Master SSH Secure Tunnels: Local, Remote, and Dynamic Port Forwarding Explained
This guide walks through SSH secure tunneling techniques—including local, remote, and dynamic port forwarding—detailing command syntax, option usage, binding address considerations, and practical examples for accessing otherwise unreachable services through encrypted tunnels.
1.1 SSH Secure Tunnel (Part 1): Local Port Forwarding
When host1 cannot directly communicate with host2 but both can reach host3, you can forward host2's HTTP port through host3 using SSH local port forwarding.
ssh -L [local_bind_addr:]local_port:remote:remote_port middle_hostExample on host1: # ssh -g -L 2222:host2:80 host3 The -L option creates a listening port (2222) on host1 that forwards traffic to host2:80 via host3. The -g flag allows external hosts to connect to the forwarded port; without it only localhost can access the port.
You can bind the forwarded port to a specific address, e.g.: # ssh -L 172.16.10.5:2222:host2:80 host3 It is recommended to run the tunnel in the background with -f and avoid opening an interactive session with -N:
# ssh -f -N -g -L 22333:host2:22 host31.2 SSH Secure Tunnel (Part 2): Remote Port Forwarding
Remote port forwarding sends traffic received on a remote host back to the local network. Syntax:
ssh -R [bind_addr:]remote_port:host:port remote_hostFrom host3, forward host2's HTTP port to host1: # ssh -R 22333:host2:80 host1 This creates a listening socket on host1:22333 that forwards data through the SSH tunnel to host3, which then contacts host2:80. By default sshd binds remote forwards to the loopback address; to expose them externally enable GatewayPorts in sshd_config and use -g or * as the bind address: # ssh -g -R *:22333:host2:80 host1 Recommended options are -g, -f, and -N:
# ssh -fgN -R 22333:host2:80 host11.3 SSH Secure Tunnel (Part 3): Dynamic Port Forwarding (SOCKS Proxy)
Dynamic forwarding lets SSH act as a SOCKS4/5 proxy, automatically routing traffic based on the application protocol. Syntax: ssh -D [bind_addr:]port remote_host Example on host1: # ssh -Nfg -D 2222 host3 After running this command, host1 listens on port 2222 for SOCKS connections. Configuring a client (e.g., a web browser or QQ) to use host1:2222 as a SOCKS proxy forwards its traffic through the SSH tunnel to host3, which then accesses the internet or the appropriate service on host2.
Both the built‑in SSH client and third‑party tools such as SecureCRT or PuTTY can create dynamic tunnels; the same -f, -N, and -g options are recommended.
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
MaGe Linux Operations
Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.