Port forwarding with ssh tunneling

Many of you would have used ssh at some point to control remote servers. It's great and provides an encrypted connection for remote administrations. But you can also use this encrypted tunnel to transfer data from one port to another. And the best thing is data will be transferred all encrypted. Let's see how this works. You can read man ssh for more details and options.

Local Port Forwarding

Suppose you are on a local network behind some firewall. You want to connect to a remote website or a service at some port but that is blocked in your network. But you have ssh access to your server which is outside your network and can access those remote services. In this case you can forward your local port to remote port via ssh. Command -
$ ssh -L 6969:remote:80 user@ssh_server.com -f -N
In this command-
  • '-L'          :  specifies local port forwarding,
  • '6969'     :  is the local port on your machine,
  • 'remote':  is the address of remote server you want to connect to,
  • '80'          :  Remote port you want to connect to,
  • 'user@ssh_server.com' : Your ssh server.
  • '-f'          :  Requests ssh to go to background just before command execution,
  • '-N'          :  Do not execute a remote command.
What's happening here is ssh starts a listener on your machine on port 6969.  Then it connects to the ssh server. Now when you connect to localhost:6969, the request first goes through encrypted tunnel to ssh server and then ssh server requests the remote server and sends response back to you. Hence there's a two way tunnel. This way you can connect to remote port through the tunnel and bypass the firewall restrictions.

Socks5 Proxy

You can use ssh tunnel as socks5 proxy too. Command -
$ ssh -D 6969 user@ssh_server.com -f -N
  • '-D'          :  specifies socks5 tunnel
  • '6969'     :  is the local port on your machine,
  • '-f'          :  Requests ssh to go to background just before command execution,
  • '-N'          :  Do not execute a remote command.
  • 'user@ssh_server.com' : Your ssh server.
Now open up your browser settings and in networks section you will see option to add socks5 proxy. Add it as localhost:6969. And you have a working socks5 proxy.

Remote Port Forwarding

This can be really useful in many cases like when you want to host something locally or even waiting for a reverse shell. Most of the time we are behind some NAT or can't do port forwarding from router. This will help you share your local server with the internet. You can read more on networks and port forwarding here. So when you are behind a NAT, your server can't be accessed from internet without port forwarding. But if you have a ssh server, you can setup a listener on ssh server which will forward all requests to your local server. Hence your local server can be accessed from internet. For this you need to change some settings on your ssh server. Open
sudo nano /etc/ssh/sshd_config
and change option for GatewayPorts to yes.  And restart ssh service.
$ sudo systemctl restart sshd
$ sudo service ssh restart
depending on your distribution. Then the command at your localhost-
$ ssh -R 8080:localhost:6969 user@ssh_server.com -N
  • '-R'          :  specifies remote port forwarding
  • '8080'     :  is the port on ssh server
  • '6969'     :  port on which listener is running on your localhost
  • '-N'          :  Do not execute a remote command.
  • 'user@ssh_server.com' : Your ssh server.
This command starts listener on port 8080 on ssh server and forwards all requests on that to your 'localhost:6969' where your server you want to share would be listening

Now you can host a server on localhost and also receive your reverse shells at 'ssh_server.com:8080' depending on network configuration.


Popular Posts