SSH (Secure Shell) is widely used for connecting to servers. Beyond a single connection, there are many details worth knowing:
- port forwarding
- client options
- server options
Port forwarding allows you to redirect network traffic from one port on a local machine to another port on a remote machine or vice versa.
1. Port Forwarding
Port forwarding is the most commonly used function. There are three kinds:
- Local port forwarding
- Remote port forwarding
- Dynamic port forwarding
1.1 Local Port Forwarding
Local port forwarding is a feature of SSH that allows you to redirect network traffic from a port on your local machine to a specific destination port on a remote server. It enables you to access services or resources on the remote server as if they were running on your local machine.
ssh -L <local_port>:<destination_host>:<destination_port> <username>@<SSH_server>
In the above command:
Example:
Let's say you want to forward local traffic from port 8080 to a web server running on a remote machine with the IP address 192.168.1.100 on port 80. You can use the following command:
ssh -L 8080:192.168.1.100:80 <username>@ssh-server.example.com
This command will establish an SSH connection to ssh-server.example.com and forward any traffic received on your local port 8080 to the remote machine's port 80.
1.2 Remote Port Forwarding
Remote port forwarding is a feature of SSH that allows you to redirect network traffic from a port on a remote server to a specific destination port on your local machine or another machine on your local network. It enables you to expose services or resources running on your local machine to the remote server's network.
ssh -R <remote_port>:<destination_host>:<destination_port> <username>@<SSH_server>
In the above command:
Make sure you have SSH access to the server and the necessary permissions to establish port forwarding.
1.3 Dynamic Port Forwarding
Dynamic port forwarding allows you to create a SOCKS proxy on your local machine that routes traffic through an SSH tunnel and exits from the remote server.
ssh -D <local_port> <username>@<SSH_server>
Replace
Once the SSH connection is established, configure your applications (e.g., web browser) to use the SOCKS proxy with the following settings:
SOCKS Host: localhost
SOCKS Port: the <local_port> you passed to -D
1.4 Server Configuration
To allow port forwarding, the following directives need to be enabled in the server's sshd_config file at /etc/ssh/sshd_config:
AllowAgentForwarding yes
AllowTcpForwarding yes
GatewayPorts yes
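As an added example (not code from the original article), the POSIX shell script below parses the argument syntax shared by sections 1.1 to 1.3, that is [bind_address:]port:host:hostport for -L and -R and [bind_address:]port for -D, validates the port, and reports where the listening socket ends up. That last point is the one most often overlooked: a forward bound to * or an empty bind address listens on every interface of the machine, and for -R the server's GatewayPorts directive from section 1.4 decides the final bind. The hosts, users and ports in it are constructed sample values; bracketed IPv6 bind addresses are not handled.

```shell
#!/bin/sh
# Added example (not from the original article): parse an OpenSSH forwarding
# spec and classify where its listening socket is exposed. Assumes bind
# addresses are IPv4 literals, hostnames or '*' (no bracketed IPv6).
# All hosts and ports used below are constructed sample values.

# classify_forward MODE SPEC
#   MODE is L, R or D. Prints "<mode> listen=<bind>:<port> target=<...> exposure=<...>";
#   returns 1 for a malformed spec or an out-of-range port.
classify_forward() {
  mode=$1 spec=$2
  nf=$(printf '%s' "$spec" | awk -F: '{ print NF }')
  bind_set=no bind=''
  case "$mode:$nf" in
    L:3|R:3|D:1) rest=$spec ;;
    L:4|R:4|D:2) bind_set=yes; bind=${spec%%:*}; rest=${spec#*:} ;;
    *) printf 'invalid -%s spec: %s\n' "$mode" "$spec" >&2; return 1 ;;
  esac
  port=${rest%%:*}
  case $port in
    ''|*[!0-9]*) printf 'invalid port in spec: %s\n' "$spec" >&2; return 1 ;;
  esac
  if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
    printf 'port out of range in spec: %s\n' "$spec" >&2; return 1
  fi
  if [ "$mode" = D ]; then
    target='SOCKS5 proxy'
  else
    rest=${rest#*:}
    target="${rest%%:*}:${rest#*:}"
  fi
  if [ "$mode" = R ]; then
    # The listener lives on the server; sshd's GatewayPorts decides the bind:
    # no = loopback only, yes = all interfaces, clientspecified = as requested.
    exposure='server side, bind decided by sshd GatewayPorts (no: loopback, yes: all interfaces, clientspecified: as requested)'
  elif [ "$bind_set" = no ]; then
    # ssh_config GatewayPorts defaults to no, so -L/-D bind to loopback.
    exposure='local loopback only'
  else
    case $bind in
      ''|'*'|0.0.0.0)      exposure='all local interfaces' ;;
      localhost|127.0.0.1) exposure='local loopback only' ;;
      *)                   exposure="local address $bind only" ;;
    esac
  fi
  if [ "$bind_set" = no ]; then shown='(default)'; else shown=${bind:-'*'}; fi
  printf '%s listen=%s:%s target=%s exposure=%s\n' "$mode" "$shown" "$port" "$target" "$exposure"
}

# build_tunnel_cmd MODE SPEC USER@HOST
#   Prints the ssh invocation for a tunnel-only session (-N: no remote command).
build_tunnel_cmd() {
  classify_forward "$1" "$2" >/dev/null || return 1
  printf 'ssh -N -%s %s %s\n' "$1" "$2" "$3"
}

# Constructed sample specs: the article's -L example plus three variants.
classify_forward L 8080:192.168.1.100:80
classify_forward L '*:8080:192.168.1.100:80'
classify_forward R 9000:localhost:22
classify_forward D 1080
build_tunnel_cmd L 8080:192.168.1.100:80 alice@ssh-server.example.com
```

Run it with sh; each sample spec prints one line. Once a real tunnel is up, ss -ltn (or netstat) on the listening side shows the address the socket is actually bound to, which is the check worth making before leaving a tunnel running.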
2. Client Options
2.1 Options in command line
Here are some additional SSH options that you can use to customize and enhance your SSH connections:
- -C: Enables compression of data during the SSH connection to improve performance over slow network connections. It compresses the data before sending it over the network.
- -F: Specifies an alternative SSH configuration file instead of the default ~/.ssh/config. This allows you to use a custom configuration file for specific SSH connections.
- -N: Prevents executing a remote command when establishing the SSH connection. This option is useful when you only need to set up port forwarding or establish a secure tunnel without running a remote command.
- -T: Disables pseudo-terminal allocation on the remote server. This is useful when you want to run SSH without a terminal, such as for executing SSH commands in scripts.
- -q: Quiet mode. Suppresses most warning and diagnostic messages, making the SSH connection quieter and suitable for scripting purposes.
- -4 and -6: These options force the SSH client to use IPv4 (-4) or IPv6 (-6) addresses, respectively. By default, SSH uses both IPv4 and IPv6.
- -L: Specifies local port forwarding, allowing you to forward traffic from a local port on your machine to a remote server.
- -R: Specifies remote port forwarding, allowing you to forward traffic from a remote port on the server to a local machine.
- -D: Specifies dynamic port forwarding, also known as SOCKS proxy. It allows you to create a local SOCKS proxy on your machine, enabling you to route traffic through the SSH tunnel.
- -o: Allows you to specify configuration options directly on the command line. For example, you can use -o "User=username" to specify the username to use for the SSH connection.
- -v, -vv, -vvv: Increases the verbosity level of the SSH client. Specifying -v increases the level of detail in the debug output, while -vv and -vvv provide even more detailed debugging information.
These options offer additional control and flexibility when using the SSH client (ssh) to connect to remote servers. Remember to refer to the SSH manual (man ssh) for a comprehensive list of options and their descriptions, as well as their specific usage details.
2.2 Client Configuration File
These options can also be written to a configuration file (~/.ssh/config by default, or a file passed with -F) so that they are applied automatically whenever you connect to a matching host.
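As an added example (not from the original article, and not OpenSSH's own code), the script below is a small resolver that mimics how ssh reads a client configuration file, so the rule that matters for security-relevant options such as IdentityFile or ProxyJump becomes visible: for each keyword the first value obtained wins, and Host patterns (with * and ? wildcards and ! negation) decide which blocks apply. The two configuration files it writes are constructed samples; the Keyword=value form and Match blocks are assumed out of scope.

```shell
#!/bin/sh
# Added example (not from the original article): resolve the effective value
# of a keyword from an ssh client config the way ssh does (first value wins).
# Handles "Keyword value" lines, '#' comments, Host patterns with '*', '?'
# and '!' negation. Not handled: "Keyword=value", Match, Include.

# resolve_option CONFIG HOSTNAME KEYWORD
#   Prints the effective value for KEYWORD when connecting to HOSTNAME;
#   returns 1 if no applicable block sets it.
resolve_option() {
  cfg=$1 target=$2
  want=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
  in_scope=yes                      # lines before the first Host block are global
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}                # strip comments
    set -f                          # no pathname expansion of '*' while splitting
    set -- $line
    set +f
    if [ $# -eq 0 ]; then continue; fi
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift
    if [ "$key" = host ]; then
      # A block applies if some positive pattern matches the host and no
      # negated pattern does.
      in_scope=no negated=no
      for pat in "$@"; do
        case $pat in
          !*) case $target in ${pat#!}) negated=yes ;; esac ;;
          *)  case $target in $pat)      in_scope=yes ;; esac ;;
        esac
      done
      if [ "$negated" = yes ]; then in_scope=no; fi
      continue
    fi
    if [ "$in_scope" = yes ] && [ "$key" = "$want" ]; then
      printf '%s\n' "$*"
      return 0
    fi
  done < "$cfg"
  return 1
}

# Constructed sample configs (hypothetical hosts).
CFG_OK=$(mktemp) CFG_BAD=$(mktemp)
trap 'rm -f "$CFG_OK" "$CFG_BAD"' EXIT
cat > "$CFG_OK" <<'EOF'
# Host-specific blocks first, catch-all last, so specific values win.
Host bastion
    HostName bastion.example.com
    User ops
    LocalForward 8080 192.168.1.100:80
    DynamicForward 1080

Host *.internal.example.com !db-*.internal.example.com
    ProxyJump bastion

Host *
    User alice
    Compression yes
    ServerAliveInterval 30
EOF
cat > "$CFG_BAD" <<'EOF'
# The ordering pitfall: the catch-all comes first, so its User silently
# shadows the host-specific value below it.
Host *
    User alice

Host bastion
    User ops
EOF

for h in bastion app-1.internal.example.com db-1.internal.example.com; do
  printf '%s: User=%s ProxyJump=%s\n' "$h" \
    "$(resolve_option "$CFG_OK" "$h" User)" \
    "$(resolve_option "$CFG_OK" "$h" ProxyJump || echo none)"
done
printf 'misordered config: bastion User=%s (host block wanted ops)\n' \
  "$(resolve_option "$CFG_BAD" bastion User)"
```

Run it with sh. On a machine with OpenSSH installed, ssh -G -F <file> <host> prints the configuration ssh itself computes for that host without connecting, which is the authoritative cross-check for any real file.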
3. Server Configuration
The sshd_config file is the main configuration file for the OpenSSH server (sshd). It is typically located in the /etc/ssh/ directory on most Linux-based systems. The sshd_config file contains various settings that control the behavior and functionality of the SSH server. Here are some key configurations you may find in the sshd_config file:
- Port: Specifies the port number on which the SSH server listens for incoming connections. The default is port 22, but it can be changed to enhance security.
- PermitRootLogin: Determines whether the root user is allowed to log in directly via SSH. It can be set to values such as yes, no, or prohibit-password.
- PasswordAuthentication: Specifies whether password-based authentication is allowed for SSH connections. It can be set to yes or no. Disabling password authentication and using key-based authentication is generally recommended for improved security.
- PubkeyAuthentication: Enables or disables public key authentication. It should be set to yes to allow users to authenticate using SSH keys.
- AllowUsers/AllowGroups/DenyUsers/DenyGroups: These directives control which users or groups are allowed or denied access to the SSH server. You can specify individual usernames or group names.
- PermitEmptyPasswords: Determines whether empty passwords are allowed for authentication. It should be set to no to disallow empty passwords.
- ChallengeResponseAuthentication: Enables or disables challenge-response authentication. It should be set to no if you want to disable this authentication method.
- AllowTcpForwarding/AllowStreamLocalForwarding/AllowAgentForwarding: These options control whether specific types of port forwarding are allowed. They can be set to yes or no to enable or disable forwarding capabilities.
- LoginGraceTime: Specifies the time in seconds during which the SSH server allows authentication before closing the connection if the user hasn't successfully logged in. It can help prevent brute-force attacks.
- TCPKeepAlive: Determines whether TCP keep-alive messages are sent to keep SSH connections alive. It should be set to yes for most cases.
These are just a few examples of the many configuration options available in the sshd_config file. It's important to note that modifying the sshd_config file requires root or administrative privileges. After making changes to the file, you need to restart the SSH server (sshd) for the new configuration to take effect.
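As an added example (not from the original article) covering both the forwarding directives of section 1.4 and the directives listed in this section, the script below audits an sshd_config file in plain sh. Like sshd, it takes the first value set for each keyword and ignores later duplicates, and it stops at the first Match line because everything below it is conditional. The policy it checks against is this example's own and is an assumption drawn from the recommendations above (root login off, password and empty-password logins off, public keys on, GatewayPorts off, LoginGraceTime at most 60 seconds); the default column reflects current OpenSSH defaults. The two config files it writes are constructed samples, and the Keyword=value form is not handled.

```shell
#!/bin/sh
# Added example (not from the original article): a small sshd_config audit.
# First value per keyword wins (as in sshd); parsing stops at "Match".
# The policy below is assumed for this example, not an OpenSSH artefact.

# get_sshd_value FILE KEYWORD: first global value of KEYWORD, or nothing.
get_sshd_value() {
  awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    { sub(/#.*/, "") }                       # drop comments
    NF == 0 { next }
    tolower($1) == "match" { exit }          # conditional section: stop
    tolower($1) == want { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
  ' "$1"
}

# audit_sshd_config FILE: prints one FINDING line per deviation from the policy.
audit_sshd_config() {
  f=$1
  # keyword|OpenSSH default|required value (policy assumed for this example)
  while IFS='|' read -r kw def req; do
    cur=$(get_sshd_value "$f" "$kw")
    if [ -n "$cur" ]; then eff=$cur src=set; else eff=$def src=default; fi
    if [ "$(printf '%s' "$eff" | tr 'A-Z' 'a-z')" != "$req" ]; then
      printf 'FINDING %s is "%s" (%s), policy requires "%s"\n' "$kw" "$eff" "$src" "$req"
    fi
  done <<'EOF'
PermitRootLogin|prohibit-password|no
PasswordAuthentication|yes|no
PubkeyAuthentication|yes|yes
PermitEmptyPasswords|no|no
GatewayPorts|no|no
EOF
  # LoginGraceTime: plain seconds compared against an assumed 60 s ceiling;
  # the OpenSSH default is 120.
  lgt=$(get_sshd_value "$f" LoginGraceTime)
  lgt=${lgt:-120}
  case $lgt in
    *[!0-9]*) printf 'NOTE LoginGraceTime "%s" uses a time suffix; not checked\n' "$lgt" ;;
    *) if [ "$lgt" -gt 60 ]; then
         printf 'FINDING LoginGraceTime is "%s", policy requires 60 or less\n' "$lgt"
       fi ;;
  esac
  return 0
}

# Constructed sample configs.
WEAK=$(mktemp) HARDENED=$(mktemp)
trap 'rm -f "$WEAK" "$HARDENED"' EXIT
cat > "$WEAK" <<'EOF'
# A permissive sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
GatewayPorts yes
AllowTcpForwarding yes
LoginGraceTime 600
# A later duplicate does not override the first value above
PermitRootLogin no
Match User deploy
    PasswordAuthentication no
EOF
cat > "$HARDENED" <<'EOF'
# Key-only logins, root disabled, forwarding kept for tunnels
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
AllowTcpForwarding yes
AllowAgentForwarding yes
GatewayPorts no
LoginGraceTime 30
EOF

echo "== weak =="; audit_sshd_config "$WEAK"
echo "== hardened =="; audit_sshd_config "$HARDENED"
```

Two points the run makes concrete. The tunnels in section 1 only need AllowTcpForwarding yes; GatewayPorts yes is flagged because it forces every -R listener onto all server interfaces, and is only needed when a remote forward must be reachable from other hosts. And because the first value wins, a hardening line appended at the bottom of an existing file changes nothing; sshd -T prints the configuration sshd actually loaded and is the right way to confirm an edit before restarting.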
Summary
In this article, we discussed:
- SSH port forwarding
- Client Options
- Server Configurations