SSH Tunneling: Local, Remote, and Dynamic Port Forwarding
Problem
Need to access a service on a remote network that is not directly reachable, or expose a local service through a remote server.
Solution
Use SSH port forwarding flags: -L for local, -R for remote, -D for dynamic (SOCKS proxy).
# Local forward: access remote DB on localhost:5433
ssh -L 5433:db-internal:5432 user@bastion-host
# Same forward, running in the background with no remote command
ssh -fNL 5433:db-internal:5432 user@bastion-host
# Remote forward: expose local port 3000 as remote port 8080
ssh -R 8080:localhost:3000 user@remote-host
# Dynamic SOCKS5 proxy on local port 1080
ssh -D 1080 -fN user@remote-host
# Multi-hop: forward through a jump host
ssh -J jumpuser@bastion user@internal-host
Why
SSH tunnels encrypt traffic that would otherwise be plaintext and allow bypassing firewall restrictions. The -N flag prevents executing a remote command; -f sends ssh to the background.
Gotchas
- Remote forwarding (-R) requires GatewayPorts yes in sshd_config to bind to non-loopback interfaces on the server.
- The tunnel dies when the SSH session disconnects; use autossh or systemd to keep it alive.
- Some firewalls inspect and block SSH tunnels — GFW-style DPI can detect them.
- ProxyJump (-J) is the modern replacement for the old ProxyCommand hack.
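A server-side check for the GatewayPorts gotcha, added here as an example and not part of the original snippet: it reads the effective configuration that `sshd -T` prints and reports which of -L, -R and -D the server accepts and where -R listeners can bind. The helper name `audit_forwarding` and the sample input are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: summarise the forwarding policy of an sshd from the
# lowercase "keyword value" lines printed by `sshd -T` (effective config).
# Real use (on the server, typically as root): sshd -T | audit_forwarding

# Constructed sample standing in for `sshd -T` output.
SAMPLE_SSHD_T='port 22
allowtcpforwarding yes
gatewayports no
permitopen any
permittunnel no'

# audit_forwarding (hypothetical helper): reads config lines on stdin and
# prints one finding per line, prefixed OK, INFO or WARN.
audit_forwarding() {
  awk '
    { key = tolower($1); $1 = ""; sub(/^ +/, ""); val[key] = tolower($0) }
    END {
      # Fall back to the OpenSSH defaults when a keyword is absent.
      fwd = ("allowtcpforwarding" in val) ? val["allowtcpforwarding"] : "yes"
      gw  = ("gatewayports" in val) ? val["gatewayports"] : "no"
      po  = ("permitopen" in val) ? val["permitopen"] : "any"
      if (fwd == "no") {
        print "OK: TCP forwarding disabled, -L, -R and -D are refused"
        exit
      }
      if (fwd != "remote") {
        print "INFO: local and dynamic forwarding allowed (-L, -D)"
        if (po == "any")
          print "WARN: permitopen=any, forwards can target any host:port the server reaches"
      }
      if (fwd != "local") {
        if (gw == "no")
          print "INFO: remote forwarding allowed (-R), listeners on loopback only"
        else
          print "WARN: remote forwarding allowed (-R), gatewayports=" gw " permits non-loopback listeners"
      }
    }'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_SSHD_T" | audit_forwarding
```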