SSH port forwarding, sometimes referred to as SSH tunneling, is a method for safely transmitting data over an encrypted SSH connection between a local and distant server. It allows users to securely connect to resources or services that firewalls could otherwise prevent or restrict.
What Is SSH Port Forwarding (SSH Tunneling)?
SSH port forwarding, also known as SSH tunneling, is the process of transmitting data over an encrypted secure shell connection between a local and distant server. It allows users to access services that firewalls would otherwise restrict or prevent.
What Is SSH Port Forwarding?
SSH port forwarding, or SSH tunneling, is a secure networking technique where data is exchanged between devices — like a local and remote machine — using an SSH connection.
SSH (Secure Shell) is a network communication protocol that uses cryptography to enable remote, encrypted connections to and from devices, allowing two computers to share data and communicate securely over unsecured networks. By encrypting data, SSH port forwarding enhances security transmitted through the tunnel and protects it from potential interception or eavesdropping. It is a powerful feature often used by system administrators, developers and users needing secure access to resources across different networks or to bypass network restrictions.
There are three types of SSH port forwarding:
- Local port forwarding: Redirects traffic from a local port on the client machine to a specified port on a remote server via an SSH connection.
- Remote port forwarding: Redirects traffic from a port on the remote server to a specified port on the client machine.
- Dynamic port forwarding: Creates a SOCKS proxy on the client machine, enabling the forwarding of traffic from various applications through the SSH connection.
We will explore the different types of port forwarding in detail later in the article. First, let’s understand how port forwarding works and how to perform it.
How to Port Forward
Port forwarding (or port mapping), is a computer networking technique that enables desired internet traffic to be sent to a particular device on a private network. In order to reroute the incoming traffic, rules are created on a router or firewall.
Here’s a general guide on how to port forward:
- Identify the external port. Choose an external port number that will be used to access the device on the internal network. This port number should not be used by any other service on the internet.
- Identify the internal IP address and port. Determine the private IP address of the device you want to make accessible and the port number it uses for the service you want to expose.
- Create a port forwarding rule. Access the router’s configuration interface and create a port forwarding rule. This rule will map the external port number to the internal IP address and port number.
- Activate the rule. Save the port forwarding rule and activate it. Once activated, the router will start redirecting incoming traffic on the specified external port to the designated device and port on the internal network.
Here are two examples of creating rules for a router or firewall to enable port forwarding:
Port Forwarding Example 1
Let’s say you want to forward a specific port to a specific device. In this case, it’s port 80 (HTTP) to a web server with the IP address 192.168.1.100. To do this, you would create the following rule:
- Protocol: TCP
- Source: Any
- Destination: Router’s public IP address
- Port: 80
- Forward to: 192.168.1.100
- Port: 80
This rule will tell the router to forward any traffic that is sent to port 80 on its public IP address to port 80 on the web server with the IP address 192.168.1.100.
Port Forwarding Example 2
In this second example, we’ll forward a range of ports to a specific device. Let’s say you want to forward ports 25-26 (SMTP) to a mail server with the IP address 192.168.1.101. To do this, you would create the following rule:
- Protocol: TCP
- Source: Any
- Destination: Router’s public IP address
- Port: 25-26
- Forward to: 192.168.1.101
- Port: 25-26
This rule will tell the router to forward any traffic that is sent to ports 25-26 on its public IP address to ports 25-26 on the mail server with the IP address 192.168.1.101.
Why Is Port Forwarding Important?
Port forwarding is crucial when it comes to networking and gaining access to resources inside private networks. The following are some of the main reasons for port forwarding’s importance:
- Accessing services from outside the local network: Port forwarding allows external users or devices from the internet to access services, applications, or resources hosted on devices within a private network.
- Running specialized applications: Port forwarding ensures the applications can send and receive data through the required ports, enabling them to work correctly.
- Gaming and peer-to-peer connections: Gamers often utilize port forwarding to host game servers or participate in multiplayer games by allowing incoming connections through specific ports.
- Enabling remote management and control: It facilitates remote management of devices like cameras, IoT devices or network-attached storage (NAS) systems within the local network.
- Security and control: It enables selective opening of ports, ensuring that only specific services or applications are accessible, thereby reducing the risk of unauthorized access.
- Flexibility in network configuration: Port forwarding provides flexibility in network configuration, allowing users to customize how incoming traffic is directed and which devices or services are reachable from outside the local network.
