SSH port forwarding is a mechanism in SSH for tunneling application ports from the client machine to the server machine, or vice versa.

IT professionals use it for opening backdoors into the internal network from their home machines. If a port is blocked by a firewall, you can use SSH to tunnel the traffic and bypass the filter. You can also use it as a form of proxy/VPN to get around restrictive, firewalled networks.

We have 2 types of SSH forwarding

  • Remote Forwarding

GatewayPorts needs to be set to yes

  • Local Forwarding

AllowTcpForwarding needs to be set to yes
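An added example (not part of the original post): a small Python audit that reads sshd_config text and reports whether the server permits the two forwarding types listed above, falling back to OpenSSH's documented defaults when a keyword is absent. The function names and both sample configurations are constructed for illustration; on a live host, `sshd -T` prints the effective values.

```python
# Added example: audit sshd_config text for the two options named on this page.
# Defaults are OpenSSH's documented values when a keyword is absent.
DEFAULTS = {"allowtcpforwarding": "yes", "gatewayports": "no"}


def parse_sshd_config(text):
    """Return (global_settings, match_overrides) for the forwarding keywords."""
    settings, overrides, match = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or a single '='.
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            match = value  # everything below applies only to this Match block
        elif key in DEFAULTS:
            value = value.split()[0].strip('"').lower()
            if match is None:
                settings.setdefault(key, value)  # sshd keeps the first value seen
            else:
                overrides.append((match, key, value))
    return {**DEFAULTS, **settings}, overrides


def forwarding_report(text):
    """Summarise which forwarding modes the server permits globally."""
    cfg, overrides = parse_sshd_config(text)
    tcp, gw = cfg["allowtcpforwarding"], cfg["gatewayports"]
    remote_ok = tcp in ("yes", "all", "remote")
    return {
        "local_forward_allowed": tcp in ("yes", "all", "local"),  # ssh -L
        "remote_forward_allowed": remote_ok,                       # ssh -R
        # Without GatewayPorts, -R listeners bind to loopback only.
        "remote_listener_exposed": remote_ok and gw in ("yes", "clientspecified"),
        "match_overrides": overrides,
    }


# Constructed sample configs (not taken from the page).
PERMISSIVE = "AllowTcpForwarding yes\nGatewayPorts yes\n"
HARDENED = "AllowTcpForwarding no\nGatewayPorts no\nMatch User tunnel\n    AllowTcpForwarding local\n"

if __name__ == "__main__":
    for name, text in (("permissive", PERMISSIVE), ("hardened", HARDENED)):
        print(name, forwarding_report(text))
```

Entries in `match_overrides` deserve a manual look, since a Match block can re-enable forwarding for specific users or addresses even when the global setting is `no`.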

In this example we will access HTTP using SSH port forwarding

  • Original request to

Local Port forwarding

Local port forwarding allows you to forward traffic on a port of your local computer to the SSH server, which forwards it to a destination service.

How to

Log in using SSH from your local machine to the remote server

  • Translate any request from 9999 port to port 80 = remote server

-L = Option for local forwarding

9999: = New port to use:address of the remote machine:app original port

  • ssh -L 9999: msfadmin@

Log in to SSH as usual, then browse the site using the local IP address and the new port 9999.


Analyzing the traffic

1. Looking at Wireshark we can see packets sent to

We can see traffic from to

2. Looking at TCPdump on the target machine

  • sudo tcpdump -i eth0 port 22

The same traffic I captured in Wireshark was captured on the remote host. This time to, it means that the HTTP traffic was sent through SSH and received by the remote server via SSH.

3. Looking at the active communication on both ends we can see the SSH

  • ss -ant

Remote Server

Our host

We can see on both the communication between &

This can work on multiple ports

  • ssh -L 9999: -L 4000: user@

Remote Port forwarding

Remote port forwarding is the opposite. The same connection needs to be made: local host -> remote host

  • ssh -R 7777: msfadmin@

-R = Option for remote forwarding

Any request the client makes to port 7777, SSH will take and translate to port 80

How to

1. We have started a web service on our local host

  • service apache2 start
  • service apache2 status

With the web service up and the SSH connection established, on the remote server we’ll try to connect to the site using port 7777 instead of 80

Remote machine

  • wget

Analyzing the traffic

On the local machine we captured the request


This time Wireshark sees traffic from to


We see traffic from to vk9.sec:54504 (DNS

Looking at our local host's established connections we see the following ( to

  • ss -ant

Remote server