In this tutorial Guide we will learn about
- SSH Port Forwarding
- Different Types of Forwarding
- Practical examples to create SSH Tunnel and access HTTP web server in Linux
- Verify SSH Tunnel using
tcpdump
- Close SSH Tunnel
What is SSH Port Forwarding
- SSH port forwarding or tunneling allows you to forward otherwise insecure TCP traffic inside a secure SSH tunnel from local to destination server.
- Protocols such as FTP, POP3, SMTP, HTTP, TELNET, and others can all be forwarded inside this SSH tunnel
- This will provide increased security features such as encryption and authentication that may not otherwise be supported.
- You must create a new SSH connection to establish the tunneling, you can not use any existing SSH connection
Type of SSH Port Forwarding?
There are three types of port forwarding mechanisms between local and remote host:
- Local Port Forwarding: Create a local port that is connected to a remote service.
- Remote Port Forwarding: Forward a port on a remote server on the Internet to a local port
- Dynamic Port Forwarding: A SOCKS client connects via TCP, and indicates via the protocol the remote socket it wants to reach
1: Local Port Forwarding
- This allows you to forward a port from your localhost server (
ssh_client
) to a port on target remote server (ssh_server
) - The basic syntax would be
ssh -L sourceHost:sourcePort:forwardToHost:onPort connectToHost
- Here the first field
sourceHost
would be the localhost using on which you will enable the Port Forward - The second field is
sourcePort
using which you will connect to theremoteHost
andremotePort
- The third field is the
forwardToHost
i.e. the server to which you want to forward the request. You can also put localhost in this field (as it is the localhost ofremoteHost
) - The fourth field is the
onPort
section i.e. the port to which the request has to be forwarded - Lastly provide the server (
connectToHost
) to which you want to create the secure SSH Tunnel
From the man page of SSH:
-f Requests ssh to go to background just before command execution. -N Do not execute a remote command. This is useful for just forwarding ports -L local_socket:remote_socket Specifies that connections to the given TCP port or Unix socket on the local (client) host are to be forwarded to the given host and port, or Unix socket, on the remote side. This works by allocating a socket to listen to either a TCP port on the local side, optionally bound to the specified bind_address, or to a Unix socket. Whenever a connection is made to the local port or socket, the connection is forwarded over the secure channel, and a connection is made to either host port hostport, or the Unix socket remote_socket, from the remote machine.
1.1: Example-1: Setup Local Port Forwarding with two servers
- This is the basic and most used Local port Forwarding where we forward the traffic on a port
5555
from localhost (server1
) to a port80
on target hostserver3
- In this example I have a web server running on
port 80
onserver3
. - I will configure port
5555
to be used to forward the traffic from localhost (server1
) toserver3
onport 80
in secure SSH Tunnel
1.1.1: Create SSH tunnel for HTTP server
Use SSH client on server1
(our localhost) to create a secure tunnel towards server3
. The -L
option specifies local forwarding, in which the TCP client is on the local machine with the SSH client.
[root@server1 ~]# ssh -f -N -L localhost:5555:server3:80 root@server3
ssh -f -N -L 5555:localhost:80 root@server3
to establish the SSH tunnel but that would confuse the beginners so we will keep it by the rules. Ideally here third field localhost
is considered to be called on server3
so we can use eitherMake sure the SSH process is still active:
