Port Forwarding

SSH port forwarding allows you to access services on a remote server (or a server reachable from it) through an encrypted SSH connection. This is essential for accessing databases, monitoring dashboards, and internal APIs that are protected by firewall rules and not directly reachable from your workstation. Port forwarding is the "secure tunnel" that makes remote administration of private network services practical.

Use case: accessing a database behind a firewall

Scenario: MySQL database on prod-db (10.0.1.20) is firewalled
  - Firewall blocks direct TCP to 10.0.1.20:3306
  - Only port 22 (SSH) is open on the jump server

Solution: SSH local port forward
  Your laptop:3307 ────→ [SSH to jump-server] ────→ 10.0.1.20:3306

  mysql -h 127.0.0.1 -P 3307 -u admin -p
  (connects to prod DB through the encrypted tunnel)

Setting up a local port forward

# Basic syntax: ssh -L [bind_address:]local_port:remote_host:remote_port user@ssh_server

# Access MySQL on a server only reachable via SSH:
ssh -L 3307:localhost:3306 irfan@ssh-server
# Now: mysql -h 127.0.0.1 -P 3307 connects to ssh-server's MySQL

# Access a service on a DIFFERENT host behind the SSH server:
ssh -L 3307:db.internal:3306 irfan@ssh-server
# Now: mysql -h 127.0.0.1 -P 3307 connects to db.internal:3306 via ssh-server

# Run tunnel in background without remote shell (-f = background, -N = no command)
ssh -fNL 3307:db.internal:3306 irfan@ssh-server

# Bind on all interfaces (the default bind is loopback only; with 0.0.0.0,
# any host that can reach your machine can use the tunnel to the database):
ssh -L 0.0.0.0:3307:db.internal:3306 irfan@ssh-server

Verifying the tunnel is working

# Check the tunnel process is running (pgrep does not match itself, unlike ps | grep)
pgrep -af "ssh.*3307"

# Verify the local port is listening
ss -tlnp | grep 3307

# Test connectivity through the tunnel
nc -zv 127.0.0.1 3307

# If the tunnel forwards a web service (here assumed to listen on local port 8080):
curl http://127.0.0.1:8080    # Test HTTP through tunnel

Forwarding through multiple hops

# If you need to reach a service through TWO SSH hops:
# Your machine → bastion → internal-server → database

# Method 1: ProxyJump in ~/.ssh/config handles it automatically:
Host internal-server
    HostName 10.0.1.10
    ProxyJump bastion

# Then: ssh -L 3307:db:3306 internal-server
# Creates tunnel: you:3307 → bastion → internal-server → db:3306

# Method 2: Manual two-hop tunnel (without config file):
# Step 1: Forward to bastion
ssh -fNL 2222:internal-server:22 irfan@bastion

# Step 2: Forward through the first tunnel to the DB
ssh -fNL 3307:db:3306 -p 2222 irfan@127.0.0.1

Enabling port forwarding in sshd_config

# Port forwarding is enabled by default on Ubuntu SSH servers
# To disable it on hardened servers where it should not be used:
# In /etc/ssh/sshd_config (comments go on their own lines; older OpenSSH
# releases reject text after the value):
# Disable all TCP port forwarding
AllowTcpForwarding no
# Disable UNIX socket forwarding
AllowStreamLocalForwarding no

# GatewayPorts: allow remote-forwarded ports to bind on all interfaces
# (disabled by default, keep disabled unless specifically needed)
# Global settings must come before any Match block, because a Match block
# runs until the next Match line or the end of the file.
GatewayPorts no

# Enable only for specific users (override the global disable):
Match User deploy
    AllowTcpForwarding yes
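
sshd uses the first value it obtains for each keyword, and a Match block extends to the next Match line or the end of the file, so the position of a directive decides whether it is global or conditional. The shell function below is an added example, not part of the original article: it reads sshd_config text and reports the scope in which each forwarding keyword is set. The name audit_forwarding and the sample configuration are constructed for illustration; it assumes whitespace-separated "Keyword value" lines and does not follow Include directives.

```shell
#!/bin/sh
# Added example (not from the original article).
# audit_forwarding reads sshd_config text on stdin and prints
#   scope<TAB>keyword<TAB>value
# for the forwarding keywords, following two sshd parsing rules:
#   1. for each keyword, the first value obtained wins
#   2. a Match block runs until the next Match line or end of file
# Assumptions: "Keyword value" separated by whitespace; Include is not followed.
audit_forwarding() {
  awk '
    BEGIN {
      scope = "global"
      # sshd defaults used when a keyword is never set globally
      def["allowtcpforwarding"] = "yes"
      def["allowstreamlocalforwarding"] = "yes"
      def["gatewayports"] = "no"
    }
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    {
      key = tolower($1); val = tolower($2)
      if (key == "match") {                  # everything after this is conditional
        $1 = ""; sub(/^[ \t]+/, ""); scope = "match " $0; next
      }
      if (!(key in def) || ((scope, key) in seen)) next
      seen[scope, key] = 1
      if (scope == "global") glob[key] = val
      printf "%s\t%s\t%s\n", scope, key, val
    }
    END {
      for (k in def)
        if (!(k in glob)) printf "global\t%s\t%s (default)\n", k, def[k]
    }'
}

# Constructed sample: GatewayPorts is written after the Match line,
# so it applies only to user deploy, not globally.
SAMPLE_CONFIG='AllowTcpForwarding no
AllowStreamLocalForwarding no
Match User deploy
    AllowTcpForwarding yes
GatewayPorts no'

printf '%s\n' "$SAMPLE_CONFIG" | audit_forwarding
```

On a live server, `sudo sshd -T` prints the effective global configuration, which can be compared against this report.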

Conclusion

SSH local port forwarding (-L) is the standard way to access services in a private network: run ssh -fNL localport:remote_host:remoteport user@ssh_server in the background, then connect to localhost:localport as if the service were local. Verify with ss -tlnp | grep localport that the tunnel is listening. For persistent tunnels that survive network interruptions, use autossh. Disable AllowTcpForwarding in sshd_config on servers where tunneling creates a security risk.

FAQ

Is Port Forwarding important for Ubuntu administrators?

Yes. It is how administrators reach databases, monitoring dashboards, and internal APIs that sit behind firewall rules, which makes it part of day-to-day security, troubleshooting, and operations work.

Should I practice this on a live server?

Use a lab VM first. After you understand the command output and rollback path, apply the workflow carefully on real systems.

What should I do after reading this article?

Run the practice commands, write down what each one shows, and continue to the next article in the Ubuntu roadmap.
