I feel confused about ssh port forwarding and the difference between ssh local and remote port forwarding. Could you please explain them in detail and with examples? Thanks!
@slm Really? Neither "local" nor "remote" appears in the whole text and that is supposed to be a duplicate...? – Hauke Laging Feb 19 '14 at 15:42
@HaukeLaging - thanks I linked the wrong one, this is the one I meant. How does reverse SSH tunneling work?. Sorry about that. – slm Feb 19 '14 at 15:48
2 Answers
I have drawn some sketches
Introduction
local:
-L Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side.
ssh -L sourcePort:forwardToHost:onPort connectToHost
means: connect with ssh to connectToHost, and forward all connection attempts to the local sourcePort to port onPort on the machine called forwardToHost, which can be reached from the connectToHost machine.
remote:
-R Specifies that the given port on the remote (server) host is to be forwarded to the given host and port on the local side.
ssh -R sourcePort:forwardToHost:onPort connectToHost
means: connect with ssh to connectToHost, and forward all connection attempts to the remote sourcePort to port onPort on the machine called forwardToHost, which can be reached from your local machine.
Examples
Example for 1
ssh -L 80:localhost:80 SUPERSERVER
You specify that a connection made to the local port 80 is to be forwarded to port 80 on SUPERSERVER. That means if someone connects to your computer with a webbrowser, he gets the response of the webserver running on SUPERSERVER. You, on your local machine, have no webserver running.
Example for 2
ssh -R 80:localhost:80 tinyserver
You specify that a connection made to the port 80 of tinyserver is to be forwarded to port 80 on your local machine. That means if someone connects to the small and slow server with a webbrowser, he gets the response of the webserver running on your local machine. The tinyserver, which has not enough diskspace for the big website, has no webserver running. But people connecting to tinyserver think so.
More examples
Other things could be: The powerful machine has five webservers running on five different ports. If a user connects to one of the five tinyservers at port 80 with his webbrowser, the request is redirected to the corresponding webserver running on the powerful machine. That would be
ssh -R 80:localhost:30180 tinyserver1
ssh -R 80:localhost:30280 tinyserver2
etc.
Or maybe your machine is only the connection between the powerful and the small servers. Then it would be (for one of the tinyservers that play to have their own webservers):
ssh -R 80:SUPERSERVER:30180 tinyserver1
ssh -R 80:SUPERSERVER:30280 tinyserver2
etc
Thank you for your detailed answers. But I still feel confused about the data flow. In example 1, someone connects to my computer and send a request to me, then I send the request to SUPERSERVER, then SUPERSERVER send me the response data and I send the data to someone? right? – user2886717 Feb 20 '14 at 02:23
The request is sent to your port 80. Your ssh is listening on that port and takes the data (the request) and moves it secretly through your ssh connection to the SUPERSERVER’s sshd. The SUPERSERVER sshd resends this data (request) to port 80 of localhost (which is SUPERSERVER, because localhost refers to the local machine). Then all the way back. Maybe I should add a drawing. – erik Feb 20 '14 at 14:02
I used the open source vector drawing tool called Inkscape and my mice (well, actually it is a trackball: Marble FX from Logitech). – erik Mar 24 '15 at 22:02
Excellent! These sketches communicate way more than the 10+ blog posts I just read, and much faster. – devth Oct 07 '15 at 15:01
So when someone is behind a firewall that forbids access to, say, bbc.co.uk, they can create a remote port forward to bypass this restriction, right? This is a nice answer but I feel it could be improved by stating the problems it tries to solve – Maria Ines Parnisari Nov 08 '16 at 13:44
So calling
SUPERSERVER$ ssh -R 80:SUPERSERVER:30180 tinyserver
is in fact equal to calling
tinyserver$ ssh -L 80:localhost:30180 SUPERSERVER
I mean it achieves the same thing - all connections to tinyserver:80 will be forwarded to SUPERSERVER:30180, right? – redacted May 31 '17 at 08:33
@RobinNemeth: Yes, both local and remote forwarding achieve the same if started from the remote or local machine. But your first command could be even easier, because if you start it from SUPERSERVER you can just reference to its localhost (the localhost of SUPERSERVER). I.e.
SUPERSERVER$ ssh -R 80:localhost:30180 tinyserver
(my third image). – erik Jun 06 '17 at 01:16
I found the graphics hard to understand. But the text explanation below was great. – Nov 30 '18 at 14:25
@CMCDragonkai -D is like -L but instead of forwarding to a specific "faraway" host/port, SSH acts as a SOCKS proxy to the remote host. – augurar Dec 06 '18 at 01:54
These images look familiar: https://en.wikipedia.org/wiki/Tunneling_protocol#SSH – Thomas Hirsch Aug 27 '19 at 15:56
@ThomasHirsch And if you look at the description of the image and the date, you’ll see that someone redid my graphics – with worse colors, more rectangular but less beautiful and intuitive. And much lower quality (png raster graphics instead of svg vector graphics). And, unfortunately, the wording in the image is worse, so that you don’t know which is your host where you execute the command. It’s a pity to see this. Poor people in the world who didn’t find this stackexchange question. See here for other tries: https://commons.wikimedia.org/wiki/Category:SSH – erik Aug 28 '19 at 16:34
@erik I find explanation of example #1 quite confusing. Shouldn't it say
"You specify that a connection made to the local port 8080 is to be forwarded to port 80 on SUPERSERVER. That means if someone connects to your computer with a webbrowser, using port 8080, he gets the response of the webserver running on SUPERSERVER on port 80. You, on your local machine, have no webserver running."
? – marxin Mar 03 '20 at 16:06
@erik Ah, I see what happened there. Someone edited your post and the changes they added do not seem to be correct. It's quite sad it went through – marxin Mar 03 '20 at 16:09
@marxin: Thanks for your comment. I think the images make it all clear. I don’t know why complicated written examples have to be wrongly corrected. I made a rollback. – erik Mar 05 '20 at 15:50
It is May of 2021 and these sketches are still the best things in the world. – wheeler May 10 '21 at 03:33
Love your drawing, use them every once in a while! Would be great if you could add the ssh_config lines to your drawings. – milkpirate Sep 02 '21 at 13:22
For a real-life example of ssh -L 123:farawayhost:456 remotehost, see What is ssh -L 123:farawayhost:456 remotehost? – Rick Nov 02 '21 at 02:36
Local Port forwarding
ssh creates an additional local port which it will forward to a port on the remote system.
example
ssh -L 8080:127.0.0.1:80 user@webserver
Then, in your browser on the local machine, use the URL http://localhost:8080/
It will connect to the local machine's port 8080, which ssh will forward on to the remote ssh, and it will then make a request to 127.0.0.1:80. Note that 127.0.0.1 is actually the remote server's localhost, but it could have been a host/IP available on the remote machine's network.
Remote forward
Asks ssh to create a listening port on the remote machine which it will forward back (Reverse) to the local ssh to forward on.
ssh -R 10123:127.0.0.1:123 user@webserver
So, after ssh connects to webserver, the remote ssh creates and listens on port 10123. When a process on webserver connects to 10123, ssh will pick it up and send it back to the local machine's ssh, which sends it on to port 127.0.0.1:123.
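
The following is an added example, not part of either answer above: it parses a -L or -R argument and reports which side listens, which side makes the final connection (and therefore where a name like localhost resolves), which address the listener binds to under the default GatewayPorts setting, and the matching ssh_config line. The names parse_forward and Forward are hypothetical, and the last sample spec (with a bind address) is constructed.

```python
import re
from typing import NamedTuple

# [bind_address:]port:host:hostport; IPv6 literals are written in [brackets]
_SPEC = re.compile(
    r"^(?:(?P<bind>\[[^\]]*\]|[^:\[\]]*):)?(?P<port>\d+):"
    r"(?P<host>\[[^\]]+\]|[^:\[\]]+):(?P<hostport>\d+)$"
)

class Forward(NamedTuple):
    listener: str     # side whose ssh/sshd opens the listening socket
    bind: str         # "loopback", "all interfaces" or an explicit address
    port: int
    needs_root: bool  # listening ports below 1024 are privileged
    connector: str    # side that opens the final TCP connection
    host: str         # resolved on the connector side ("localhost" is that machine)
    hostport: int
    config: str       # equivalent ssh_config(5) line

def parse_forward(flag: str, spec: str) -> Forward:
    """Explain one -L or -R argument (hypothetical helper, not part of OpenSSH)."""
    if flag not in ("-L", "-R"):
        raise ValueError("only -L and -R are handled")
    m = _SPEC.match(spec)
    if m is None:
        raise ValueError(f"not a [bind:]port:host:hostport spec: {spec!r}")
    port, hostport = int(m["port"]), int(m["hostport"])
    if not (0 < port < 65536 and 0 < hostport < 65536):
        raise ValueError("port out of range")  # -R port 0 (server-chosen) not handled
    listener, connector = ("client", "server") if flag == "-L" else ("server", "client")
    raw = m["bind"]
    if raw is None:
        bind = "loopback"            # default while GatewayPorts is "no"
    elif raw in ("", "*"):
        bind = "all interfaces"      # for -R, sshd must also allow it via GatewayPorts
    else:
        bind = raw.strip("[]")
    keyword = "LocalForward" if flag == "-L" else "RemoteForward"
    listen = str(port) if raw is None else f"{raw}:{port}"
    config = f"{keyword} {listen} {m['host']}:{hostport}"
    return Forward(listener, bind, port, port < 1024, connector,
                   m["host"].strip("[]"), hostport, config)

if __name__ == "__main__":
    # Commands quoted on this page, plus one constructed spec with a bind address.
    for flag, spec in [("-L", "80:localhost:80"), ("-R", "80:SUPERSERVER:30180"),
                       ("-L", "8080:127.0.0.1:80"), ("-R", "10123:127.0.0.1:123"),
                       ("-R", "*:8080:localhost:80")]:
        print(flag, spec, "->", parse_forward(flag, spec))
```

With the defaults, the listening port is reachable only from the listening machine itself; a bind address of `*` (or an empty one) is what makes it reachable from other hosts.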