[root@server1 ~]# ps -ef | grep ssh root 1170 1 0 10:20 ? 00:00:00 /usr/sbin/sshd -D root 1426 1170 0 10:21 ? 00:00:01 sshd: root@pts/1 root 2242 1170 0 12:31 ? 00:00:00 sshd: root@pts/0 root 2384 1 0 12:53 ? 00:00:00 ssh -f -N -L localhost:5555:server3:80 root@server3 root 2386 1430 0 12:53 pts/1 00:00:00 grep --color=auto ssh
1.1.2: Verify the SSH Tunnel
Next we will try to connect to our apache server on server3
using curl
and curl
is able to connect to server3:80
using the server1:5555
[root@server1 ~]# curl http://localhost:5555
My test site
More information can be collected from tcpdump
which is running on server3
. This shows that the curl request was served using SSH secure Tunnel even when the requested port was 80
[root@server3 ~]# tcpdump -i enp0s8 port 22 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on enp0s8, link-type EN10MB (Ethernet), capture size 262144 bytes 12:53:28.032073 IP server1.53464 > server3.ssh: Flags [P.], seq 29797146:29797230, ack 547702480, win 329, options [nop,no,TS val 8905005 ecr 8902932], length 84 12:53:28.032108 IP server3.ssh > server1.53464: Flags [.], ack 84, win 295, options [nop,nop,TS val 8909252 ecr 8905005], ength 0 12:53:28.032430 IP server3.ssh > server1.53464: Flags [P.], seq 1:45, ack 84, win 295, options [nop,nop,TS val 8909253 ecr8905005], length 44 12:53:28.032854 IP server1.53464 > server3.ssh: Flags [P.], seq 84:200, ack 45, win 329, options [nop,nop,TS val 8905006 er 8909253], length 116 12:53:28.033570 IP server3.ssh > server1.53464: Flags [P.], seq 45:337, ack 200, win 295, options [nop,nop,TS val 8909254 cr 8905006], length 292 12:53:28.044939 IP server1.53464 > server3.ssh: Flags [P.], seq 200:236, ack 337, win 349, options [nop,nop,TS val 8905018ecr 8909254], length 36 12:53:28.045130 IP server3.ssh > server1.53464: Flags [P.], seq 337:409, ack 236, win 295, options [nop,nop,TS val 8909265ecr 8905018], length 72 12:53:28.045599 IP server1.53464 > server3.ssh: Flags [P.], seq 236:272, ack 409, win 349, options [nop,nop,TS val 8905019ecr 8909265], length 36 12:53:28.085911 IP server3.ssh > server1.53464: Flags [.], ack 272, win 295, options [nop,nop,TS val 8909306 ecr 8905019],length 0
1.1.3: Close Local Forwarding Tunnel
To close the secure SSH Tunnel we must kill the SSH process which was created to forward the PORT.
[root@server1 ~]# kill -9 2384
1.2: Example-2: Setup Local Port Forwarding with three servers
In this example we will have three servers. Here server1
does not has direct access to server3
so it will use server1
→ server2
to connect to the webserver on server3
.
We will forward the port request from server1:5555
to server2
using secure SSH Tunnel which will further connect server3:80
to fetch the request.
1.2.1: Create SSH Tunnel
Create Local Forwarding port on your localhost (server1
) using SSH client. You can also ignore mentioning localhost in this command as that is the default behaviour, I have written here just for the sake of explanation
[root@server1 ~]# ssh -f -N -L localhost:5555:server3:80 root@server2
Make sure the SSH process is active which means our tunnel is created
[root@server1 ~]# ps -ef | grep ssh root 1170 1 0 10:20 ? 00:00:00 /usr/sbin/sshd -D root 1426 1170 0 10:21 ? 00:00:01 sshd: root@pts/1 root 2242 1170 0 12:31 ? 00:00:00 sshd: root@pts/0 root 2380 1 0 12:51 ? 00:00:00 ssh -f -N -L localhost:5555:server3:80 root@server2 root 2382 1430 0 12:51 pts/1 00:00:00 grep --color=auto ssh
1.2.2: Verify the SSH Tunnel
We will use curl
to connect to our webserver on server3:80
from server1
using localhost:5555
. So the curl tool was successfully able to fetch the webserver's index page.
[root@server1 ~]# curl http://localhost:5555
My test site
You can check the tcpdump capture on server3
This shows the secure tunnel communication between server1
and server2
and further server2
will connect to server3
to connect to the webserver.
