How to enable public access to SSH tunnel with port forwarding

By default, an SSH tunnel only listens on the localhost, typically the loopback IP address 127.0.0.1. This configuration restricts the tunnel to local access, preventing other hosts from connecting. To allow public access, the tunnel must be set to listen on an external IP address, making it reachable from other systems.

Allowing public access requires specifying the desired IP address when creating the tunnel. This change ensures that the tunnel can accept connections from remote hosts. Additionally, you need to configure the firewall to permit incoming connections on the specified port.

Configuring an SSH tunnel for public access involves setting the correct listening IP and adjusting the firewall. These steps enable secure access to the tunnel from external locations, expanding the utility of SSH in network management.

Steps to enable public access to SSH tunnel:

Identify the external IP address of your host.

$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:08:63:73 brd ff:ff:ff:ff:ff:ff
    altname enp2s1
    inet 192.168.111.27/24 brd 192.168.111.255 scope global dynamic noprefixroute ens33
       valid_lft 66553sec preferred_lft 66553sec
    inet6 fe80::fc5d:1d5c:ae0e:68f1/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

Create an SSH tunnel that listens on this external IP address.
```
$ ssh -fN -D 192.168.111.27:8080 192.168.111.29
user@192.168.111.29's password:
```
Related: How to create an SSH SOCKS proxy

Verify that the tunnel is active and listening on the specified IP.

$ ss -natp | grep 8080
LISTEN 0      128    192.168.111.27:8080         0.0.0.0:*    users:(("ssh",pid=2966,fd=4))

Configure the firewall to allow incoming connections to the tunnel port if firewall is enabled.

$ sudo ufw allow 8080 # Ubuntu and Debian variance
$ sudo firewall-cmd --zone=public --permanent --add-port=8080/tcp && sudo firewall-cmd --reload # CentOS and Red Hat variance

Test access to the tunnel from a remote host to confirm connectivity.

$ curl --proxy socks5://192.168.111.27:8080 https://ifconfig.me
115.131.92.137

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.

Discuss the article:

Comment anonymously. Login not required.