Prerequisites for Port Forwarding
Through the process of port forwarding, incoming network traffic is redirected from one router or firewall port to another port on a particular local network device. There are a few requirements and things to keep in mind before setting up port forwarding:
- Access to router configuration: You must have administrative access to the router or gateway device responsible for managing network traffic. Typically, this involves accessing the router’s web-based interface via a web browser.
- Static IP address or DHCP reservation: It’s recommended to assign a static IP address to the device within the local network that will receive the forwarded traffic. Alternatively, use DHCP reservation to ensure the device consistently gets the same IP address from the router's DHCP server.
- Understanding the service and port numbers: Identify the service or application for which you want to set up port forwarding. Different services and applications use specific port numbers (e.g., HTTP uses port 80, FTP uses port 21, SSH uses port 22).
- Security considerations: Assess the security implications of opening specific ports to incoming traffic. Only forward ports that are necessary for the intended service or application, and avoid exposing unnecessary ports to minimize security risks.
- Router’s interface and port forwarding settings: Understand the terminology and options related to port forwarding in the router’s settings, such as internal and external ports, protocols (TCP/UDP), and the target device’s IP address.
- Checking firewall settings: Ensure that the router’s firewall or any software firewall on the target device does not block incoming connections to the port being forwarded.
- Connectivity: After configuring port forwarding, test the connectivity from an external network to ensure that the service or application is accessible as intended.
Local Port Forwarding
When a user needs to access a resource or service located on a remote server but is unable to do so directly because of firewall settings, network configurations or private network limitations, local port forwarding is utilized.
This involves using a SSH to establish a secure tunnel between a local machine (the client) and a remote server. It allows users to access services or resources on the destination server that are otherwise inaccessible because of firewall settings or network limitations.
To establish local port forwarding, the user initiates an SSH connection to the remote server with the -L
option followed by the forwarding specifications. The syntax for setting up local port forwarding is:
ssh -L [local_port]:[destination_address]:[destination_port] [username]@[ssh_server]
For example, suppose a user wants to access a web server (port 80) located on a remote server with IP address 192.168.1.100, but direct access to port 80 is blocked. The user can use local port forwarding to redirect local port 8080 to the remote server’s port 80.
Command:
ssh -L 8080:192.168.1.100:80 user@remote_server
Remote Port Forwarding (Reverse Tunneling)
Remote port forwarding, also known as reverse tunneling, is used when a user needs to allow external access to a service or application hosted on their local machine, typically behind a firewall or router, and make it accessible to a service or application running on a remote server.
This technique, which is also called reverse tunneling, is used to create a secure connection between a remote server and a local computer or device. Remote port forwarding reroutes traffic from a specified port on the remote server to a designated port on the local machine. This is in contrast to local port forwarding, which forwards data from a local machine to a remote server.
To initiate remote port forwarding, the user configures an SSH connection to the remote server with the -R
option followed by the forwarding specifications. The syntax for setting up remote port forwarding is:
ssh -R [remote_port]:[destination_address]:[local_port] [username]@[ssh_server]
For example, suppose a user wants to allow access to a web server (running on port 8080) hosted on their local machine (with private IP 192.168.1.10) from a remote server with public IP 123.45.67.89. The user can use remote port forwarding to redirect traffic from the remote server’s port 80 to their local machine’s port 8080.
Command:
ssh -R 80:192.168.1.10:8080 [email protected]
Dynamic Port Forwarding
Dynamic port forwarding enables users to create a secure tunnel between their local machine and a remote SSH server, turning the SSH server into a proxy server.
This technique enables users to establish a dynamic SOCKS proxy over an SSH connection. Dynamic port forwarding creates a general-purpose encrypted tunnel that can redirect traffic from many ports and applications over the SSH connection. This is different from local and remote port forwarding, which redirects specific ports to specific destinations.
Dynamic port forwarding is used for a variety of purposes. Such as: Accessing blocked websites or services, bypassing censorship and protecting your privacy. When you use dynamic port forwarding, your traffic is encrypted and routed through the SSH server, which makes it more difficult for third parties to track or intercept your activity.
To initiate dynamic port forwarding, the user configures an SSH connection to the remote server with the -D
option followed by a chosen local port number.
