Understanding SSH Port Forwarding Types

2 min read Data Protection & Compliance

Understanding SSH Port Forwarding Types

SSH supports three distinct types of port forwarding, each serving different use cases and presenting unique security considerations. Understanding these mechanisms enables informed decisions about when and how to deploy port forwarding securely.

Local Port Forwarding creates a secure tunnel from the client to a remote destination through the SSH server. This technique commonly provides encrypted access to services behind firewalls or on private networks:

# Basic local port forwarding syntax
ssh -L [local_addr:]local_port:remote_host:remote_port user@ssh_server

# Example: Access remote database through SSH tunnel
ssh -L 3306:database.internal:3306 user@jumphost.example.com

# Bind to specific local interface
ssh -L 127.0.0.1:8080:webapp.internal:80 user@gateway.example.com

# Multiple forwards in single connection
ssh -L 3306:db.internal:3306 \
    -L 6379:redis.internal:6379 \
    -L 5432:postgres.internal:5432 \
    user@bastion.example.com

Remote Port Forwarding (reverse tunneling) exposes local services through the remote SSH server, useful for providing access to services behind NAT or firewalls:

# Basic remote port forwarding syntax
ssh -R [remote_addr:]remote_port:local_host:local_port user@ssh_server

# Example: Expose local web server through remote host
ssh -R 8080:localhost:80 user@public-server.example.com

# Bind to all interfaces on remote (requires GatewayPorts yes)
ssh -R 0.0.0.0:8080:localhost:80 user@public-server.example.com

# Persistent reverse tunnel with autossh
autossh -M 0 -f -N -R 8080:localhost:80 \
    -o "ServerAliveInterval 30" \
    -o "ServerAliveCountMax 3" \
    user@public-server.example.com

Dynamic Port Forwarding creates a SOCKS proxy through the SSH connection, providing flexible forwarding for multiple destinations:

# Create SOCKS proxy
ssh -D 1080 user@proxy-server.example.com

# Bind to specific interface
ssh -D 127.0.0.1:1080 user@proxy-server.example.com

# Use with applications
curl --socks5 localhost:1080 http://internal-site.example.com