tunneling and port forwarding with ssh

local port forwarding

sets up a local port which forwards to a remote box port via intermediary ssh host

ssh -L <local_port>:<target>:<target_port> <user>@<sshd_host>

let’s say outbound 80 is denied, but 22 is allowed, and you have an ssh account the other side of the perimeter

root@kali:~# sshpass -p password ssh -L 8080:www.google.com:80 user@host
root@kali:~# curl localhost:8080 

=> you will see www.google.com

remote port forwarding

takes a port on one host and exposes it as a port on another host, one that you have an ssh account on

the host/port to expose remotely can be local or remote; it merely has to be reachable from the place you run the tunnel from

ssh -R <remote_port>:<target>:<target_port> <user>@<sshd_host>

you could use this for example to expose a service inside a private network to somewhere outside it

root@kali:~$ sshpass -p password ssh -R 80:internal.foo.com:8080 user@bar.com
root@kali:~# curl bar.com:8080

=> you will see internal.example.com

dynamic port forwarding

local port forwarding’s bigger brother

sets up a local port connected to a remote host, where the remote host will forward your traffic anywhere you like, via the magic of SOCKS

ideal for pivoting into unroutable networks or tunneling out of restricted environments

you need a socksifier like proxychains (linux) on the local host

ssh -D <local_port> <user>@<sshd_host>

let’s use a host on the other side of an egress firewall forbidding HTTP/s to browse any website we like

root@kali:~# sshpass -p password ssh -D 9050 user@host

(9050 is the port that proxychains uses by default)

root@kali:~# proxychains curl www.google.com

=> you will see google.com


  • if you don’t have have ssh on windows, you can use putty or plink with the same arguments
  • the examples given were for HTTP traffic, but of course any TCP/UPD protocol works fine

Leave a Reply

Your email address will not be published. Required fields are marked *