What is SSH port forwarding:

SSH Port forwarding is an SSH feature that allows tunneling application ports:

In this example we want to forward any incoming connections from CLIENT port 50001 to DB_SERVER port 50000, using SSH_PROXY as a proxy server between the two hosts.

Example Topology:

+--------------+   +--------------+   +-----------------+
| CLIENT:50001 |==>| SSH_PROXY:22 |==>| DB_SERVER:50000 |
+--------------+ +--------------+ +-----------------+

To do this we need to run on CLIENT the following command

$ ssh -L 127.0.0.1:50001:DB_SERVER:50000 username@SSH_PROXY -N
  • -L: Listen for incoming connections, in this case listens on ip 127.0.0.1:50001 of CLIENT and will forward them to port 50000 of DB_SERVER
  • username@SSH_PROXY: SSH_PROXY is a host that allows incomming connections from CLIENT on port 22 and is allowed to connect to port 50000 of DB_SERVER
  • username: is the user name used connect to SSH_PROXY
  • -N: Means do not execute remote commands, this is useful when we just forward connections.
  • SSH_PROXY must be configured to accept incoming SSH connections from CLIENT, and DB_SERVER must be configured to accept incoming connections to port 50000 from SSH_PROXY.

Usual security practices are:

  • Configuring list with IP addresses and usernames allowed to connect to SSH_PROXY, enforced usage of SSH keys in place of passwords
  • Configuring ip lists of IP addresses allowed to connect to DB_SERVER.

Written by

DevOps engineer, loves Linux, Python, cats and Amiga computers

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store