The syntax for setting up dynamic port forwarding is:
ssh -D [local_port] [username]@[ssh_server]
After initiating the SSH connection with dynamic port forwarding, a SOCKS proxy is created on the specified local port (e.g., 1080) on the client machine. Applications or services on the client machine can be configured to use this SOCKS proxy (localhost:port)
as a gateway to route their network traffic through the SSH tunnel to the remote server.
The SSH server forwards the traffic to the final destination addresses, acting as a mediator for all the connections initiated through the SOCKS proxy. Dynamic port forwarding in SSH provides a versatile method for securely tunneling traffic from multiple applications or services through an encrypted connection to a remote SSH server.
Security Concerns of Port Forwarding
Although port forwarding is a helpful tool for connecting to distant devices and services, if it isn’t done appropriately, it may cause security issues. The following are the primary safety concerns with port forwarding:
- Unauthorized access: Attackers may use exposed ports to obtain unauthorized access to your devices and data. This might result in malware infestations, data breaches or even compromising your whole network.
- Denial-of-service attacks: Attackers can target open ports with Denial-of-Service (DoS) attacks, overwhelming the devices and making them unavailable to legitimate users. This can disrupt operations and cause significant downtime.
- Malware installation: Attackers can use port forwarding vulnerabilities to install malware on your devices, allowing them to control your devices and steal data. This can lead to identity theft, financial losses and reputation damage.
- Misconfigurations and vulnerabilities: Improper port forwarding configurations or vulnerabilities in the services you expose can create exploitable weaknesses that attackers can leverage to gain access to your network.
- Increased attack surface: By opening specific ports to the internet, you are essentially creating entry points for potential attackers. Each open port represents a potential vulnerability that can be exploited if not properly secured.
There are a few steps you can take to mitigate the security risks associated with port forwarding. These include:
- Implementing strong authentication mechanisms, such as multi-factor authentication (MFA), for services accessible through forwarded ports.
- Regularly reviewing and updating port forwarding rules and closing unnecessary or unused ports.
- Using firewall rules to limit access to forwarded ports only to trusted IP addresses or ranges.
- Employing intrusion detection/prevention systems (IDS/IPS) to monitor and detect suspicious activities on forwarded ports.
Applications of SSH Port Forwarding
SSH port forwarding is a flexible method that lets you encrypt legacy apps, get around firewalls and safely access remote resources. By extending connectivity options beyond standard methods, SSH port forwarding makes it possible to effortlessly access resources that might not be available otherwise. It empowers users to navigate restricted networks, bypass firewalls, and circumvent geographical limitations.
As for some of its significant applications, SSH port forwarding can:
- Enable users to securely access devices and services running on a private network from anywhere on the internet. This is particularly useful for remote work, accessing home devices while away, or managing servers remotely
- Add encryption to legacy applications that do not support secure communication protocols. This can help protect your data from interception and eavesdropping when using these applications over public networks.
- Let users get outside firewalls and access resources that your network’s security policies might be blocking. This can be useful for testing apps, resolving network problems, and getting access to geo-restricted material.
- Be used to establish virtual private network (VPN) connections, allowing you to securely connect to a remote network as if you were physically present.
- Allow users to test and debug web applications running on remote servers.
- Be used to securely access remote file shares, such as network file systems (NFS) or server message block (SMB) shares, over an encrypted connection.
- Help bypass restrictions and access blocked websites or services in countries with internet censorship or surveillance.
Frequently Asked Questions
What is SSH port forwarding?
SSH port forwarding, or SSH tunneling, is a secure network method where data is transmitted over an encrypted SSH connection between devices, such as a local machine and a remote server. SSH port forwarding applies the Secure Shell (SSH) Protocol, a network communication protocol that enables remote access and communication between computers over an encrypted connection.
What are the different types of SSH port forwarding?
There are three types of SSH port forwarding.
- Local Port Forwarding: Redirects traffic from a local port on the client machine to a specified port on a remote server through an SSH connection.
- Remote Port Forwarding: Redirects traffic from a port on the remote server to a specified port on the client machine, allowing external access to local services.
- Dynamic Port Forwarding: Creates a dynamic SOCKS proxy on the client machine, enabling multiple applications to securely route their traffic through the SSH connection.
How secure is SSH port forwarding?
SSH port forwarding is generally considered secure as it encrypts traffic passing through the SSH tunnel, providing a secure channel for data transmission between the client and the SSH server.