[root@server3 tmp]# tcpdump -i enp0s8 port 22 or 80 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on enp0s8, link-type EN10MB (Ethernet), capture size 262144 bytes 12:59:04.138042 IP server1.60638 > server2.ssh: Flags [P.], seq 2758738467:2758738551, ack 379740010, win 289, options [nop,nop,TS val 9241111 ecr 5849726], length 84 12:59:04.138269 IP server2.ssh > server1.60638: Flags [.], ack 84, win 273, options [nop,nop,TS val 5891823 ecr 9241111], length 0 12:59:04.144056 IP server2.53650 > server3.http: Flags [S], seq 2208701817, win 29200, options [mss 1460,sackOK,TS val 5891829 ecr 0,nop,wscale 7], length 0 12:59:04.144073 IP server3.http > server2.53650: Flags [S.], seq 2805768777, ack 2208701818, win 28960, options [mss 1460,sackOK,TS val 9245364 ecr 5891829,nop,wscale 7], length 0 12:59:04.148666 IP server2.53650 > server3.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 5891833 ecr 9245364], length 0 12:59:04.148672 IP server2.ssh > server1.60638: Flags [P.], seq 1:45, ack 84, win 273, options [nop,nop,TS val 5891834 ecr 9241111], length 44 12:59:04.148790 IP server1.60638 > server2.ssh: Flags [.], ack 45, win 289, options [nop,nop,TS val 9241122 ecr 5891834], length 0 12:59:04.148917 IP server1.60638 > server2.ssh: Flags [P.], seq 84:200, ack 45, win 289, options [nop,nop,TS val 9241122 ecr 5891834], length 116 12:59:04.149100 IP server2.53650 > server3.http: Flags [P.], seq 1:79, ack 1, win 229, options [nop,nop,TS val 5891834 ecr 9245364], length 78: HTTP: GET / HTTP/1.1 12:59:04.149118 IP server3.http > server2.53650: Flags [.], ack 79, win 227, options [nop,nop,TS val 9245370 ecr 5891834], length 0 12:59:04.149546 IP server3.http > server2.53650: Flags [P.], seq 1:254, ack 79, win 227, options [nop,nop,TS val 9245370 ecr 5891834], length 253: HTTP: HTTP/1.1 200 OK
1.2.3: Close Local forwarding Tunnel
To close the secure SSH Tunnel, go ahead and kill the respective SSH process which we created earlier:
[root@server1 ~]# kill -9 2380
1.3: Example-3: Setup Local Port Forwarding with Gateway Ports
- In OpenSSH, by default, only the host running the SSH client can connect to locally forwarded ports.
- This is because ssh listens only on the machine’s loopback interface for connections to the forwarded port; i.e., it binds the socket (
localhost,5555
), a.k.a. (127.0.0.1,5555
), and not (server1,8080
). - So, in the preceding example, only
server1
can use the forwarding - However, ssh for OpenSSH has a command-line option,
-g
, that disables this restriction, permitting any host to connect to locally forwarded ports: - The client configuration (
ssh_config
) keywordGatewayPorts
also controls this feature; the default value is no, whereas yes does the same thing as-g
1.3.1: Create SSH Tunnel with Gateway Port
We will also use -g
with our existing SSH command to create the SSH Tunnel. Also if you observe, I have removed "locahost
" and have used ":5555
" which signifies all the host can be matched
[root@server1 ~]# ssh -g -f -N -L :5555:server3:80 root@server3
Make sure the SSH process is still active for the respective command:
[root@server1 ~]# ps -ef | grep ssh root 1170 1 0 10:20 ? 00:00:00 /usr/sbin/sshd -D root 1426 1170 0 10:21 ? 00:00:01 sshd: root@pts/1 root 2242 1170 0 12:31 ? 00:00:00 sshd: root@pts/0 root 2423 1 0 13:01 ? 00:00:00 ssh -g -f -N -L :5555:server3:80 root@server3 root 2425 1430 0 13:03 pts/1 00:00:00 grep --color=auto ssh
1.3.2: Verify the Local Port Forwarding
We will use curl
command from server2
this time to check if it can connect to server3
using port 5555
from the secure tunnel
[root@server2 ~]# curl http://server1:5555
My test site
So the server2
was successfully able to connect to server3:80
and also to the webserver using forwarding port server1:5555
The tcpdump output from server3
shows that the connection was established between server1
and server3
using secure tunnel to get the HTTP request. You can extend the tcpdump
to search for host server2
to get packet details from respective host. Since the tunnel is between server1
and server3
only, we do not see server2
related details here.
