Abstract
- A technique used to access a service running on a destination machine via an intermediate server as if it is local to the client machine. The intermediate server functions like a Forward Proxy (正向代理), the Server doesn’t know the actual identity of the client
Main purpose: accessing private services
The main purpose of local port forwarding is accessing private services running on a destination machine as if they are running on the client machine locally.
Client machine can be devices like our laptops that don’t have access to the destination machine, but have access to the intermediate server.
Intermediate server can Bastion host - Wikipedia that has direct access to the destination machine. The intermediate server will only relay traffic from the client machine only if the client machine passes the Authentication (using API key or SSH etc).
Destination machine can be your Database that blocks all access from the Internet and only allows connections from the Intermediate server to minimise the attack surface.
Refer to SSH Local Port Forwarding for a more visual and concrete explanation.
SSH Local Port Forwarding
-
Using SSH to build up a secure connection between the client machine and the intermediate server, this prevents man-in-the-middle attack. The data is transferred in the SSH Channel
-
The diagram below shows the SSH commands used to create a Local Port Forwarding to access private service that is running on the Intermediate server
- The diagram below shows the SSH commands used to create a Local Port Forwarding to access private service that is running on the destination machine via an Intermediate server (Bastion server)
Share private service access to other devices on the same network as the client machine
If your client machine is connected to a Local Area Network (LAN) and has a Private IP Address
192.168.31.3for example. When you run the SSH command, instead puttinglocalhost:8080as shown above, you can replace it with192.168.31.3:8080. This allows all other devices connected to the same LAN to access the private service running on the destination server side!
Fly.io App Port Forwarding
- Local Port Forwarding a local machine Network Port to a fly.io app container port
flyctl proxy <local_port>:<remote_port> -a <app_name>EC2 Port Forwarding
EC2 Configuration
Make sure you are using an Amazon Linux Image, or you have setup system manager on EC2
Use case
The EC2 Bastion is inside an AWS private subset, blocking all incoming traffic from the internet. With the help of AWS SSM, we are able to carry out Local Port Forwarding, so we are able to access the private service running on the bastion host or private services the bastion host has access to by accessing a localhost port.
- Port forward a local machine Network Port to a EC2 instance port
aws ssm start-session \
--target <ssm-managed-instance-id> \
--region <aws_region> \
--document-name AWS-StartPortForwardingSession \
--parameters portNumber=<ec2_port>,localPortNumber=<local_port>- Port forward a local machine Network Port to a private service the EC2 instance has access to
aws ssm start-session \
--target <ssm-managed-instance-id> \
--region <aws_region> \
--document-name AWS-StartPortForwardingSessionToRemoteHost \
--parameters '{"portNumber":["<3306>"],"localPortNumber":["<1053>"],"host":["<remote-database-host-name>"]}'References
- SSH Tunneling - Local & Remote Port Forwarding (by Example) - YouTube
- A Visual Guide to SSH Tunnels: Local and Remote Port Forwarding
- New – Port Forwarding Using AWS System Manager Session Manager | AWS News Blog
- Use port forwarding in AWS Systems Manager Session Manager to connect to remote hosts | AWS Cloud Operations & Migrations Blog
- Start a session - AWS Systems Manager