Disabling SSH TCP forwarding prevents users from tunneling arbitrary TCP traffic through SSH sessions, closing off an easy way to bypass firewalls, egress controls, and network monitoring. Restricting forwarding is especially useful on bastion hosts, jump servers, and multi-user systems where shell access is allowed but network paths must remain tightly controlled.
In OpenSSH, TCP forwarding behavior is controlled on the server by directives in /etc/ssh/sshd_config such as AllowTcpForwarding and PermitOpen. These directives determine whether local and remote port forwarding are permitted at all, and optionally which destination host and port pairs can be reached through those tunnels. Settings can be applied globally or refined in Match blocks for specific users, groups, or source addresses.
Changing forwarding policy affects every SSH session handled by sshd and can break workflows that rely on tunnels, including database access, SOCKS proxies, or custom port mappings. Configuration changes should therefore be staged with a fallback access path, validated with sshd -t before restarting the service, and verified from a separate client to confirm that forwarding is truly blocked without locking out required access.
Related: How to forward local port in SSH
Related: How to forward a remote port in SSH
Related: How to apply conditional SSH settings
$ whoami
user
$ sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup
$ ls -l /etc/ssh/sshd_config*
-rw-r--r-- 1 root root 3554 Jan 10 12:26 /etc/ssh/sshd_config
-rw-r--r-- 1 root root 3554 Jan 10 20:31 /etc/ssh/sshd_config.backup

/etc/ssh/sshd_config.d:
total 0
The backup copy allows quick restoration if a configuration error prevents sshd from starting.
$ sudo nano /etc/ssh/sshd_config
Incorrect syntax in /etc/ssh/sshd_config can stop sshd from starting and block new SSH logins until the file is fixed.
/etc/ssh/sshd_config
AllowTcpForwarding no
AllowTcpForwarding no disables every kind of TCP forwarding (local -L, dynamic/SOCKS -D, and remote -R) for sessions that use the global configuration unless a later Match block overrides it. The directive also accepts local or remote to permit only one direction.
/etc/ssh/sshd_config
PermitOpen none
PermitOpen restricts the host:port destinations that local (-L) and dynamic (-D) forwards may connect to; setting it to none refuses every destination for sessions that use this stanza. It does not govern remote (-R) forwards, whose listen addresses are controlled by the separate PermitListen directive, so on its own PermitOpen is a destination allow-list rather than a full shutoff; combining it with AllowTcpForwarding no covers both directions.
/etc/ssh/sshd_config
AllowTcpForwarding no
PermitOpen none
Match User tunneluser
AllowTcpForwarding yes
PermitOpen localhost:5432
Enabling forwarding only where strictly required reduces the attack surface of bastion hosts and shared administrative accounts. Two caveats apply to the configuration above. First, the host in a PermitOpen entry is compared as a string against the destination the client named, so with PermitOpen localhost:5432 a request for -L 5432:localhost:5432 is permitted while -L 5432:127.0.0.1:5432 is refused; list both forms if both are needed. Second, as sshd_config(5) notes, disabling TCP forwarding does not improve security unless users are also denied shell access, because a user with a shell can run their own forwarder over the session.
$ sudo sshd -t
No output from sshd -t indicates that the configuration is syntactically valid. It checks syntax only; it does not show which values a given user actually receives, so a Match block that never applies (for example because of a misspelled user name) passes this check silently.
Related: How to test SSH server configuration
$ sudo systemctl restart ssh
On some distributions the service name is sshd instead of ssh, for example sudo systemctl restart sshd.
$ sudo systemctl status ssh
● ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/usr/lib/systemd/system/ssh.service; enabled; preset: enabled)
     Active: active (running) since Sat 2026-01-10 20:31:40 +08; 136ms ago
TriggeredBy: ● ssh.socket
       Docs: man:sshd(8)
             man:sshd_config(5)
    Process: 14689 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
   Main PID: 14692 (sshd)
      Tasks: 1 (limit: 4546)
     Memory: 2.6M (peak: 3.6M)
        CPU: 31ms
     CGroup: /system.slice/ssh.service
             └─14692 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"
##### snipped #####
$ ssh -v -L 10080:example.com:80 user@host.example.net
##### snipped #####
channel 2: open failed: administratively prohibited: open failed
The administratively prohibited error confirms that SSH TCP forwarding is disabled by the server configuration. Note that a -L listener still binds on the client; the server refuses the channel only when something connects to local port 10080 and the tunnel tries to open the destination, so send traffic through the tunnel (or use ssh -W, which opens the channel immediately) rather than treating a successful login as proof that forwarding is blocked. Repeat the test as the user covered by the Match block to confirm that only the permitted destination works there, and test a remote forward (-R) as well, since it is refused separately from local forwards.
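The validation steps above (sshd -t followed by one client-side forwarding attempt) check syntax and a single forward type. The script below is an added example and not code from the original page; it reduces sshd -T output to the forwarding-relevant settings so the Match block can be confirmed per user, and it probes both local and remote forwarding from a client, using -W so a refusal is visible without pushing traffic through a listener. The names tunneluser, client.example.net, 192.0.2.10, the listen port and the two sample dumps are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original page: check sshd's effective TCP
# forwarding policy per user and probe it from a client. User, host and address
# values in the usage comments and in effective_policy_for are placeholders.

# Reduce `sshd -T` output (lowercase "keyword value" lines, as sshd prints them)
# to the three forwarding-related settings. Reads the dump from stdin so it
# works on live output, a saved file, or a constructed sample.
forwarding_policy() {
    awk '
        $1 == "allowtcpforwarding" { fwd = $2 }
        $1 == "permitopen"         { po = (po == "" ? $2 : po "," $2) }
        $1 == "permitlisten"       { pl = (pl == "" ? $2 : pl "," $2) }
        END {
            if (fwd == "") fwd = "yes"   # sshd default when the keyword is absent
            printf "forwarding=%s permitopen=%s permitlisten=%s\n", fwd, po, pl
        }'
}

# True (exit 0) when the dump on stdin disables forwarding in both directions.
forwarding_disabled() {
    forwarding_policy | grep -q '^forwarding=no '
}

# Dump the configuration sshd would apply to one user, Match blocks included.
# host and addr are placeholder values; supplying them avoids errors from
# Match criteria that need them.
effective_policy_for() {   # usage: effective_policy_for tunneluser
    sudo sshd -T -C "user=$1,host=client.example.net,addr=192.0.2.10" | forwarding_policy
}

# Probe local forwarding from a client. -W opens a direct-tcpip channel at
# once (the same channel type -L and -D use), so a refusal shows up without
# first sending traffic through a listening tunnel. timeout is GNU coreutils.
probe_local_forward() {   # usage: probe_local_forward user@host target_host:port
    err=$(timeout 10 ssh -o BatchMode=yes -o ConnectTimeout=5 -W "$2" "$1" </dev/null 2>&1 >/dev/null)
    rc=$?
    case $err in
        *"administratively prohibited"*)
            echo "local forward to $2: refused by server policy"; return 0 ;;
    esac
    if [ "$rc" -eq 0 ] || [ "$rc" -eq 124 ]; then
        echo "local forward to $2: ALLOWED"; return 1
    fi
    echo "local forward to $2: inconclusive (exit $rc): $err"; return 2
}

# Probe remote forwarding. ExitOnForwardFailure makes ssh exit when the server
# refuses the -R listener; if the session stays up the forward was accepted,
# and timeout ends it with status 124.
probe_remote_forward() {   # usage: probe_remote_forward user@host listen_port
    err=$(timeout 5 ssh -o BatchMode=yes -o ConnectTimeout=5 -o ExitOnForwardFailure=yes \
              -N -R "$2:localhost:22" "$1" 2>&1)
    rc=$?
    if [ "$rc" -eq 124 ]; then
        echo "remote forward on port $2: ALLOWED"; return 1
    fi
    case $err in
        *"remote port forwarding failed"*)
            echo "remote forward on port $2: refused by server policy"; return 0 ;;
    esac
    echo "remote forward on port $2: inconclusive (exit $rc): $err"; return 2
}

# Constructed samples of `sshd -T` output, standing in for the live command so
# the parsing above can be exercised offline.
sample_dump_default() {    # a user not covered by the Match block
    printf 'port 22\nallowtcpforwarding no\npermitopen none\npermitlisten any\n'
}
sample_dump_tunneluser() { # the user matched by "Match User tunneluser"
    printf 'port 22\nallowtcpforwarding yes\npermitopen localhost:5432\npermitlisten any\n'
}

sample_dump_default | forwarding_policy
sample_dump_tunneluser | forwarding_policy
```

On a real host, run effective_policy_for for an ordinary user and for tunneluser and compare the two lines; then run probe_local_forward and probe_remote_forward from a separate client as each user. A refused local probe also prints "stdio forwarding failed" from ssh, which is the -W equivalent of the channel 2 error shown above.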