Most Linux users are familiar with the SSH protocol as it allows remote management of any Linux system. It's also commonly used for SFTP to download or upload files. SSH is known as a very secure protocol because it encrypts traffic end to end. But the encrypted tunnels it creates are actually quite versatile and can be used for more than just remote server management or file transfer.

SSH port forwarding can be used to encrypt the traffic between two systems for pretty much any protocol. This is accomplished by creating a secure tunnel and then routing another protocol's traffic through that tunnel. By principle, it works very similarly to a VPN.

In this guide, we'll go over the step by step instructions to show you how to use SSH port forwarding to create a secure tunnel for some other application. As an example, we'll create port forwarding for the telnet protocol, which is usually avoided because of how it transfers data in clear text. This will secure the protocol and make it safe to use.

In this tutorial you will learn:
  • How to use SSH port forwarding
  • How to create a persistent SSH tunnel
Creating an SSH tunnel through port forwarding on Linux
Creating an SSH tunnel through port forwarding on Linux

Software Requirements and Linux Command Line Conventions
Category Requirements, Conventions or Software Version Used
System Any Linux distro
Software OpenSSH, AutoSSH
Other Privileged access to your Linux system as root or via the sudo command.
Conventions # - requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command
$ - requires given linux commands to be executed as a regular non-privileged user

How to use SSH port forwarding


SUBSCRIBE TO NEWSLETTER
Subscribe to our NEWSLETTER and receive latest Linux news, jobs, career advice and tutorials.


SSH port forwarding works by forwarding traffic from a specific port on your local system to a port on the remote system. The two ports don't have to be the same. As an example, we will forward port 4500 on our local system to port 23 (telnet) on a remote system.

You do not have to do this as a root. Since we are using a port higher than 1024, an ordinary user is able to create this port forward connection. Keep in mind that a tunnel is erected only when the SSH connection is running.

$ ssh -L 4500:127.0.0.1:23 user@linuxconfig.org

Let's dissect what's going on in this command.

  • -L - This option tells SSH that we want to create a tunnel through port forwarding.
  • 4500 - The port on our local system which we will send traffic through.
  • 127.0.0.1 - This is our local system's loopback address.
  • 23 - The remote port that we are trying to connect to.
  • user - The username to login to SSH on the remote server.
  • linuxconfig.org - The remote server IP or domain name.

At this point, every connection which uses port 4500 on the localhost will be redirected to remote port 23.

Creating the SSH tunnel from local port 4500 to remote port 23
Creating the SSH tunnel from local port 4500 to remote port 23

In the screenshot above, we have successfully created a tunnel to the remote server. As you can see, it looks like a typical SSH login. But now, on our local system, we can access the telnet service of the remote system by routing traffic through port 4500.

$ telnet 127.0.0.1 4500


We will open a new terminal and try this on our test system, while leaving the other terminal open so it maintains our SSH tunnel.

Using telnet to connect to a remote server, and routing the traffic through SSH for security
Using telnet to connect to a remote server, and routing the traffic through SSH for security

As you can see, we now have a telnet session opened to the remote server, but it's a secured connection since it is being sent through the existing SSH tunnel that we established in the other terminal.

That's all there is to it. You can use SSH tunnels for any type of traffic. The thing to remember is that you should point your application to your localhost address (127.0.0.1) and the port number that you configure for the SSH tunnel.

How to create persistent SSH tunnels

You may have noticed that for long term SSH tunnels, it's rather inconvenient that it relies on our opened SSH connection. If there's some temporary latency or the SSH terminal simply reaches its timeout, the tunnel gets taken down along with the SSH session.

You can install the autossh utility with your system's package manager if you want to create a tunnel that automatically puts itself back up when it goes down. You'll need to have RSA keys configured for passwordless SSH in order for this method to work.

The syntax for building a persistent tunnel is basically identical to the normal SSH method.

$ autossh -L 4500:127.0.0.1:23 user@linuxconfig.org

Closing Thoughts

In this guide, we saw how to use SSH port forwarding on Linux. This allows a user to build a secure SSH tunnel that can be utilized by other applications and protocols for encrypted connections to remote servers. As an example, we saw how the telnet protocol could be secured through SSH port forwarding. We also learned how to keep SSH tunnels persistent by using the autossh utility.

FIND LATEST LINUX JOBS on LinuxCareers.com
Submit your RESUME, create a JOB ALERT.
LINUX CAREER NEWSLETTER
Subscribe to NEWSLETTER and receive latest news, jobs, career advice and tutorials.
DO YOU NEED ADDITIONAL HELP?
Get extra help by visiting our LINUX FORUM or simply use comments below.