What Is SSH Local Port Forwarding?
SSH local port forwarding is one of the most powerful — and underused — features of the SSH protocol. It lets you securely forward traffic from a port on your local machine through an encrypted SSH tunnel to a destination host, as if you were sitting on the remote server itself.
Whether you want to access an internal database, a web admin panel, or any service that isn't exposed to the public internet, local port forwarding makes it possible — safely and without VPN software.
How It Works
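When you set up a local port forward, your SSH client listens on a local port. Any traffic sent to that local port is encrypted and sent through your SSH connection to the SSH server, which then forwards it to the final destination. The SSH encryption covers the hop between your machine and the SSH server; from the SSH server to the final destination, the traffic travels in whatever form the destination service itself uses.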
The basic command syntax is:
ssh -L [local_port]:[destination_host]:[destination_port] [user]@[ssh_server]
For example, to forward local port 8080 to a web server at 192.168.1.10:80 through your SSH server:
ssh -L 8080:192.168.1.10:80 user@your-ssh-server.com
You can then open http://localhost:8080 in your browser to access the remote web server securely.
Common Use Cases
- Access a private database: Forward a remote MySQL or PostgreSQL port to your local machine for secure management.
- Reach internal web apps: Access staging servers or admin dashboards not exposed to the internet.
- Bypass restrictive firewalls: Tunnel through allowed SSH ports to reach blocked services.
- Secure legacy protocols: Wrap unencrypted traffic (like VNC or RDP) inside an SSH tunnel.
Step-by-Step Example: Tunneling to a Remote MySQL Database
- Confirm your SSH server has access to the MySQL host (e.g., db.internal:3306).
- Run:
ssh -L 3307:db.internal:3306 user@your-ssh-server.com
- Open your database client and connect to localhost:3307.
- Your client now securely communicates with the remote database over SSH encryption.
Useful Flags to Know
| Flag | Purpose |
|---|---|
| -N | Don't execute a remote command (tunnel only, no shell) |
| -f | Run SSH in the background |
| -C | Enable compression (useful on slow links) |
| -v | Verbose mode for debugging |
Combining these, a clean background tunnel looks like:
ssh -fNL 8080:192.168.1.10:80 user@your-ssh-server.com
Security Considerations
- Use SSH key authentication instead of passwords wherever possible.
- Restrict the AllowTcpForwarding option in sshd_config to limit forwarding on servers where it shouldn't be used.
- Bind the local listener to 127.0.0.1 (the default) rather than 0.0.0.0 to avoid exposing the port to your entire local network.
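The bind-address advice above can be checked before a tunnel is started. The shell function below is an added example, not part of the original article: it classifies an -L spec by who can reach the local listener, following the [bind_address:]port:host:hostport grammar from ssh(1). The name classify_forward and the sample specs are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify who can reach the listener created by an
# `ssh -L` spec. Grammar from ssh(1): [bind_address:]port:host:hostport

classify_forward() {
    # Mask colons inside [...] so a bracketed IPv6 literal stays one field.
    cf_masked=$(printf '%s\n' "$1" |
        sed -e ':a' -e 's/\(\[[^]:]*\):\([^]]*]\)/\1#\2/' -e 'ta')

    cf_ifs=$IFS
    set -f              # a bind address of "*" must not glob-expand
    IFS=:
    set -- $cf_masked   # split on the remaining field-separating colons
    IFS=$cf_ifs
    set +f

    case $# in
        3) cf_port=$1 ;;    # no bind_address given
        4) cf_bind=$(printf '%s' "$1" | tr '#' ':'); cf_port=$2 ;;
        *) echo invalid; return 1 ;;
    esac
    case $cf_port in
        ''|*[!0-9]*) echo invalid; return 1 ;;
    esac

    if [ $# -eq 3 ]; then
        # Follows the client's GatewayPorts setting, which defaults to "no".
        echo default-loopback
        return 0
    fi
    case $cf_bind in
        ''|'*'|0.0.0.0|'[::]')    echo all-interfaces ;;
        localhost|127.*|'[::1]')  echo loopback ;;
        *)                        echo specific-address ;;
    esac
}

# Constructed sample specs; the first two match the commands shown earlier.
for s in 8080:192.168.1.10:80 3307:db.internal:3306 \
         0.0.0.0:8080:192.168.1.10:80 '*:3307:db.internal:3306' \
         '[::1]:8080:192.168.1.10:80' 10.0.0.5:8080:192.168.1.10:80; do
    printf '%-34s %s\n' "$s" "$(classify_forward "$s")"
done
```

A result of all-interfaces or specific-address means other hosts that can route to that address can connect to the forwarded port, so the destination service is reachable by them through your tunnel.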
Conclusion
SSH local port forwarding is an elegant, built-in solution for securely accessing remote services without complex VPN setups. Once you understand the syntax, it becomes an indispensable tool in any developer or sysadmin's toolkit. Start with a simple database tunnel and you'll quickly discover dozens of other applications.