Skip to Content


There are three type of SSH Tunnel forwarding:

  • Local forwarding
  • Remote forwarding
  • Dynamic forwarding (we do not cover it here)

Local forwarding

Imagine you’re on a private network which doesn’t allow connections to a specific server. Let’s say you’re at work and is being blocked, can only access from the private network.

To get around this we can create a tunnel through a server which isn’t on our network and thus can access

    ssh -L

The key here is -L which says we’re doing local port forwarding. Then it says we’re forwarding our local port 9000 to, which is the default port for HTTP. Now open your browser and go to http://localhost:9000 you will be able to access the private site at inside the private network!

The great thing is the above connection is encrypted. so nobody can see what you are visiting.

Sometime you need to access a db behind a firewall, let’s say you need to access a MySQL db (private-db:3306) behind a firewall, and we have user on, which can access private-db:3306 directly, then we can do this:

    ssh -L 3308:private-db:3306

So you can use any db tool to connect to local 3308 port which will be forwarded to private-db:3306

Remote forwarding

Say that you’re developing an app on your local machine, the app listen on port 8000 and you’d like to show it to a friend. Unfortunately your ISP didn’t provide you with a public IP address, so it’s not possible to connect to your machine directly via the internet.

Sometimes this can be solved by configuring NAT (Network Address Translation) on your router, but this doesn’t always work, and it requires you to change the configuration on your router, which isn’t always possible.

To fix this problem you need to have server, which has publicly IP and you have SSH access on it. then you can do this:

    ssh -R 9080: 

In this example, you forward connection from to your local, so if your friend can access, he is fine to access your app on your localhost:8000, which is great!

Please note remember to enable the option in /etc/ssh/sshd_config, by default this is disabled on Centos7:

    GatewayPorts yes

Make sure you add it only once and restart SSH.

    sudo service ssh restart


You might have noticed that every time we create a tunnel you also SSH into the server and get a shell. This isn’t usually necessary, as you’re just trying to create a tunnel. To avoid this we can run SSH with the -nNT flags, such as the following: (which will cause SSH to not allocate a tty and only do the port forwarding).

    ssh -nNT -L

Read more in “man ssh”, and I enjoy those in my daily life.