SSH tunneling

Published by Tito on

SSH (Secure Shell) tunneling is a technique that lets you securely forward network traffic through an encrypted SSH connection. It’s essentially a way to “pipe” otherwise insecure or restricted traffic through an SSH session, protecting it from eavesdropping and bypassing firewalls or NAT restrictions.

Pratical Example

You would like to access in your local workstation to a remote database

# localhost open 27018 and map it with 27017 on remote
ssh -L 27018:localhost:27017 user@remotehost
# if your local workstation cannot access to remote host it is possible to user a bastionhost to proxy the connection using the jump flag
ssh -J user@bastionhost -L 27018:localhost:27017 user@remotehost

Why use SSH tunneling?

  • Encryption: All data forwarded through the tunnel is encrypted by SSH, protecting against packet sniffing.
  • Firewall/NAT traversal: You can bypass port blocks by tunneling traffic over the standard SSH port (usually TCP 22).
  • Access control: Only users with SSH credentials (and keys) can establish the tunnel.
  • Simplicity: Requires nothing more than an SSH client and access to an SSH server.

Three main types of SSH port forwarding

  1. Local Port Forwarding (-L)
    Forwards a port on your local machine through the SSH server to a destination host/port on the remote network. # Syntax: ssh -L <local_port>:<target_host>:<target_port> user@ssh-server.example.com # Example: make a local port 8080 tunnel to remote web server ssh -L 8080:web.internal.example.com:80 alice@ssh-gateway.example.com
    • After connecting, visiting http://localhost:8080 on your laptop reaches http://web.internal.example.com:80 through the SSH gateway.
  2. Remote Port Forwarding (-R)
    Forwards a port on the remote SSH server back to a host/port on your local (client) machine or another machine the client can reach. # Syntax: ssh -R <remote_port>:<target_host>:<target_port> user@ssh-server.example.com # Example: expose a local web server to the internet via the SSH server ssh -R 9000:localhost:3000 alice@ssh-gateway.example.com
    • Now anyone who can reach ssh-gateway.example.com:9000 is forwarded to your laptop’s port 3000.
  3. Dynamic Port Forwarding (-D)
    Creates a local “SOCKS proxy” that dynamically forwards traffic over the SSH connection. # Syntax: ssh -D <local_socks_port> user@ssh-server.example.com # Example: start a SOCKS proxy on port 1080 ssh -D 1080 alice@ssh-gateway.example.com
    • Configure your browser or applications to use SOCKS5 proxy at localhost:1080.
    • Any request sent through that proxy will be routed over SSH to the SSH server, then out to its destination.

How it works under the hood

  1. SSH Control Channel: The SSH client and server establish an encrypted control channel.
  2. Port Binding: Based on the forwarding mode:
    • Local: SSH listens on a local port.
    • Remote: SSH listens on the server’s port.
    • Dynamic: SSH listens locally as a SOCKS server.
  3. Data Transport: When a client connects to the forwarded port, SSH forwards the TCP stream through the encrypted channel, then opens a new connection at the destination, all behind the scenes.

Common use cases

  • Securely accessing internal services (databases, intranets) from outside.
  • Browsing safely on untrusted networks by routing web traffic through your home SSH server.
  • Exposing development servers running on your laptop to team members via a central SSH host.
  • Bypassing geo-restrictions or corporate firewalls by tunneling traffic through a remote server.

Security considerations

  • Authentication: Prefer key-based SSH authentication over passwords.
  • Port restrictions: The server’s SSH daemon (sshd) config may restrict which ports you can forward (AllowTcpForwarding, GatewayPorts, etc.).
  • Firewall rules: Even if SSH allows forwarding, firewalls on the server or target hosts may block the tunneled ports.
  • Monitoring: Tunnels can be used maliciously; audit SSH logs if unexpected tunnels appear.

Summary

SSH tunneling (port forwarding) is a flexible, secure way to move arbitrary TCP traffic through an SSH connection:

  • Local (-L): forward a remote service to your machine
  • Remote (-R): publish a local service on the remote side
  • Dynamic (-D): act as a SOCKS proxy for any TCP service

With a single SSH command you gain encrypted channels, firewall traversal, and fine-grained access control — all using tools available on virtually every UNIX-like system (and most SSH clients on Windows).

Categories: BashServer

Related Posts

Js,Ts,Css

Node multithread

Intro Node.js is primarily single-threaded due to its event-driven, non-blocking I/O architecture, which means it handles tasks asynchronously on a single thread, particularly for I/O operations. However, for CPU-intensive tasks or tasks that benefit from Read more…

Server

Kong timeout management

Kong has 3 different timeout connect_timeout: from kong to the micro. Once is connected then the connection is managed by keep-alive HTTP 1/1 open HTTP/2 can be used any reasonable value under 30000 ms read_timeout: end to Read more…

Bash

Flameshot

Flameshot is a powerful and simple-to-use screenshot software Here a mini guide to install and setup in ubuntu 24.04 LTS, XDG wayland Install Flameshot on startup go to startup application select flameshot and press edit Read more…