
SSH Port Forwarding: Access Remote Services Securely

Difficulty: 🟡 Intermediate
Estimated Time: 15 minutes
Prerequisites: [SSH access to remote server, Basic command line knowledge]

What You'll Learn

This section covers essential SSH port forwarding concepts and tools:

  • Local Port Forwarding - Redirect local traffic to remote services
  • SSH Tunneling - Secure encrypted connections to private networks
  • Configuration Management - Automate and persist tunnel setups
  • Background Processes - Run tunnels without blocking terminals

Prerequisites

  • SSH access to a remote server
  • Basic command line knowledge
  • Understanding of ports and networking concepts

Introduction

You've just deployed a service on a remote server — a web app on port 8000, a database tucked away behind a private network, or maybe a staging environment that only exists on internal infrastructure. Now you want to test it, connect to it, or monitor it from your local machine, but direct access is blocked. SSH local port forwarding solves this by allowing you to securely tunnel traffic from your local machine to remote services through an encrypted SSH connection.

Understanding SSH Port Forwarding

SSH port forwarding (or tunneling) allows you to redirect traffic from your local machine to a remote server or service through an encrypted SSH connection.

Syntax Overview:

ssh -L [bind_address:]local_port:remote_host:remote_port user@ssh_server

Key Components:

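  • bind_address (optional): Local address to listen on; if omitted, the port is bound to localhost only
  • local_port: Port on your local machine (e.g., 8000)
  • remote_host:remote_port: Destination host and port, resolved and connected to from the SSH server, not from your machine
  • user@ssh_server: SSH login and server (the jump host) that carries the tunnel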

Use Case 1: Redirect to the Same Remote Server

You want to connect to a service on the remote server itself — for instance, a development server running on port 8000:

ssh -L 8000:localhost:8000 user@remote-server.com

What this does:

  1. You open http://localhost:8000 on your machine
  2. SSH encrypts and forwards the traffic to localhost:8000 on the remote server
  3. You access the remote service as if it were local

Use Case 2: Access a Private Host on the Remote Network

Suppose you need to access a PostgreSQL database located on a private host (db.internal) within the remote network:

ssh -L 8000:db.internal:5432 user@remote-server.com

You can now connect locally using:

psql -h localhost -p 8000 -U your_user your_db

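The database appears to be running locally, even though it's deep in a secured network. Only the leg between your machine and remote-server.com is encrypted by SSH; traffic from the SSH server to db.internal crosses the remote network as ordinary PostgreSQL traffic.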

Optional: Expose the Port to Other Devices

By default, your forwarded port is only accessible on localhost. To make it available to other machines on your local network (not recommended unless required), bind it to all interfaces:

ssh -L 0.0.0.0:8000:localhost:8000 user@remote-server.com

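⚠️ Note: Like any forward, this depends on the SSH server configuration allowing forwarding (AllowTcpForwarding yes). Once the port is bound to 0.0.0.0, any device that can reach port 8000 on your machine can use the tunnel without authenticating to SSH, so restrict it with a local firewall or bind to a specific interface address instead.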

Key Considerations

  • The SSH server must allow TCP forwarding (AllowTcpForwarding yes, which is the OpenSSH default)
  • The local port (8000) must not be in use
  • If your SSH session ends, the tunnel will close
  • For persistent setups, use configuration files or background processes

Automate with ~/.ssh/config

Avoid repeating the same command every time. Add this to your SSH config:

Host my-tunnel
    HostName remote-server.com
    User user
    LocalForward 8000 localhost:8000

Then start the tunnel simply with:

ssh my-tunnel
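
To check which forwards in an SSH config listen beyond loopback (the exposure described under "Optional: Expose the Port to Other Devices"), the following added example, which is not part of the original article, scans LocalForward entries and flags wildcard or non-loopback bind addresses, including forwards with no bind address under the client option GatewayPorts yes. The function names, output format, and sample config are constructed for illustration; Include and Match directives are not handled.

```shell
# Added example, not from the article: flag LocalForward entries that listen
# beyond loopback. Assumes no Include/Match; names and output are illustrative.
audit_forwards() {   # reads ssh_config text from file arguments or stdin
    awk '
    function is_loopback(a) { return a == "localhost" || a == "::1" || a ~ /^127\./ }
    function report(   i, exposed) {
        for (i = 1; i <= n; i++) {
            # An explicit bind_address wins; otherwise GatewayPorts decides.
            exposed = expl[i] ? !is_loopback(bind[i]) : (gw == "yes")
            if (exposed) printf "EXPOSED host=%s listen=%s:%s target=%s\n",
                host, bind[i], port[i], dest[i]
        }
        n = 0; gw = top_gw                    # start the next Host block
    }
    BEGIN { host = "(global)" }
    /^[ \t]*#/ { next }
    { gsub(/=/, " "); key = tolower($1) }     # accept "Keyword=value" too
    key == "host" { report(); host = $2; seen_host = 1; next }
    key == "gatewayports" {                   # first value obtained wins
        if (gw == "") gw = tolower($2); if (!seen_host) top_gw = gw; next
    }
    key == "localforward" {
        n++; dest[n] = $3
        if (match($2, /:[0-9]+$/)) {          # bind_address:port form
            expl[n] = 1; port[n] = substr($2, RSTART + 1)
            b = substr($2, 1, RSTART - 1); gsub(/^\[|\]$/, "", b)
            bind[n] = (b == "" ? "*" : b)     # empty address means all interfaces
        } else { expl[n] = 0; port[n] = $2; bind[n] = "*" }
    }
    END { report() }
    ' "$@"
}

sample_config() {    # constructed sample input, reusing the article hostnames
    cat <<'EOF'
Host my-tunnel
    LocalForward 8000 localhost:8000
Host shared-demo
    LocalForward 0.0.0.0:8000 localhost:8000
Host db-tunnel
    LocalForward 8000 db.internal:5432
    LocalForward 127.0.0.1:8001 localhost:8000
    GatewayPorts yes
EOF
}

sample_config | audit_forwards
```

Run it against a real file with `audit_forwards ~/.ssh/config`; an empty result means every forward it parsed stays on loopback.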

Run the Tunnel in the Background

To keep the tunnel running without locking your terminal:

ssh -f -N -L 8000:localhost:8000 user@remote-server.com

Flags explained:

  • -f: Sends SSH to the background after authentication, just before the session starts
  • -N: No remote command is executed (just the tunnel)

Conclusion

Whether you're accessing a web app, API, or internal database, SSH port forwarding gives you local access to remote services — securely, efficiently, and without exposing public ports. It's a must-have for any developer, DevOps engineer, or system admin working across environments.


Tags: #SSH #Networking #Security #PortForwarding #DevOps