[root@server3 tmp]# tcpdump -i enp0s8 port 22 or 80 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on enp0s8, link-type EN10MB (Ethernet), capture size 262144 bytes 13:01:40.344612 IP server1.53480 > server3.ssh: Flags [P.], seq 2488865116:2488865208, ack 1385274191, win 309, options [nop,nop,TS val 9397318 ecr 9390459], length 92 13:01:40.344639 IP server3.ssh > server1.53480: Flags [.], ack 92, win 295, options [nop,nop,TS val 9401565 ecr 9397318], length 0 13:01:40.346140 IP server3.ssh > server1.53480: Flags [P.], seq 1:45, ack 92, win 295, options [nop,nop,TS val 9401566 ecr 9397318], length 44 13:01:40.346422 IP server1.53480 > server3.ssh: Flags [.], ack 45, win 309, options [nop,nop,TS val 9397320 ecr 9401566], length 0 13:01:40.346507 IP server1.53480 > server3.ssh: Flags [P.], seq 92:208, ack 45, win 309, options [nop,nop,TS val 9397320 ecr 9401566], length 116 13:01:40.347088 IP server3.ssh > server1.53480: Flags [P.], seq 45:337, ack 208, win 295, options [nop,nop,TS val 9401567 ecr 9397320], length 292 13:01:40.347943 IP server1.53480 > server3.ssh: Flags [P.], seq 208:244, ack 337, win 329, options [nop,nop,TS val 9397321 ecr 9401567], length 36 13:01:40.348239 IP server3.ssh > server1.53480: Flags [P.], seq 337:409, ack 244, win 295, options [nop,nop,TS val 9401569 ecr 9397321], length 72 13:01:40.348453 IP server1.53480 > server3.ssh: Flags [P.], seq 244:280, ack 409, win 329, options [nop,nop,TS val 9397322 ecr 9401569], length 36 13:01:40.389600 IP server3.ssh > server1.53480: Flags [.], ack 280, win 295, options [nop,nop,TS val 9401610 ecr 9397322], length 0
1.3.3: Close SSH Tunnel
Close the SSH Tunnel To close the Local forwarding port, you can go ahead and kill the SSH process which we created earlier to start the tunnel from server1
[root@server1 ~]# kill -9 2423
2: Remote port forwarding
- A remotely forwarded port is just like a local one, but the directions are reversed
- This time the TCP client is remote, its server is local, and a forwarded connection is initiated from the remote machine.
- Remote port forwarding is less common and can be used to connect to a local port that cannot be reached from the internet, to a port on the server that is available on the internet
- The
-R
option specifies remote forwarding. It is followed by three values, separated by colons as before but interpreted slightly differently.
From the man page of SSH
-R [bind_address:]port:host:hostport
-R [bind_address:]port:local_socket
-R remote_socket:host:hostport
-R remote_socket:local_socket
Specifies that connections to the given TCP port or Unix socket on the remote (server) host are to be
forwarded to the given host and port, or Unix socket, on the local side. This works by allocating a
socket to listen to either a TCP port or to a Unix socket on the remote side. Whenever a connection is
made to this port or Unix socket, the connection is forwarded over the secure channel, and a connection
is made to either host port hostport, or local_socket, from the local machine.
The syntax to perform Reverse Port Forwarding would be ssh -R bindAddress:remotePort:forwardToHost:onPort connectToHost
- The first field is the bind address on localhost. By default, TCP listening sockets on the server will be bound to the loopback interface only
- The second field is the
remotePort
which which will be used to connect to the destination port i.e. 80. - The third field is for
forwardToHost
i.e. the hostname or IP of the server to which you wish to connect as part of forwarding - The fourth field is the
onPort
to which the forwarding should happen on the "forwardToHost
" - Lastly provide the server details towards which the SSH Tunnel should be created
2.1: Create SSH Tunnel for Remote Port Forwarding
I have a web server with apache on port 80 running on server3
. Now in the earlier examples:
with Local Port Forwarding we forward request from server1:5555
to server3:80
Now we will do the opposite i.e.
