically, detect unusual behavior across network boundaries, and investigate further.
  • SSH port forwarding can be configured to use encrypted tunnels for all traffic going through. This will ensure that even if someone manages to get inside the firewall, there is still a need to decrypt data before being able to view content, which should mitigate any potential risks associated with such attempts.
  • Regularly review and update the firewall rules and security settings to ensure that all ports are closed, except for those that are explicitly allowed for legitimate business operations.
  • Implement intrusion detection and prevention systems to detect and respond to suspicious activities on the network.
  • Deploy a web application firewall to protect web applications and services from malicious actors.
  • Monitor logs and alerts to identify any suspicious or malicious activity.
  • Use strong passwords and two-factor authentication to protect SSH sessions and prevent port forwarding circumvention.
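
The configuration review recommended above can also be applied to the SSH server itself. The following is an added example, not part of the original article: a shell function that reads effective settings in the "keyword value" form printed by `sshd -T` and reports the ones that leave `-L`, `-D` or `-R` forwarding unrestricted. The function names, finding labels and sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag sshd settings that leave TCP port forwarding open.
# Input (stdin): "keyword value" lines as printed by `sshd -T`.
# Output: one finding per line; no output means nothing was flagged.
audit_forwarding() {
    awk '
        { cfg[tolower($1)] = tolower($2) }
        END {
            # DisableForwarding overrides the other forwarding options.
            if (cfg["disableforwarding"] == "yes") exit
            # Fall back to the OpenSSH defaults when a keyword is absent.
            atf = ("allowtcpforwarding" in cfg) ? cfg["allowtcpforwarding"] : "yes"
            po  = ("permitopen" in cfg)   ? cfg["permitopen"]   : "any"
            pl  = ("permitlisten" in cfg) ? cfg["permitlisten"] : "any"
            gp  = ("gatewayports" in cfg) ? cfg["gatewayports"] : "no"
            local_ok  = (atf == "yes" || atf == "all" || atf == "local")
            remote_ok = (atf == "yes" || atf == "all" || atf == "remote")
            # -L and -D: clients may reach any host:port behind the server.
            if (local_ok && po == "any")
                print "LOCAL_UNRESTRICTED allowtcpforwarding=" atf " permitopen=any"
            # -R: clients may open any listening port on the server.
            if (remote_ok && pl == "any")
                print "REMOTE_UNRESTRICTED allowtcpforwarding=" atf " permitlisten=any"
            # -R listeners may bind to non-loopback addresses.
            if (remote_ok && gp != "no")
                print "REMOTE_PUBLIC_BIND gatewayports=" gp
        }
    '
}

# Constructed sample: settings equivalent to an untouched default install.
sample_default() {
    printf '%s\n' 'allowtcpforwarding yes' 'gatewayports no' \
        'permitopen any' 'permitlisten any' 'disableforwarding no'
}

# Constructed sample: only local forwards, and only to one database port.
sample_hardened() {
    printf '%s\n' 'allowtcpforwarding local' 'gatewayports no' \
        'permitopen db.internal:3306' 'permitlisten any'
}

sample_default | audit_forwarding    # on a real host: sshd -T | audit_forwarding
```

`sshd -T` reports the global settings only; to see what applies to a particular user or source address under `Match` blocks, pass a connection specification with `-C`.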

SSH’s Solution

The most effective way to protect against SSH port forwarding is by using strong authentication methods such as public key encryption and two-factor authentication. This ensures that only authorized users are able to access the resources they need while also keeping out malicious actors who might be trying to bypass firewalls or gain unauthorized access.

Additionally, setting up a separate gateway server with its own firewall can help ensure that all incoming connections must first authenticate before being allowed into the internal network — thus providing an additional layer of security for your organization’s sensitive data.


In this article, we have discussed what SSH port forwarding is used for, how it works, and some examples of the different types, including local, remote and dynamic port forwarding with OpenSSH. We also touched on how best to prevent it from circumventing existing firewalls and discussed ways to secure the connection further using public key encryption, two-factor authentication, etc. Finally, we concluded that having a separate gateway server set up behind the main one provides an added layer of protection, so that even if someone manages to breach the outer perimeter defenses, they still need to authenticate themselves before gaining entry into the inner network.