SSH port forwarding, sometimes referred to as SSH tunneling, is a method for safely transmitting data over an encrypted SSH connection between a local machine and a remote server. It allows users to securely connect to resources or services that firewalls could otherwise block or restrict.

What Is SSH Port Forwarding (SSH Tunneling)?

SSH port forwarding, also known as SSH tunneling, is the process of transmitting data over an encrypted secure shell connection between a local machine and a remote server. It allows users to access services that firewalls would otherwise restrict or block.

SSH port forwarding enhances security by encrypting data transmitted through the tunnel and protecting it from potential interception or eavesdropping. It’s a powerful feature often used by system administrators, developers and users needing secure access to resources across different networks or to bypass network restrictions.

There are three types of SSH port forwarding:

  1. Local port forwarding: Redirects traffic from a local port on the client machine to a specified port on a remote server via an SSH connection.
  2. Remote port forwarding: Redirects traffic from a port on the remote server to a specified port on the client machine.
  3. Dynamic port forwarding: Creates a SOCKS proxy on the client machine, enabling the forwarding of traffic from various applications through the SSH connection.

We will explore the different types of port forwarding in detail later in the article. First, let’s understand how port forwarding works.

 

How Does Port Forwarding Work?

Port forwarding, also known as port mapping, is a computer networking technique that enables desired internet traffic to be sent to a particular device on a private network. In order to reroute the incoming traffic, rules are created on a router or firewall.

In other words, when a device on the internet tries to connect to a device on a private network, the router’s network address translation (NAT) firewall blocks the connection. The NAT allows numerous devices to share a single public IP address while maintaining their own private IP address. The firewall blocks the connection to protect internal devices from unauthorized access. 

However, in some cases, you may need to allow specific incoming traffic to reach a specific device on the internal network. This is where port forwarding comes in. Here’s how it works:

  • Identifying the external port. Choose an external port number that will be used to access the device on the internal network. This port number should not already be used by another service or forwarding rule on the router.
  • Identifying the internal IP address and port. Determine the private IP address of the device you want to make accessible and the port number it uses for the service you want to expose.
  • Creating a port forwarding rule. Access the router’s configuration interface and create a port forwarding rule. This rule will map the external port number to the internal IP address and port number.
  • Activating the rule. Save the port forwarding rule and activate it. Once activated, the router will start redirecting incoming traffic on the specified external port to the designated device and port on the internal network.

Here are two examples of creating rules on a router or firewall to enable port forwarding.

 

Port Forwarding Example 1 

Let’s say you want to forward a specific port to a specific device. In this case, it’s port 80 (HTTP) to a web server with the IP address 192.168.1.100. To do this, you would create the following rule:

  • Protocol: TCP
  • Source: Any
  • Destination: Router’s public IP address
  • Port: 80
  • Forward to: 192.168.1.100
  • Port: 80

This rule will tell the router to forward any traffic that is sent to port 80 on its public IP address to port 80 on the web server with the IP address 192.168.1.100.

 

Port Forwarding Example 2

In this second example, we’ll forward a range of ports to a specific device. Let’s say you want to forward ports 25-26 (SMTP) to a mail server with the IP address 192.168.1.101. To do this, you would create the following rule:

  • Protocol: TCP
  • Source: Any
  • Destination: Router’s public IP address
  • Port: 25-26
  • Forward to: 192.168.1.101
  • Port: 25-26

This rule will tell the router to forward any traffic that is sent to ports 25-26 on its public IP address to ports 25-26 on the mail server with the IP address 192.168.1.101.
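The two router rules above, expressed as Linux netfilter (iptables) rules, as an added example that is not part of the original article. The function only prints the rules; `eth0` as the WAN interface and `203.0.113.0/24` as a trusted source range are placeholders chosen for this example, and it assumes IP forwarding and the usual ESTABLISHED,RELATED accept rule are already in place.

```shell
#!/bin/sh
# Added example, not from the article: prints the iptables rules that
# implement a router port-forwarding rule like Examples 1 and 2. Nothing
# is applied; WAN_IF and the trusted source range are placeholders.

# dnat_rules WAN_IF EXT_PORTS INTERNAL_IP [TRUSTED_SRC]
#   EXT_PORTS is a single port (80) or a range (25-26). A range is forwarded
#   to the same range on the internal host: a DNAT target with an explicit
#   port would collapse every port of the range onto that single port.
#   TRUSTED_SRC defaults to any source, matching "Source: Any" above.
dnat_rules() {
  wan=$1; ports=$2; target=$3; src=${4:-0.0.0.0/0}
  case "$ports" in
    *-*)
      # iptables writes ranges as low:high; DNAT then keeps the original port.
      match="--dport $(printf '%s' "$ports" | tr '-' ':')"
      to="$target" ;;
    *)
      match="--dport $ports"
      to="$target:$ports" ;;
  esac
  # 1. Rewrite the destination of matching packets arriving on the WAN side.
  printf 'iptables -t nat -A PREROUTING -i %s -s %s -p tcp %s -j DNAT --to-destination %s\n' \
    "$wan" "$src" "$match" "$to"
  # 2. DNAT alone is not enough: the FORWARD chain must also admit the
  #    rewritten packets, and only from the chosen source range.
  printf 'iptables -A FORWARD -i %s -s %s -d %s -p tcp %s -m conntrack --ctstate NEW -j ACCEPT\n' \
    "$wan" "$src" "$target" "$match"
}

# Example 1: port 80 to the web server, reachable from anywhere.
dnat_rules eth0 80 192.168.1.100
# Example 2: ports 25-26 to the mail server, limited to a trusted range
# (the "trusted IP addresses or ranges" mitigation discussed later).
dnat_rules eth0 25-26 192.168.1.101 203.0.113.0/24
```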


 

Why Is Port Forwarding Important?

Port forwarding is crucial when it comes to networking and gaining access to resources inside private networks. The following are some of the main reasons for port forwarding’s importance:

  1. Accessing services from outside the local network: Port forwarding allows external users or devices from the internet to access services, applications, or resources hosted on devices within a private network.
  2. Running specialized applications: Port forwarding ensures the applications can send and receive data through the required ports, enabling them to work correctly.
  3. Gaming and peer-to-peer connections: Gamers often utilize port forwarding to host game servers or participate in multiplayer games by allowing incoming connections through specific ports.
  4. Enabling remote management and control: It facilitates remote management of devices like cameras, IoT devices or network-attached storage (NAS) systems within the local network.
  5. Security and control: It enables selective opening of ports, ensuring that only specific services or applications are accessible, thereby reducing the risk of unauthorized access.
  6. Flexibility in network configuration: Port forwarding provides flexibility in network configuration, allowing users to customize how incoming traffic is directed and which devices or services are reachable from outside the local network.

 

Prerequisites for Port Forwarding

Through the process of port forwarding, incoming network traffic is redirected from one router or firewall port to another port on a particular local network device. There are a few requirements and things to keep in mind before setting up port forwarding:

  • Access to router configuration: You must have administrative access to the router or gateway device responsible for managing network traffic. Typically, this involves accessing the router’s web-based interface via a web browser.
  • Static IP address or DHCP reservation: It’s recommended to assign a static IP address to the device within the local network that will receive the forwarded traffic. Alternatively, use DHCP reservation to ensure the device consistently gets the same IP address from the router's DHCP server.
  • Understanding the service and port numbers: Identify the service or application for which you want to set up port forwarding. Different services and applications use specific port numbers (e.g., HTTP uses port 80, FTP uses port 21, SSH uses port 22).
  • Security considerations: Assess the security implications of opening specific ports to incoming traffic. Only forward ports that are necessary for the intended service or application, and avoid exposing unnecessary ports to minimize security risks.
  • Router’s interface and port forwarding settings: Understand the terminology and options related to port forwarding in the router’s settings, such as internal and external ports, protocols (TCP/UDP), and the target device’s IP address.
  • Checking firewall settings: Ensure that the router’s firewall or any software firewall on the target device does not block incoming connections to the port being forwarded.
  • Connectivity: After configuring port forwarding, test the connectivity from an external network to ensure that the service or application is accessible as intended.

 

Local Port Forwarding

Local port forwarding is used when a user needs to reach a resource or service on a remote server but cannot do so directly because of firewall settings, network configuration or private network limitations.

It uses SSH to establish a secure tunnel between a local machine (the client) and a remote server, so that services or resources on the destination server that are otherwise unreachable because of firewall settings or network limitations can be accessed through the tunnel.

To establish local port forwarding, the user initiates an SSH connection to the remote server with the -L option followed by the forwarding specifications. The syntax for setting up local port forwarding is:

ssh -L [local_port]:[destination_address]:[destination_port] [username]@[ssh_server]

For example, suppose a user wants to access a web server (port 80) located on a remote server with IP address 192.168.1.100, but direct access to port 80 is blocked. The user can use local port forwarding to redirect local port 8080 to the remote server's port 80.

Command:

ssh -L 8080:192.168.1.100:80 user@remote_server

 

Remote Port Forwarding (Reverse Tunneling)

Remote port forwarding, also known as reverse tunneling, is used when a user needs to expose a service or application hosted on their local machine, typically behind a firewall or router, so that it can be reached from a remote server.

It creates a secure connection between a remote server and a local computer or device and reroutes traffic from a specified port on the remote server to a designated port on the local machine. This is the reverse of local port forwarding, which forwards data from the local machine to the remote server.

To initiate remote port forwarding, the user configures an SSH connection to the remote server with the -R option followed by the forwarding specifications. The syntax for setting up remote port forwarding is: 

ssh -R [remote_port]:[destination_address]:[local_port] [username]@[ssh_server]

For example, suppose a user wants to allow access to a web server (running on port 8080) hosted on their local machine (with private IP 192.168.1.10) from a remote server with public IP 123.45.67.89. The user can use remote port forwarding to redirect traffic from the remote server's port 80 to their local machine’s port 8080.

Command:

ssh -R 80:192.168.1.10:8080 user@123.45.67.89

 

Dynamic Port Forwarding

Dynamic port forwarding enables users to create a secure tunnel between their local machine and a remote SSH server, turning the SSH server into a proxy server.

This technique enables users to establish a dynamic SOCKS proxy over an SSH connection. Dynamic port forwarding creates a general-purpose encrypted tunnel that can redirect traffic from many ports and applications over the SSH connection. This is different from local and remote port forwarding, which redirects specific ports to specific destinations.

Dynamic port forwarding is used for a variety of purposes, such as accessing blocked websites or services, bypassing censorship and protecting your privacy. When you use dynamic port forwarding, your traffic is encrypted and routed through the SSH server, which makes it more difficult for third parties to track or intercept your activity.

To initiate dynamic port forwarding, the user configures an SSH connection to the remote server with the -D option followed by a chosen local port number.

The syntax for setting up dynamic port forwarding is:

ssh -D [local_port] [username]@[ssh_server]

After initiating the SSH connection with dynamic port forwarding, a SOCKS proxy is created on the specified local port (e.g., 1080) on the client machine. Applications or services on the client machine can be configured to use this SOCKS proxy (localhost:port) as a gateway to route their network traffic through the SSH tunnel to the remote server.

The SSH server forwards the traffic to the final destination addresses, acting as a mediator for all the connections initiated through the SOCKS proxy. Dynamic port forwarding in SSH provides a versatile method for securely tunneling traffic from multiple applications or services through an encrypted connection to a remote SSH server.
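The three command forms from the local, remote and dynamic forwarding sections, wrapped in a small helper with safer defaults, as an added example that is not the article's own code. The function names, the explicit loopback bind addresses and the `ss`-based check are this example's choices; the host names and ports are the article's.

```shell
#!/bin/sh
# Added example, not from the article: builds hardened OpenSSH forwarding
# commands for the three modes above. Function names and the loopback bind
# addresses are this example's own choices.

# Return 0 when $1 is an integer in 1..65535.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# forward_cmd MODE ... prints one ssh command line; returns 1 on bad input.
#   forward_cmd local   LPORT DEST_HOST DEST_PORT USER@SERVER
#   forward_cmd remote  RPORT DEST_HOST DEST_PORT USER@SERVER
#   forward_cmd dynamic LPORT USER@SERVER
# -N: open no remote shell; the session exists only to carry the tunnel.
# -o ExitOnForwardFailure=yes: fail if the listener cannot be bound instead
#   of silently leaving you with a session that has no forward.
# Listeners are pinned to 127.0.0.1 so nothing else on the LAN can use the
# tunnel. For -R the server enforces loopback anyway unless GatewayPorts is
# enabled in sshd_config, and ports below 1024 (like 80 in the article's -R
# example) can only be bound by a privileged account on the listening side.
forward_cmd() {
  mode=$1; shift
  opts="-N -o ExitOnForwardFailure=yes"
  case "$mode" in
    local)
      valid_port "$1" && valid_port "$3" || return 1
      printf 'ssh %s -L 127.0.0.1:%s:%s:%s %s\n' "$opts" "$1" "$2" "$3" "$4" ;;
    remote)
      valid_port "$1" && valid_port "$3" || return 1
      printf 'ssh %s -R 127.0.0.1:%s:%s:%s %s\n' "$opts" "$1" "$2" "$3" "$4" ;;
    dynamic)
      valid_port "$1" || return 1
      printf 'ssh %s -D 127.0.0.1:%s %s\n' "$opts" "$1" "$2" ;;
    *) return 1 ;;
  esac
}

# After running the command, confirm the listener exists and is bound only to
# loopback (uses ss from iproute2; not part of the automated checks).
tunnel_listening() {
  ss -ltn 2>/dev/null | grep -q "127\.0\.0\.1:$1 "
}

# Demo with the article's values.
forward_cmd local 8080 192.168.1.100 80 user@remote_server
forward_cmd remote 80 192.168.1.10 8080 user@123.45.67.89
forward_cmd dynamic 1080 user@remote_server
```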

 

Security Concerns of Port Forwarding

Although port forwarding is a helpful tool for connecting to remote devices and services, it can introduce security issues if it isn’t set up appropriately. The following are the primary security concerns with port forwarding:

  • Unauthorized access: Attackers may use exposed ports to obtain unauthorized access to your devices and data. This might result in malware infections, data breaches or even the compromise of your whole network.
  • Denial-of-Service attacks: Attackers can target open ports with Denial-of-Service (DoS) attacks, overwhelming the devices and making them unavailable to legitimate users. This can disrupt operations and cause significant downtime.
  • Malware installation: Attackers can use port forwarding vulnerabilities to install malware on your devices, allowing them to control your devices and steal data. This can lead to identity theft, financial losses and reputation damage.
  • Misconfigurations and vulnerabilities: Improper port forwarding configurations or vulnerabilities in the services you expose can create exploitable weaknesses that attackers can leverage to gain access to your network.
  • Increased attack surface: By opening specific ports to the internet, you are essentially creating entry points for potential attackers. Each open port represents a potential vulnerability that can be exploited if not properly secured.

There are a few steps you can take to mitigate the security risks associated with port forwarding. These include:

  1. Implementing strong authentication mechanisms, such as multi-factor authentication (MFA), for services accessible through forwarded ports.
  2. Regularly reviewing and updating port forwarding rules and closing unnecessary or unused ports.
  3. Using firewall rules to limit access to forwarded ports only to trusted IP addresses or ranges.
  4. Employing intrusion detection/prevention systems (IDS/IPS) to monitor and detect suspicious activities on forwarded ports.

A tutorial on SSH port forwarding. | Video: Tinkernut


 

Applications of SSH Port Forwarding

SSH port forwarding is a flexible method that lets you encrypt the traffic of legacy apps, get around firewalls and safely access remote resources. By extending connectivity options beyond standard methods, SSH port forwarding makes it possible to access resources that might not be available otherwise. It empowers users to navigate restricted networks, bypass firewalls and circumvent geographical limitations.

The following are some significant applications for SSH port forwarding:

  • SSH port forwarding enables you to securely access devices and services running on a private network from anywhere on the internet. This is particularly useful for remote work, accessing home devices while away, or managing servers remotely.
  • SSH port forwarding can add encryption to legacy applications that do not support secure communication protocols. This can help protect your data from interception and eavesdropping when using these applications over public networks.
  • Through SSH port forwarding, you can get past firewalls and access resources that your network’s security policies might be blocking. This can be useful for testing apps, resolving network problems, and getting access to geo-restricted material.
  • SSH port forwarding can be used to establish virtual private network (VPN) connections, allowing you to securely connect to a remote network as if you were physically present.
  • SSH port forwarding can be used to test and debug web applications running on remote servers.
  • SSH port forwarding can be used to securely access remote file shares, such as network file systems (NFS) or server message block (SMB) shares, over an encrypted connection.
  • In countries with internet censorship or surveillance, SSH port forwarding can be used to bypass restrictions and access blocked websites or services. 

 

Frequently Asked Questions

What are the different types of SSH port forwarding?

There are three types of SSH port forwarding.

  1. Local Port Forwarding: Redirects traffic from a local port on the client machine to a specified port on a remote server through an SSH connection.
  2. Remote Port Forwarding: Redirects traffic from a port on the remote server to a specified port on the client machine, allowing external access to local services.
  3. Dynamic Port Forwarding: Creates a dynamic SOCKS proxy on the client machine, enabling multiple applications to securely route their traffic through the SSH connection.

How secure is SSH port forwarding?

SSH port forwarding is generally considered secure as it encrypts traffic passing through the SSH tunnel, providing a secure channel for data transmission between the client and the SSH server. 