with Remote Port Forwarding we forward request from server3:80
to server1:5555
Create SSH Tunnel on server3
[root@server3 ~]# ssh -f -N -R localhost:5555:server3:80 root@server1
Make sure the SSH process with the above command is still running
[root@server3 ~]# ps -ef | grep ssh root 5711 1 0 10:22 ? 00:00:01 sshd: root@pts/0 root 9500 1 0 11:10 ? 00:00:00 /usr/sbin/sshd -D root 11151 9500 0 12:09 ? 00:00:00 sshd: root@notty root 13638 1 0 15:46 ? 00:00:00 ssh -f -N -R 5555:server3:80 root@server1 root 13642 5799 0 15:46 pts/0 00:00:00 grep --color=auto ssh
2.2: Verify SSH Tunnel setup
Verify SSH Tunnel Next we will use curl from server1
to connect to server3 using port 5555
[root@server1 ~]# curl http://localhost:5555
My test site
The connection was successful
With tcpdump running on server3
we can check the secure SSH Tunnel was used for the curl request from server1
to server3
[root@server3 ~]# tcpdump -i enp0s8 port 22 or 80 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on enp0s8, link-type EN10MB (Ethernet), capture size 262144 bytes 15:48:05.749405 IP server1.ssh > server3.48228: Flags [P.], seq 3747952798:3747952890, ack 3457506699, win 258, options [nop,nop,TS val 19382722 ecr 19296856], length 92 15:48:05.749429 IP server3.48228 > server1.ssh: Flags [.], ack 92, win 291, options [nop,nop,TS val 19386970 ecr 19382722], length 0 15:48:05.750020 IP server3.48228 > server1.ssh: Flags [P.], seq 1:45, ack 92, win 291, options [nop,nop,TS val 19386970 ecr 19382722], length 44 15:48:05.750314 IP server1.ssh > server3.48228: Flags [.], ack 45, win 258, options [nop,nop,TS val 19382723 ecr 19386970], length 0 15:48:05.750506 IP server1.ssh > server3.48228: Flags [P.], seq 92:208, ack 45, win 258, options [nop,nop,TS val 19382724 ecr 19386970], length 116 15:48:05.751491 IP server3.48228 > server1.ssh: Flags [P.], seq 45:337, ack 208, win 291, options [nop,nop,TS val 19386972 ecr 19382724], length 292 15:48:05.752605 IP server1.ssh > server3.48228: Flags [P.], seq 208:244, ack 337, win 281, options [nop,nop,TS val 19382726 ecr 19386972], length 36 15:48:05.752926 IP server3.48228 > server1.ssh: Flags [P.], seq 337:409, ack 244, win 291, options [nop,nop,TS val 19386973 ecr 19382726], length 72 15:48:05.753338 IP server1.ssh > server3.48228: Flags [P.], seq 244:280, ack 409, win 281, options [nop,nop,TS val 19382727 ecr 19386973], length 36 15:48:05.793709 IP server3.48228 > server1.ssh: Flags [.], ack 280, win 291, options [nop,nop,TS val 19387014 ecr 19382727], length 0
2.3: Close SSH Tunnel
To close the SSH Tunnel we must kill the SSH process which is running on our server3
[root@server3 ~]# ps -ef | grep 5555 root 13638 1 0 15:46 ? 00:00:00 ssh -f -N -R 5555:server3:80 root@server1
The PID mapped to the SSH Tunnel is 13638
, we will use kill with -9
interrupt signal for the respective PID
[root@server3 ~]# kill -9 13638
3: Dynamic Port Forwarding
- Let's say we need a quick way to exit our network bypassing the firewall settings.
- Our
server1
normally has access to HTTP server running onserver3
- But due to recent firewall policy we can reach
server3
host, to access the web server - To overcome this problem we can use Dynamic Port Forwarding or SOCKS Forwarding SOCKS is a small protocol, defined in RFC-1928.
- A SOCKS client connects via TCP, and indicates via the protocol the remote socket it wants to reach; the SOCKS server makes the connection, then gets out of the way, transparently passing data back and forth.
- Thereafter, it is just as if the client had connected directly to the remote socket.
From the man page of SSH
-D [bind_address:]port
Specifies a local “dynamic” application-level port forwarding. This works by allocating a socket to lis‐
ten to port on the local side, optionally bound to the specified bind_address. Whenever a connection is
made to this port, the connection is forwarded over the secure channel, and the application protocol is
then used to determine where to connect to from the remote machine. Currently the SOCKS4 and SOCKS5 pro‐
tocols are supported, and ssh will act as a SOCKS server. Only root can forward privileged ports.
Dynamic port forwardings can also be specified in the configuration file.
The syntax to use Dynamic Port Forwarding would be:
ssh -f -N -D [bind_address:]port connectToHost
- Here in the first field there is no need to explicitly mention the
bind_address
, just provide the local port to be forwarded in the second field - That’s because the
destination
is determined dynamically, and can be different for each connection. - Replace
connectToHost
with the server towards which you want to create the secure tunnel
3.1: Create SSH Tunnel
Before we create SSH Tunnel, let me show you server1
was by default allowed to connect to apache server on server3
using port 80
[root@server1 ~]# curl http://server3:80
My test site
But then we introduce iptables rule to block port 80 in the OUTPUT
chain on server1
[root@server1 ~]# iptables -A OUTPUT -p tcp --dport 80 -j DROP
Now if we try to access the apache server from server3
, curl will time out while trying to establish the connection
[root@server1 ~]# curl --connect-timeout 5 http://server3:80
curl: (28) Connection timed out after 5000 milliseconds
So we create Dynamic Port Forwarding SSH Tunnel from server1
to server3
using a random port 8080
. You can choose any other port of your choice.
