Overview

利用SSH端口转发，可以方便实现各类翻墙打洞需求。本文详细介绍SSH端口转发的三种用法，以及其所适用的场景。

Environment

• L0: localhost behind NAT, with lan ip 192.168.0.100
• L1: host within same lan of L0, with lan ip 192.168.0.101
• R0: remote host (cloud vps) with private ip 10.0.0.100
• R1: remote host (cloud vps) with private ip 10.0.0.101

L0 can ssh (default port 22) to R0 by its public domain name r0.example.com with public key, like this:

1

ssh user@r0.example.com

Forwarding local host (-L)

Usage

Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side.

SSH -L is good for exposing a remote port locally.

增强本地主机的访问远程主机（局域网）能力。

Example

1. Forward L0 to R0

The mongod has the http web service, listening only on localhost:28017. With the following command:

1

ssh -NL 28018:localhost:28017 user@r0.example.com

Then the remote service on 28017 will be accessed on L0’s 28018 port from L0.

2. Forward L0 to R1

Suggest that there’s an API server on R1, listening only on port 10030 of lan (10.0.0.0/24). Because R0 can access R1’s private address of the same lan, so the following command will make R1’s service of port 10030 accessible from L0’s local port 10031.

1

ssh -NL 10031:10.0.0.101:10030 user@r0.example.com

Note, use R1’s private ip 10.0.0.101 instead of localhost.

3. Forward L1 to R1

Say R0 can access R1 through ssh command: ssh secret-user@10.0.0.101, then the following command

1

ssh -NL 192.168.0.100:2222:10.0.0.101:22 user@r0.example.com

will forward L0’s port 2222 to the R1’s port 22, and even make L0 listening within the lan. So from L1, we can access to R1 by this command:

1

ssh -p 2222 secret-user@192.168.0.100

Awesome!

Forwarding remote host (-R)

Usage

Specifies that the given port on the remote (server) host is to be forwarded to the given host and port on the local side.

So the SSH -R can be useful when accessing a box hidden behind a NAT.

增强远端主机的访问本地主机（局域网）的能力。

Example

1. Forward R0 to L0

1

ssh -NR 2222:localhost:22 user@r0.example.com

2. Forward R0 to L1

1

ssh -NR 2222:192.168.0.101:22 user@r0.example.com

3. Forward R1 to L1

Unlike local forwarding, remote forwarding from R1 to L1 is not permitted by default due to security policy, unless we change sshd_config file on R0, with the additional config line:

1

GatewayPorts = yes

then the ultimate tunnel created, with which we can access L1’s port on machine R1. Cool?

Dynamic forwarding (-D)

Usage

Specifies a local “dynamic” application-level port forwarding...and ssh will act as a SOCKS server.

Example

1

ssh -ND 1080 user@r0.example.com

Then, there exists a SOCKS server on L0, and we can use it as a proxy server.

1

curl -x socks5h://localhost:1080 https://www.google.com