SSH TCP Port Forwarding

Preface

In some cases users need to do TCP port forwarding, for example when:
- A firewall blocks traffic between source and destination, but SSH traffic is allowed.
- For security reasons an application listens only on a TCP port on the loopback interface; you have only SSH access to the server, but you need to connect a remote application client to the server's loopback interface.
- Your provider filters traffic to TCP ports on some hosts, but you have a server on the public internet.
- Your SSH server needs to access an IP on your local network, but a firewall blocks this traffic.
- …

In these cases it is possible to open a connection from the SSH Client site to the SSH Server and configure TCP port forwarding. All TCP traffic sent to the forwarded port is taken and, with the help of the SSH protocol, forwarded from one site of the “tunnel” to the other. The forwarded traffic is encrypted like standard SSH traffic, so for every device between the SSH Client and the SSH Server it looks like a single SSH session.

Before we start

First we need to be sure what we actually want to configure. I know this sounds like a really stupid sentence, but SSH port forwarding is sometimes really confusing.

Questions:

Please make sure that you know the answers to these questions:
What is the Destination IP?
What is the Destination TCP port?
On which IP will the SSH TCP port Forwarding tunnel listen for incoming traffic?
On which TCP port will the SSH TCP port Forwarding tunnel listen for incoming traffic?

Listening on Local TCP port (-L)

Description: “-L [bind_address:]port:host:hostport”
Example: “ssh -L <Listening_Local_IP>:<Listening_Local_TCP_port>:<Destination_Remote_IP>:<Destination_Remote_TCP_port> user@server_IP”

Questions -> Answers (Q&A)

What is the Destination IP?
- This Destination IP is reachable from the SSH Server site, and we need to access it from the SSH Client site.

What is the Destination TCP port?
- This TCP port is reachable from the SSH Server site, and we need to access it from the SSH Client site.

On which IP will the SSH TCP port Forwarding tunnel listen for incoming traffic?
- It is one of the IPs configured on the SSH Client site.

On which TCP port will the SSH TCP port Forwarding tunnel listen for incoming traffic?
- It is a TCP port higher than 1024.
- This TCP port is free; nothing else is listening on it.
- It is a local TCP port on the SSH Client site.

Example:

In this case we will use this configuration:
SSH Client IP: 10.0.12.110
SSH Server IP: 10.0.12.111
Application is listening on (IP:TCP port): 10.0.12.1:80
The Application does not accept connections from the SSH Client IP, but the SSH Server IP is permitted.

According to this we will configure SSH TCP port Forwarding so that our SSH Client can access the Application port (in our case a web portal).

Check for available TCP port

We need to be sure that the TCP port we will use on the SSH Client site is free for us to use. In this case I'm going to use TCP port 2222.

[root@SSH_Client ~]# netstat -nap | grep 2222                                 # The TCP port 2222 is free and we can use it
[root@SSH_Client ~]#

Open SSH session with TCP port Forwarding

[root@SSH_Client ~]# ssh -L 10.0.12.110:2222:10.0.12.1:80 root@10.0.12.111   # -L [bind_address:]port:host:hostport
root@10.0.12.111's password:
Last login: Sat Jan 25 12:49:41 2014 from 10.0.12.110
[root@SSH_Server ~]#

Check the port on SSH Client site

[root@SSH_Client ~]# netstat -nap | grep 2222                                  # As you can see SSH Client is listening on 10.0.12.110:2222
tcp        0      0 10.0.12.110:2222     0.0.0.0:*     LISTEN      2018/ssh

Listening on Remote TCP port (-R)

Description: “-R [bind_address:]port:host:hostport”
Example: “ssh -R <Listening_Remote_IP>:<Listening_Remote_TCP_port>:<Destination_Local_IP>:<Destination_Local_TCP_port> user@server_IP”

If you want to bind the TCP port to an IP of the SSH Server (instead of only to its loopback interface), you need to enable:
GatewayPorts yes
in “/etc/ssh/sshd_config” and restart the SSHD process.

Questions -> Answers (Q&A)

What is the Destination IP?
- This Destination IP is reachable from the SSH Client site, and we need to access it from the SSH Server site.

What is the Destination TCP port?
- This TCP port is reachable from the SSH Client site, and we need to access it from the SSH Server site.

On which IP will the SSH TCP port Forwarding tunnel listen for incoming traffic?
- All of the IPs configured on the SSH Server site (when bind_address is “*” and GatewayPorts is enabled).

On which TCP port will the SSH TCP port Forwarding tunnel listen for incoming traffic?
- It is a TCP port higher than 1024.
- This TCP port is free; nothing else is listening on it.
- It is a local TCP port on the SSH Server site.

Example:

In this case we will use this configuration:
SSH Client IP: 10.0.12.110
SSH Server IP: 10.0.12.111
Application is listening on (IP:TCP port): 10.0.12.1:80
The Application does not accept connections from the SSH Server IP, but the SSH Client IP is permitted.

According to this we will configure SSH TCP port Forwarding so that our SSH Server can access the Application port (in our case a web portal).

Check for available TCP port

We need to be sure that the TCP port we will use on the SSH Server site is free for us to use. In this case I'm going to use TCP port 2222.

[root@SSH_Server ~]# netstat -nap | grep 2222                                 # The TCP port 2222 is free and we can use it
[root@SSH_Server ~]#

Open SSH session with TCP port Forwarding

[root@SSH_Client ~]# ssh -R *:2222:10.0.12.1:80 root@10.0.12.111               # -R [bind_address:]port:host:hostport
root@10.0.12.111's password:
Last login: Sat Jan 25 13:26:54 2014 from 10.0.12.110
[root@SSH_Server ~]#

Check the port on SSH Server site

[root@SSH_Server ~]# netstat -nap | grep 2222                                  # As you can see SSH Server is listening on 0.0.0.0:2222
tcp        0      0 0.0.0.0:2222     0.0.0.0:*     LISTEN      2018/ssh
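The following helper script is an added example (my own, not from this page or from OpenSSH) that turns the four Q&A answers for both the -L and the -R case into the ssh option string, after checking that the listening port is higher than 1024 and not already in use on the listening site, and that shows how to test sshd_config for the GatewayPorts setting the -R case needs. The netstat output and sshd_config fragments it parses are constructed samples, and all function names are my own.

```shell
#!/bin/sh
# Constructed sample of `netstat -nap` output on the listening side (not a real capture).
SAMPLE_NETSTAT='tcp        0      0 127.0.0.1:25         0.0.0.0:*     LISTEN      901/master
tcp        0      0 10.0.12.110:2222     0.0.0.0:*     LISTEN      2018/ssh'

# Constructed sshd_config fragments: OpenSSH default (GatewayPorts commented out) vs. enabled.
SSHD_DEFAULT='#GatewayPorts no
Port 22'
SSHD_GATEWAY='GatewayPorts yes
Port 22'

# port_in_use PORT NETSTAT_TEXT: succeeds if any TCP socket is LISTENing on that local port.
# Field 4 of a netstat tcp line is the local address; the port is the text after its last colon.
port_in_use() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# valid_listen_port PORT: numeric, higher than 1024 (unprivileged) and within the TCP range.
valid_listen_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -gt 1024 ] && [ "$1" -le 65535 ]
}

# gatewayports_enabled SSHD_CONFIG_TEXT: succeeds only on an uncommented "GatewayPorts yes".
# Without it sshd binds -R forwards to loopback only, whatever bind_address the client asked for.
gatewayports_enabled() {
    printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*GatewayPorts[[:space:]]+yes'
}

# forward_spec -L|-R BIND PORT HOST HOSTPORT NETSTAT_TEXT
# Prints the ssh option "-L|-R BIND:PORT:HOST:HOSTPORT" after checking the listening port.
# NETSTAT_TEXT must come from the side that will listen: the client for -L, the server for -R.
# A BIND of "*" or a non-loopback IP exposes the forwarded port to every host that can reach it.
forward_spec() {
    dir=$1; bind=$2; port=$3; host=$4; hostport=$5; ns=$6
    case "$dir" in -L|-R) ;; *) echo "direction must be -L or -R" >&2; return 1 ;; esac
    valid_listen_port "$port" || { echo "listen port $port must be in 1025-65535" >&2; return 1; }
    if port_in_use "$port" "$ns"; then echo "TCP port $port is already in use" >&2; return 1; fi
    printf '%s %s:%s:%s:%s\n' "$dir" "$bind" "$port" "$host" "$hostport"
}

# Stand-alone usage: the -L case from this page, but on a free port (2222 is taken in the sample).
forward_spec -L 10.0.12.110 2223 10.0.12.1 80 "$SAMPLE_NETSTAT"
```

On a real host, replace the sample with the output of `netstat -nap` captured on the listening side (the SSH Client for -L, the SSH Server for -R) before opening the session.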