Notes about SSH port forwarding

Local Forwarding

Local forwarding is used to forward a specific port on the local machine to a specific port on the remote server. This can be useful when a service on the remote server is accessible from the local machine only through a Bastion Host because of a firewall:

ssh -L local-port:remote-private-service.example.com:remote-private-port bastion-host-user@bastion-host.example.com

For example, to access via local port 8080 to the remote port service 80 you can use the command:

ssh -L 8080:remote-private-service.example.com:80 bastion-host-user@bastion-host.example.com

Remote Forwarding

Remote forwarding is used to forward a specific port on the remote server to a specific port on the local machine. This can be useful when a service on the local machine is not accessible from the remote server due to a firewall. The command to use:

ssh -L remote-private-port:local-server:local-port user@remote-host.example.com

For example, remote users could access a service running on a local server this way:

ssh -R 80:localhost:8080 user@remote-host.example.com

Some more useful SSH options

• -f Requests ssh to go to background just before command execution. This is useful if ssh is going to ask for passwords or passphrases, but the user wants it in the background.
  This implies -n. [...] If the ExitOnForwardFailure configuration option is set to "yes", then a client started with -f will wait for all remote port forwards to be successfully established before placing itself in the background. Refer to the description of ForkAfterAuthentication in ssh_config(5) for details.

• -N Do not execute a remote command. This is useful for just forwarding ports. Refer to the description of SessionType in ssh_config(5) for details.