[root@server1 ~]# ssh -f -N -D 8080 root@server3
Verify the SSH process from this command
[root@server1 ~]# ps -ef | grep ssh root 1170 1 0 10:20 ? 00:00:00 /usr/sbin/sshd -D root 1426 1170 0 10:21 ? 00:00:01 sshd: root@pts/1 root 2242 1170 0 12:31 ? 00:00:00 sshd: root@pts/0 root 2611 1 0 16:24 ? 00:00:00 ssh -f -N -D 8080 root@server3 root 2613 1430 0 16:25 pts/1 00:00:00 grep --color=auto ssh
3.2: Verify SSH Tunnel setup
Verify the SSH Tunnel setup Now we will try to use SOCKS proxy to connect to the apache server from server3:80 using server1:8080
[root@server1 ~]# curl --proxy socks5h://localhost:8080 http://server3:80 My test site
The curl connection was successful with SOCKS proxy
The tcpdump output on server3
shows that the curl connection happened within the secure SSH Tunnel over port 22
[root@server3 ~]# tcpdump -i enp0s8 port 22 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on enp0s8, link-type EN10MB (Ethernet), capture size 262144 bytes 16:27:04.659233 IP server1.53544 > server3.ssh: Flags [P.], seq 2051346850:2051346934, ack 679515067, win 349, options [nop,nop,TS val 21721632 ecr 21664654], length 84 16:27:04.659249 IP server3.ssh > server1.53544: Flags [.], ack 84, win 295, options [nop,nop,TS val 21725880 ecr 21721632], length 0 16:27:04.659651 IP server3.ssh > server1.53544: Flags [P.], seq 1:45, ack 84, win 295, options [nop,nop,TS val 21725880 ecr 21721632], length 44 16:27:04.660067 IP server1.53544 > server3.ssh: Flags [P.], seq 84:192, ack 45, win 349, options [nop,nop,TS val 21721633 ecr 21725880], length 108 16:27:04.660454 IP server3.ssh > server1.53544: Flags [P.], seq 45:337, ack 192, win 295, options [nop,nop,TS val 21725881 ecr 21721633], length 292 16:27:04.661356 IP server1.53544 > server3.ssh: Flags [P.], seq 192:228, ack 337, win 369, options [nop,nop,TS val 21721634 ecr 21725881], length 36 16:27:04.661590 IP server3.ssh > server1.53544: Flags [P.], seq 337:409, ack 228, win 295, options [nop,nop,TS val 21725882 ecr 21721634], length 72 16:27:04.661957 IP server1.53544 > server3.ssh: Flags [P.], seq 228:264, ack 409, win 369, options [nop,nop,TS val 21721635 ecr 21725882], length 36 16:27:04.702875 IP server3.ssh > server1.53544: Flags [.], ack 264, win 295, options [nop,nop,TS val 21725923 ecr 21721635], length 0
You can also configure your Mozilla Firefox to use SOCKS Proxy by modifying the Proxy configuration under Network Settings
3.3: Close SSH Tunnel
To close the Dynamic Port Forwarding SSH Tunnel we must kill the SSH process which we created earlier on server1
[root@server1 ~]# ps -ef | grep ssh root 2611 1 0 16:24 ? 00:00:00 ssh -f -N -D 8080 root@server3 root 2613 1430 0 16:25 pts/1 00:00:00 grep --color=auto ssh
In this case, kill the process PID 2611 to close the tunnel
[root@server1 ~]# kill -9 2611
Conclusion
Understand SSH Port Forwarding concept can be little tricky for beginners and it may take some time to be able to use it in real time environments. The examples which I have used in this tutorial to explain different types of forwarding are based on private network whereas these are used also in public network with network firewalls. But the end usage would be same so you can learn regarding the usage from these examples.
In this tutorial we learned about different types of SSH port Forwarding, I intentionally didn't explained other scenarios in Remote Port Forwarding similar to Local as that would just extend the article while the usage remains same for both.
You can also try to setup forwarding in your environment and let me know your suggestions or feedback using the comment section from this article.
References
I have used below external references for this tutorial guide
Proxies and Tunnels: Mastering Bash
Ubuntu Linux for Dummies
SSH The Secure Shell
Next Generation SSH2 Implementation