Home > bash > ssh – Local Port Forwarding

ssh – Local Port Forwarding

1. I have a devpi server on (devpi-server) on port 3141 on a vagrant box.
2. I have code on (mybox) that will install software cached by
3. I have dh-virtualenv that is used when building debian packages that explicitly points to

The issue is that because of 3, when someone else checks out my code, they need to remember to manually change the IP address. This is not acceptable. I can do better.

Port forward to localhost:3141 and use that in the configuration file. That way when someone checks out my code they just need to ensure that they have devpi-server listening on their localhost. Everyone is happy.

1. On a terminal on my dev box aka mybox I run netstat to check what is listening if anything on port 3141.

NETSTAT(8) Linux Programmer’s Manual NETSTAT(8)

netstat – Print network connections, routing tables, interface statistics, masquerade connections, and multicast memberships

netstat [address_family_options] [–tcp|-t] [–udp|-u] [–raw|-w] [–listening|-l] [–all|-a] [–numeric|-n] [–numeric-hosts] [–numeric-ports] [–numeric-users] [–symbolic|-N]
[–extend|-e[–extend|-e]] [–timers|-o] [–program|-p] [–verbose|-v] [–continuous|-c]

mybox:~ $ netstat --tcp --listening --numeric --program --udp | grep 3141
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)

As per above output, I have nothing on 3141. From the ssh man page. I am interested in the -L option.

SSH(1) BSD General Commands Manual SSH(1)

ssh — OpenSSH SSH client (remote login program)

ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec] [-D [bind_address:]port] [-E log_file] [-e escape_char] [-F configfile] [-I pkcs11] [-i identity_file]
[-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port] [-Q cipher | cipher-auth | mac | kex | key]
[-R [bind_address:]port:host:hostport] [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]] [user@]hostname [command]

ssh (SSH client) is a program for logging into a remote machine and for executing commands on a remote machine. It is intended to replace rlogin and rsh, and provide secure encrypted com‐
munications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP ports can also be forwarded over the secure channel.

-L [bind_address:]port:host:hostport
Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side. This works by allocating a socket to listen to port on
the local side, optionally bound to the specified bind_address. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is
made to host port hostport from the remote machine. Port forwardings can also be specified in the configuration file. IPv6 addresses can be specified by enclosing the address in
square brackets. Only the superuser can forward privileged ports. By default, the local port is bound in accordance with the GatewayPorts setting. However, an explicit
bind_address may be used to bind the connection to a specific address. The bind_address of “localhost” indicates that the listening port be bound for local use only, while an empty
address or ‘*’ indicates that the port should be available from all interfaces.

2. I then connect to the devpi-server from the dev box using ssh.

mybox:~ $ ssh -L localhost:3141: vagrant@


mybox:~ $ ssh -L 3141: vagrant@

3. I open up another terminal on the dev box and run netstat:

 mybox:~ $ netstat -tlnup | grep 3141
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0*               LISTEN      2047/ssh
tcp6       0      0 ::1:3141                :::*                    LISTEN      2047/ssh

This means that my traffic for is being forwarded through to the devpi-server.



  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: