
Master SSH Secure Tunnels: Local, Remote, and Dynamic Port Forwarding Explained

Learn how to create secure SSH tunnels using local, remote, and dynamic port forwarding, with step‑by‑step command examples, option explanations, and practical network diagrams that show how to access otherwise unreachable hosts and services through intermediate jump hosts.

Raymond Ops

1.1 SSH Secure Tunnel (Part 1): Local Port Forwarding

Scenario: host3 can communicate with host1 and host2, but host1 and host2 cannot talk directly. To access host2 from host1, use SSH local port forwarding via host3.

[Figure: Diagram of host connectivity]

SSH local port forwarding syntax:

<code>ssh -L [local_bind_addr:]local_port:remote:remote_port middle_host</code>

Example command on host1:

<code># ssh -g -L 2222:host2:80 host3</code>

The <code>-L</code> option creates a listening port (2222) on host1 that forwards traffic to host2:80 through host3. Adding <code>-g</code> allows external hosts to connect to the forwarded port.

<code># ssh -L 172.16.10.5:2222:host2:80 host3</code>

Using a specific bind address lets other machines reach the service via 172.16.10.5:2222. It is recommended to run the forwarding in the background with <code>-f</code> and <code>-N</code>:

<code># ssh -f -N -g -L 22333:host2:22 host3</code>

1.2 SSH Secure Tunnel (Part 2): Remote Port Forwarding

Remote port forwarding sends data from a remote port back to the local machine. Example: host3 can talk to host1 and host2, but host1 cannot reach host3 directly, so host3 initiates the forwarding.

[Figure: Remote forwarding diagram]

SSH remote port forwarding syntax:

<code>ssh -R [bind_addr:]remote_port:host:port remote_host</code>

Example command executed on host3:

<code># ssh -R 22333:host2:80 host1</code>

This creates a listening socket on host1 (port 22333) that forwards incoming connections through the secure tunnel to host2:80. By default sshd binds remote forwarded ports to the loopback address; to bind to all interfaces, enable <code>GatewayPorts</code> in <code>sshd_config</code> and use <code>*</code> as the bind address.

<code># ssh -g -R *:22333:host2:80 host1</code>

Recommended options for remote forwarding are <code>-g</code>, <code>-f</code>, and <code>-N</code>:

<code># ssh -fgN -R 22333:host2:80 host1</code>

1.3 SSH Secure Tunnel (Part 3): Dynamic Port Forwarding (SOCKS Proxy)

Dynamic port forwarding lets SSH act as a SOCKS4/5 proxy, automatically handling different application‑layer protocols.

[Figure: Dynamic forwarding diagram]

Syntax:

<code>ssh -D [bind_addr:]port remote_host</code>

Example command on host1 to create a SOCKS proxy via host3:

<code># ssh -Nfg -D 2222 host3</code>

Clients configure their proxy settings to point to host1:2222. HTTP browsers, SSH clients, or other tools will then have their traffic forwarded through host3 to the internet or to host2, depending on the requested service.

[Figure: IE proxy configuration]

SSH supports only SOCKS4 and SOCKS5; some clients may require explicit proxy type selection. Use the same recommended options <code>-f</code>, <code>-N</code>, and <code>-g</code>. Tools like SecureCRT or PuTTY can also set up dynamic forwarding without using the command line.
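The <code>-g</code> option and an explicit bind address, used in the local (1.1) and dynamic (1.3) examples, make the forwarded port reachable by other hosts. The following check is an added example, not part of the original article: it reads <code>ss -H -tlnp</code> output and lists listeners owned by the ssh client that are bound to a non-loopback address. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article).
# Reads `ss -H -tlnp` output on stdin and prints "address port" for every
# listening socket owned by the ssh client (-L and -D listeners) that is
# bound to something other than loopback. Listeners created by -R belong
# to sshd on the remote host and are out of scope here.
exposed_ssh_forwards() {
    awk '
    # Keep only listening sockets whose owning process is exactly "ssh".
    $1 == "LISTEN" && /users:\(\("ssh",/ {
        port = $4; sub(/.*:/, "", port)        # text after the last colon
        addr = $4; sub(/:[^:]*$/, "", addr)    # text before the last colon
        # Loopback listeners are only reachable from the local machine.
        if (addr ~ /^127\./ || addr == "[::1]") next
        print addr, port
    }'
}

# Constructed sample of `ss -H -tlnp` output on host1 (pids are made up):
#   sshd on port 22        -> not an ssh client listener, ignored
#   ssh -g -L 22333:...    -> bound to all interfaces, reported
#   ssh -L 172.16.10.5:... -> bound to a routable address, reported
#   ssh -D 1080            -> no -g, loopback only, not reported
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 128       0.0.0.0:22     0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128       0.0.0.0:22333  0.0.0.0:* users:(("ssh",pid=4121,fd=4))
LISTEN 0 128          [::]:22333     [::]:* users:(("ssh",pid=4121,fd=5))
LISTEN 0 128   172.16.10.5:2222   0.0.0.0:* users:(("ssh",pid=4140,fd=4))
LISTEN 0 128     127.0.0.1:1080   0.0.0.0:* users:(("ssh",pid=4152,fd=4))
LISTEN 0 128         [::1]:1080      [::]:* users:(("ssh",pid=4152,fd=5))
EOF
}

# On a live host (root is needed to see other users' processes):
#   ss -H -tlnp | exposed_ssh_forwards
sample_ss_output | exposed_ssh_forwards
```

Any line it prints is a tunnel entry point that other machines on the network can use, so it should be either intended and firewalled or rebound to loopback.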
