CS Notes

Recent Updates

See 587 more →

Local Port Forwarding

576 words, 3 min read
Last updated on May 04, 2024
🌟 Edit This Page!   🗓️ History

Xinyang YU

Abstract

  • A technique used to access a service running on a destination machine via an intermediate server as if it is local to the client machine. The intermediate server functions like a Forward Proxy (正向代理), the Server doesn’t know the actual identity of the client

Main purpose: accessing private services

The main purpose of local port forwarding is accessing private services running on a destination machine as if they are running on the client machine locally.

Client machine can be devices like our laptops that don’t have access to the destination machine, but have access to the intermediate server.

Intermediate server can Bastion host - Wikipedia that has direct access to the destination machine. The intermediate server will only relay traffic from the client machine only if the client machine passes the Authentication (using API key or SSH etc).

Destination machine can be your Database that blocks all access from the Internet and only allows connections from the Intermediate server to minimise the attack surface.

Refer to SSH Local Port Forwarding for a more visual and concrete explanation.

SSH Local Port Forwarding

  • Using SSH to build up a secure connection between the client machine and the intermediate server, this prevents man-in-the-middle attack. The data is transferred in the SSH Channel


  • The diagram below shows the SSH commands used to create a Local Port Forwarding to access private service that is running on the Intermediate server

  • The diagram below shows the SSH commands used to create a Local Port Forwarding to access private service that is running on the destination machine via an Intermediate server (Bastion server)

Share private service access to other devices on the same network as the client machine

If your client machine is connected to a Local Area Network (LAN) and has a Private IP Address 192.168.31.3 for example. When you run the SSH command, instead putting localhost:8080 as shown above, you can replace it with 192.168.31.3:8080. This allows all other devices connected to the same LAN to access the private service running on the destination server side!

Fly.io App Port Forwarding

flyctl proxy <local_port>:<remote_port> -a <app_name>

EC2 Port Forwarding

EC2 Configuration

Make sure you are using an Amazon Linux Image, or you have setup system manager on EC2

Use case

The EC2 Bastion is inside an AWS private subset, blocking all incoming traffic from the internet. With the help of AWS SSM, we are able to carry out Local Port Forwarding, so we are able to access the private service running on the bastion host or private services the bastion host has access to by accessing a localhost port.

  • Port forward a local machine Network Port to a EC2 instance port

aws ssm start-session \
--target <ssm-managed-instance-id> \
--region <aws_region> \
--document-name AWS-StartPortForwardingSession \
--parameters portNumber=<ec2_port>,localPortNumber=<local_port>
  • Port forward a local machine Network Port to a private service the EC2 instance has access to

aws ssm start-session \
--target <ssm-managed-instance-id> \
--region <aws_region> \
--document-name AWS-StartPortForwardingSessionToRemoteHost \
--parameters '{"portNumber":["<3306>"],"localPortNumber":["<1053>"],"host":["<remote-database-host-name>"]}'

References

Backlinks

Graph View