Master SSH Secure Tunnels: Local, Remote, and Dynamic Port Forwarding Explained
This guide walks through SSH secure tunneling techniques—including local, remote, and dynamic (SOCKS) port forwarding—detailing command syntax, option effects, binding addresses, and practical examples for accessing otherwise unreachable services across network boundaries.
1.1 SSH Secure Tunnel (Part 1): Local Port Forwarding
When host1 cannot directly communicate with host2 but both can reach an intermediate host3, SSH local port forwarding creates a secure tunnel that maps a remote service (e.g., host2:80) to a local port on host1.
Syntax:
ssh -L [local_bind_addr:]local_port:remote:remote_port middle_host
Example:
# ssh -g -L 2222:host2:80 host3
The -L option tells SSH to listen on port 2222 on host1 and forward any traffic to host2's port 80 via host3. The -g flag allows external hosts to connect to the forwarded port; without it only localhost can access the tunnel.
Binding to a specific address is possible:
# ssh -L 172.16.10.5:2222:host2:80 host3
Now host1 (or any host that can reach 172.16.10.5) can use 172.16.10.5:2222 to reach host2:80. It is recommended to always use -g when the forwarded service should be reachable beyond the local machine.
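The listen address of a forward is the security-relevant detail in the commands above: a tunnel bound to loopback is private to host1, one bound to a wildcard is reachable by every host that can route to it. The following Python script is an added example (not code from the article or from OpenSSH) that parses the `[bind_addr:]port:host:hostport` specs used by -L, -R and -D and works out where the listener is bound, following the rules documented in ssh(1) and sshd_config(5): for -L and -D the client decides (explicit bind address, else -g, else loopback), while for -R the server's GatewayPorts setting decides, so -g has no effect on a remote forward. Function names and the `kind` letters are this example's own choices.

```python
"""Parse ssh forwarding specs and work out where the listening socket is bound."""

LOOPBACK = "127.0.0.1"
WILDCARD = "*"  # all interfaces


def split_spec(spec):
    """Split a forwarding spec on ':' without breaking bracketed IPv6 literals,
    e.g. '[::1]:2222:host2:80' -> ['::1', '2222', 'host2', '80']."""
    parts, cur, in_bracket = [], "", False
    for ch in spec:
        if ch == "[":
            in_bracket = True
        elif ch == "]":
            in_bracket = False
        elif ch == ":" and not in_bracket:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return parts


def parse_port(text):
    port = int(text)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %r" % text)
    return port


def parse_forward(kind, spec):
    """kind is the option letter: 'L', 'R' or 'D'.
    Returns bind_addr (None when omitted), listen_port and, for L/R, the target."""
    parts = split_spec(spec)
    if kind == "D":
        if len(parts) not in (1, 2):
            raise ValueError("bad -D spec: %r" % spec)
        bind = parts[0] if len(parts) == 2 else None
        return {"kind": kind, "bind_addr": bind, "listen_port": parse_port(parts[-1])}
    if kind in ("L", "R"):
        if len(parts) == 3:
            bind, listen, host, target = None, parts[0], parts[1], parts[2]
        elif len(parts) == 4:
            bind, listen, host, target = parts
        else:
            raise ValueError("bad -%s spec: %r" % (kind, spec))
        if not host:
            raise ValueError("empty target host in %r" % spec)
        return {"kind": kind, "bind_addr": bind, "listen_port": parse_port(listen),
                "target_host": host, "target_port": parse_port(target)}
    raise ValueError("unknown forward kind: %r" % kind)


def _normalize(bind):
    """'' and '*' mean all interfaces, 'localhost' means loopback, anything else is taken as given."""
    if bind in ("", WILDCARD):
        return WILDCARD
    if bind == "localhost":
        return LOOPBACK
    return bind


def listen_address(fwd, client_g=False, server_gateway_ports="no"):
    """Address the listener is bound to.
    -L/-D: client decides. Explicit bind_addr wins; otherwise -g (client GatewayPorts)
           means all interfaces, else loopback.
    -R:    sshd decides via GatewayPorts: 'no' forces loopback, 'yes' forces all
           interfaces, 'clientspecified' honours the client's bind_addr (loopback if none).
    """
    bind = fwd["bind_addr"]
    if fwd["kind"] in ("L", "D"):
        if bind is None:
            return WILDCARD if client_g else LOOPBACK
        return _normalize(bind)
    if server_gateway_ports == "no":
        return LOOPBACK
    if server_gateway_ports == "yes":
        return WILDCARD
    if server_gateway_ports == "clientspecified":
        return LOOPBACK if bind is None else _normalize(bind)
    raise ValueError("unknown GatewayPorts value: %r" % server_gateway_ports)


if __name__ == "__main__":
    # The article's commands, plus constructed variants showing what -g and GatewayPorts change.
    examples = [
        ("L", "2222:host2:80", True, "no"),            # ssh -g -L 2222:host2:80 host3
        ("L", "172.16.10.5:2222:host2:80", False, "no"),
        ("R", "22333:host2:80", False, "no"),          # ssh -R 22333:host2:80 host1
        ("R", "*:22333:host2:80", True, "no"),         # -g is ignored: sshd decides
        ("R", "*:22333:host2:80", False, "clientspecified"),
        ("D", "2222", True, "no"),                     # ssh -Nfg -D 2222 host3
    ]
    for kind, spec, g, gp in examples:
        fwd = parse_forward(kind, spec)
        print("-%s %-28s -g=%-5s GatewayPorts=%-15s -> listens on %s:%d"
              % (kind, spec, g, gp, listen_address(fwd, g, gp), fwd["listen_port"]))
```

Running it shows the point the article's last sentence makes from the other side: `-g -R *:22333:host2:80` still yields a loopback-only listener on host1 unless host1's sshd has GatewayPorts set to yes or clientspecified, so exposure of a remote forward is a server-side policy decision, not something the client can grant itself.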
1.2 SSH Secure Tunnel (Part 2): Remote Port Forwarding
Remote port forwarding reverses the direction: a port on the remote host (host1) is bound and forwarded to a service on another host (host2) through the intermediate host3.
Syntax:
ssh -R [bind_addr:]remote_port:host:port remote_host
Example executed on host3:
# ssh -R 22333:host2:80 host1
This creates a listening socket on host1:22333 that forwards traffic to host2:80 via the secure tunnel to host3. By default sshd binds remote-forwarded ports to the loopback address; to expose them on all interfaces, enable GatewayPorts in /etc/ssh/sshd_config and use a wildcard bind address:
# ssh -g -R *:22333:host2:80 host1
Recommended options for both local and remote forwarding are -f (run in background), -N (no remote command), and -g (allow external connections). A concise command combining them:
# ssh -fgN -R 22333:host2:80 host1
1.3 SSH Secure Tunnel (Part 3): Dynamic Port Forwarding (SOCKS Proxy)
Dynamic port forwarding lets SSH act as a SOCKS4/5 proxy, automatically routing traffic based on the application protocol of the client.
Syntax:
ssh -D [bind_addr:]port remote_host
Example on host1:
# ssh -Nfg -D 2222 host3
SSH opens a local SOCKS proxy on port 2222. Any client configured to use host1:2222 (e.g., a web browser, QQ, or other tools) will have its traffic forwarded through the SSH tunnel to host3, which then accesses the appropriate external service (HTTP, SSH, etc.). This method avoids the need for multiple static port forwards.
Both the SSH client and server must support SOCKS4/5; some client tools (e.g., SecureCRT, PuTTY) provide UI options to enable this proxy without using the command line.
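What makes -D "dynamic" is that the destination is not fixed on the ssh command line; each client connection announces its own target inside a SOCKS5 CONNECT request, and the proxy (here host3, the far end of the tunnel) opens the outbound connection from there. The script below is an added example, not code from the article or from OpenSSH: it implements both sides of a minimal SOCKS5 CONNECT negotiation (RFC 1928, no-authentication method only, as `ssh -D` offers) over a local socketpair, so the exchange can be stepped through offline. Function names are this example's own; "example.com" and the addresses in the test are constructed values.

```python
"""Minimal SOCKS5 CONNECT exchange, client and proxy side, over a socketpair."""
import socket
import struct

SOCKS_VER = 0x05
NO_AUTH = 0x00
NO_ACCEPTABLE = 0xFF
CMD_CONNECT = 0x01
REP_SUCCESS = 0x00
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def build_greeting():
    """VER, NMETHODS, METHODS: offer only 'no authentication'."""
    return bytes([SOCKS_VER, 1, NO_AUTH])


def build_connect(host, port):
    """CONNECT request. IP literals go as ATYP 1/4; hostnames go as ATYP 3 so the
    proxy resolves them (the client never resolves the name locally)."""
    if not 0 < port <= 65535:
        raise ValueError("bad port")
    try:
        addr_part = bytes([ATYP_IPV4]) + socket.inet_pton(socket.AF_INET, host)
    except OSError:
        try:
            addr_part = bytes([ATYP_IPV6]) + socket.inet_pton(socket.AF_INET6, host)
        except OSError:
            name = host.encode("idna")
            if not 0 < len(name) <= 255:
                raise ValueError("hostname length must be 1..255 bytes")
            addr_part = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VER, CMD_CONNECT, 0x00]) + addr_part + struct.pack("!H", port)


def parse_connect(data):
    """Proxy side: return (host, port) from a CONNECT request, rejecting malformed input."""
    if len(data) < 5 or data[0] != SOCKS_VER or data[1] != CMD_CONNECT or data[2] != 0x00:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = data[3]
    if atyp == ATYP_IPV4:
        end = 4 + 4
    elif atyp == ATYP_IPV6:
        end = 4 + 16
    elif atyp == ATYP_DOMAIN:
        end = 5 + data[4]
    else:
        raise ValueError("unknown address type %d" % atyp)
    if len(data) != end + 2:  # address bytes followed by exactly a 2-byte port
        raise ValueError("truncated or trailing bytes in CONNECT request")
    if atyp == ATYP_IPV4:
        host = socket.inet_ntop(socket.AF_INET, data[4:end])
    elif atyp == ATYP_IPV6:
        host = socket.inet_ntop(socket.AF_INET6, data[4:end])
    else:
        host = data[5:end].decode("idna")
    port = struct.unpack("!H", data[end:end + 2])[0]
    return host, port


def run_exchange(host, port):
    """Drive one negotiation over a socketpair (stand-in for the application <-> ssh -D hop)
    and return what the proxy side parsed as the destination."""
    client, proxy = socket.socketpair()
    try:
        # 1. method negotiation
        client.sendall(build_greeting())
        greeting = proxy.recv(257)  # VER + NMETHODS + up to 255 methods
        if greeting[0] != SOCKS_VER or NO_AUTH not in greeting[2:2 + greeting[1]]:
            proxy.sendall(bytes([SOCKS_VER, NO_ACCEPTABLE]))
            raise ValueError("client offered no acceptable method")
        proxy.sendall(bytes([SOCKS_VER, NO_AUTH]))
        if client.recv(2) != bytes([SOCKS_VER, NO_AUTH]):
            raise ValueError("proxy rejected authentication method")
        # 2. CONNECT request; 262 bytes is the largest legal request (255-byte hostname)
        client.sendall(build_connect(host, port))
        dest = parse_connect(proxy.recv(262))
        # 3. reply: success with BND.ADDR 0.0.0.0:0 (a real proxy connects out first)
        proxy.sendall(bytes([SOCKS_VER, REP_SUCCESS, 0x00, ATYP_IPV4]) + bytes(4) + bytes(2))
        reply = client.recv(10)
        if reply[1] != REP_SUCCESS:
            raise ValueError("CONNECT failed with reply %d" % reply[1])
        return dest
    finally:
        client.close()
        proxy.close()


if __name__ == "__main__":
    for target in (("example.com", 80), ("10.0.0.1", 22), ("::1", 443)):
        print("proxy will connect to %s:%d" % run_exchange(*target))
```

The ATYP 3 (domain name) path is the one browsers use when configured for "proxy DNS"; with `ssh -D`, that means name resolution also happens on host3, which is worth knowing both when debugging why a name resolves differently through the tunnel and when auditing what a SOCKS listener exposed with -g lets other hosts reach.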
Source: Liangxu Linux
Liangxu, a self-taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge: fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply "Linux" to receive essential resources.)