Secure Shell (SSH) is a powerful protocol used to securely access and manage network devices over an unsecured network. Beyond its basic function of remote terminal access, SSH offers a versatile feature known as port forwarding. This capability allows administrators and users to redirect network traffic through an encrypted SSH tunnel, adding a layer of security and flexibility to different types of network communications.
SSH port forwarding can be extremely useful for bypassing firewalls, securing communication channels for specific applications, or accessing services on remote servers that are otherwise blocked or inaccessible. There are three common types of SSH port forwarding: Local, Remote, and Dynamic. Each serves distinct use cases and helps resolve complex networking challenges while maintaining robust security.
What is SSH Port Forwarding?
SSH port forwarding involves tunneling network traffic through an SSH session. When you forward a port, SSH listens on a specified port on the local or remote machine and routes data through a secure tunnel to a corresponding port on another machine. This not only ensures privacy and integrity via encryption, but also simplifies many networking scenarios where direct access is limited or unsafe.
Each type of SSH port forwarding serves different goals and leverages unique mechanisms to function. Below, we examine each one in detail.
1. Local Port Forwarding
Local port forwarding allows you to forward a port from your local machine to a remote server through the SSH tunnel. This is useful when you need to access a remote service that is not exposed to the public internet, or is only accessible internally on the server’s network.
For example, suppose you’re working from your laptop and want to securely access a database server accessible only from within a remote company network:
ssh -L 3306:internal-db.company.com:3306 user@remote-server.com
In this command:
- -L 3306: Listens on port 3306 on your local machine.
- internal-db.company.com:3306: The destination host and port on the remote network.
- user@remote-server.com: The SSH server you’re connecting to, which has access to the internal database.
Once the tunnel is established, you can connect to the database using localhost:3306 as if it were running locally. SSH encrypts the traffic between your system and remote-server.com, shielding it from prying eyes on the networks in between; the last hop, from remote-server.com to the database, is an ordinary connection inside the remote network.
2. Remote Port Forwarding
Remote port forwarding is the reverse of local port forwarding. It allows you to expose a port on a remote server and have traffic redirected through an SSH connection to a service running on your local machine. This is ideal in situations where you want someone to access a service on your local machine from a remote server, especially when your machine is behind a firewall or NAT that doesn’t allow incoming connections.
Let’s say you have a development web server running on your home computer at port 8080, and you want a remote colleague to access your app from the internet:
ssh -R 9090:localhost:8080 user@remote-server.com
Key components of the command:
- -R 9090: The remote server will listen on port 9090.
- localhost:8080: Forward incoming traffic to this address on your local machine.
- user@remote-server.com: The SSH server exposed publicly.
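Once connected, your colleague can browse to http://remote-server.com:9090 and the traffic will be carried through the SSH tunnel to the development server on your local machine. For the forwarded port to accept connections from other hosts, the SSH server must have GatewayPorts enabled in sshd_config; by default OpenSSH binds remote forwards to the server's loopback address only. Remote forwarding is commonly used when reverse proxies or VPN solutions are too complex or not available.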
3. Dynamic Port Forwarding
Dynamic port forwarding acts like a proxy server where the SSH client becomes a SOCKS proxy. This allows applications configured to use a proxy (such as a web browser) to securely tunnel traffic through the SSH connection to any destination on the internet.
Dynamic forwarding is initiated with the -D option in SSH:
ssh -D 1080 user@remote-server.com
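This command sets up a SOCKS proxy listening on port 1080 on your local machine. You can then configure your web browser or application to use localhost:1080 as a SOCKS proxy. Traffic from applications configured this way is encrypted between your machine and the SSH server and reaches its destination from the server's IP address, which hides your own address from the sites you visit. Beyond the SSH server the traffic travels as it normally would, so the tunnel does not replace HTTPS.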
Use cases for dynamic forwarding include:
- Bypassing geo-restrictions or censorship in certain regions.
- Protecting sensitive browsing data when on public or insecure networks.
- Testing website behavior from different IP addresses or locations.
Security Considerations
SSH port forwarding offers strong encryption and tunneling features, but just like any powerful tool, it must be used responsibly. Here are some best practices and considerations to maintain network security:
- Disable unused port forwards: Always shut down forwarded ports when not in use to minimize attack surfaces.
- Use strong authentication: Employ key-based authentication and disable password login whenever possible to harden your SSH server.
- Limit forwarding access: Configure your sshd_config file to permit port forwarding only for trusted users or specific IP addresses.
- Monitor connections: Regularly audit SSH sessions and forwards using logging tools or by inspecting process activity.
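One way to check the "limit forwarding access" and "monitor" items above is to audit the server's effective forwarding settings. The script below is an added example, not part of the original article; the sample inputs are constructed in the format printed by `sshd -T`, and the user name dbadmin is hypothetical.

```shell
#!/usr/bin/env bash
# Added example: flag sshd forwarding settings that are wider than needed.
# Input on stdin: effective config in the "keyword value" form of `sshd -T`.
audit_forwarding() {
  awk '
    # OpenSSH defaults, used when a keyword is absent from the input.
    BEGIN { v["allowtcpforwarding"] = "yes"; v["gatewayports"] = "no"
            v["permitopen"] = "any"; v["permitlisten"] = "any" }
    { k = tolower($1); $1 = ""; sub(/^[ \t]+/, ""); v[k] = tolower($0) }
    END {
      fwd = v["allowtcpforwarding"]
      if (fwd == "no") exit          # TCP forwarding is off: nothing to flag
      if (fwd == "yes" || fwd == "all")
        print "allowtcpforwarding=" fwd ": -L, -R and -D open to every matching user"
      if (fwd != "local" && v["gatewayports"] != "no")
        print "gatewayports=" v["gatewayports"] ": -R listeners can bind non-loopback addresses"
      if (fwd != "remote" && v["permitopen"] == "any")
        print "permitopen=any: -L/-D can reach any host:port the server can reach"
      if (fwd != "local" && v["permitlisten"] == "any")
        print "permitlisten=any: -R can listen on any port"
    }'
}

# Constructed sample: stock defaults with GatewayPorts switched on.
SAMPLE_WEAK='allowtcpforwarding yes
gatewayports yes
permitopen any
permitlisten any'

# Constructed sample: effective settings for a user covered by a block such as
#   Match User dbadmin                  (hypothetical user)
#     AllowTcpForwarding local
#     PermitOpen internal-db.company.com:3306
SAMPLE_SCOPED='allowtcpforwarding local
gatewayports no
permitopen internal-db.company.com:3306
permitlisten any'

echo "== weak ==";   printf '%s\n' "$SAMPLE_WEAK"   | audit_forwarding
echo "== scoped =="; printf '%s\n' "$SAMPLE_SCOPED" | audit_forwarding

# On a real host (as root), evaluate Match blocks for one connection:
#   sshd -T -C user=dbadmin,host=client.example,addr=192.0.2.10 | audit_forwarding
```

No output for a given input means none of the four checks fired; the scoped sample passes because only local forwarding to a single named destination is allowed.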
Common Use Cases for SSH Port Forwarding
Whether you are a systems administrator, a developer, or simply someone who wants safer internet access, SSH port forwarding provides a flexible arsenal of techniques for securing and redirecting your traffic. Here are a few real-world scenarios:
- Accessing a corporate intranet web page from home using local forwarding.
- Allowing a peer to test your work-in-progress application via remote forwarding.
- Using dynamic forwarding as a secure proxy on public Wi-Fi networks.
Organizations also use SSH tunnels to manage internal services — such as database administration, mail server management, or remote backups — without exposing these services to the broader internet.
Conclusion
SSH port forwarding is a secure, flexible, and reliable way to tunnel your traffic between systems. Understanding the distinction between local, remote, and dynamic forwarding helps you choose the right tool for the task — whether you’re protecting your data, enabling remote access, or building secure development environments.
As with any security mechanism, the best results come when these features are used with proper access control, regular audits, and a clear understanding of the risks involved. Mastering SSH port forwarding opens up a new realm of what’s possible with secure, remote networking — all under your control.
