7. TCP/IP Port Forwarding
7.1. Requesting Port Forwarding
A party need not explicitly request forwardings from its own end to the other direction: it can simply open a channel to the other side whenever a local connection arrives. However, if it wishes that connections to a port on the other side be forwarded to the local side, it must explicitly request this.
byte SSH_MSG_GLOBAL_REQUEST
string "tcpip-forward"
boolean want reply
string address to bind (e.g., "0.0.0.0")
uint32 port number to bind
The address to bind and port number to bind specify the IP address (or domain name) and port on which connections for forwarding are to be accepted. Some strings used for address to bind have special-case semantics.
- "" means that connections are to be accepted on all protocol families supported by the SSH implementation.
- "0.0.0.0" means to listen on all IPv4 addresses.
- "::" means to listen on all IPv6 addresses.
- "localhost" means to listen on all protocol families supported by the SSH implementation on loopback addresses only ([RFC3330] and [RFC3513]).
- "127.0.0.1" and "::1" indicate listening on the loopback interfaces for IPv4 and IPv6, respectively.
Note that the client can still filter connections based on the information passed in the "forwarded-tcpip" open request (the address and port that were connected, and the originator address and port).
Implementations should only allow forwarding privileged ports if the user has been authenticated as a privileged user.
Client implementations SHOULD reject these messages; they are normally only sent by the client.
If a client passes 0 as port number to bind and has want reply as TRUE, then the server allocates the next available unprivileged port number and replies with the following message; otherwise, there is no response-specific data.
byte SSH_MSG_REQUEST_SUCCESS
uint32 port that was bound on the server
A port forwarding can be canceled with the following message. Note that channel open requests may be received until a reply to this message is received.
byte SSH_MSG_GLOBAL_REQUEST
string "cancel-tcpip-forward"
boolean want reply
string address to bind (e.g., "127.0.0.1")
uint32 port number to bind
Client implementations SHOULD reject these messages; they are normally only sent by the client.
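As an added example (not part of the RFC text, and not OpenSSH's code), the following Python models the server side of the 7.1 exchange: it encodes and parses "tcpip-forward" and "cancel-tcpip-forward", applies the special bind-address strings, refuses privileged ports for an unprivileged user, refuses a duplicate bind, and allocates a port when the client asks for port 0 with want reply TRUE. The numeric message values 80, 81 and 82 are the SSH_MSG_GLOBAL_REQUEST, SSH_MSG_REQUEST_SUCCESS and SSH_MSG_REQUEST_FAILURE numbers assigned in RFC 4250, not in this section; IPPORT_RESERVED, the ForwardingServer class, its allocate_port callback and the 49152 default are assumptions made for illustration.

```python
import struct

# Message numbers are assigned in RFC 4250; the section above names only the symbols.
SSH_MSG_GLOBAL_REQUEST = 80
SSH_MSG_REQUEST_SUCCESS = 81
SSH_MSG_REQUEST_FAILURE = 82
IPPORT_RESERVED = 1024          # assumption: ports below this are privileged on Unix-like hosts

# The special-case bind strings of 7.1 mapped to the addresses a server would listen on.
SPECIAL_BIND = {
    "": ("0.0.0.0", "::"),              # every protocol family, wildcard
    "0.0.0.0": ("0.0.0.0",),
    "::": ("::",),
    "localhost": ("127.0.0.1", "::1"),  # every protocol family, loopback only
    "127.0.0.1": ("127.0.0.1",),
    "::1": ("::1",),
}


def pack_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def build_global_request(name: bytes, address: str, port: int, want_reply: bool) -> bytes:
    """Encode "tcpip-forward" / "cancel-tcpip-forward" exactly as laid out in 7.1."""
    return (bytes([SSH_MSG_GLOBAL_REQUEST]) + pack_string(name)
            + bytes([1 if want_reply else 0])
            + pack_string(address.encode("ascii")) + struct.pack(">I", port))


def parse_global_request(payload: bytes):
    """Return (name, want_reply, address, port); raise ValueError on a malformed packet."""
    pos = 0

    def uint32() -> int:
        nonlocal pos
        if pos + 4 > len(payload):
            raise ValueError("truncated uint32")
        (v,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        return v

    def string() -> bytes:
        nonlocal pos
        n = uint32()
        if pos + n > len(payload):
            raise ValueError("string length outruns packet")  # never trust the length field
        value = payload[pos:pos + n]
        pos += n
        return value

    if len(payload) < 2 or payload[0] != SSH_MSG_GLOBAL_REQUEST:
        raise ValueError("not SSH_MSG_GLOBAL_REQUEST")
    pos = 1
    name = string()
    if pos >= len(payload):
        raise ValueError("truncated boolean")
    want_reply = payload[pos] != 0
    pos += 1
    address = string().decode("ascii")      # a non-ASCII bind string is malformed
    port = uint32()
    if pos != len(payload):
        raise ValueError("trailing bytes")
    return name, want_reply, address, port


class ForwardingServer:
    """Hypothetical server-side policy for the 7.1 requests (illustration, not sshd)."""

    def __init__(self, user_is_privileged: bool, allocate_port=lambda: 49152):
        self.user_is_privileged = user_is_privileged
        self.allocate_port = allocate_port  # stand-in for asking the OS for a free ephemeral port
        self.listeners = {}                 # (address, port) -> addresses actually listened on

    def handle(self, payload: bytes):
        """Return the reply payload, or None when the client did not want a reply."""
        name, want_reply, address, port = parse_global_request(payload)
        success = bytes([SSH_MSG_REQUEST_SUCCESS]) if want_reply else None
        failure = bytes([SSH_MSG_REQUEST_FAILURE]) if want_reply else None
        if port > 65535:                    # uint32 on the wire, but a TCP port is 16 bits
            return failure
        if name == b"cancel-tcpip-forward":
            return success if self.listeners.pop((address, port), None) else failure
        if name != b"tcpip-forward":
            return failure                  # not a request this example understands
        if 0 < port < IPPORT_RESERVED and not self.user_is_privileged:
            return failure                  # 7.1: privileged ports need a privileged user
        if port == 0:
            if not want_reply:
                return None                 # client could never learn the port; bind nothing
            port = self.allocate_port()
            success = bytes([SSH_MSG_REQUEST_SUCCESS]) + struct.pack(">I", port)
        if (address, port) in self.listeners:
            return failure                  # already bound on this connection
        # Any other string is taken as a literal address or domain name, as 7.1 permits.
        self.listeners[(address, port)] = SPECIAL_BIND.get(address, (address,))
        return success
```

The port-0 path returns SSH_MSG_REQUEST_SUCCESS followed by the uint32 that was bound, which is the only reply in this section that carries response-specific data; every other successful request answers with the bare message byte.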
7.2. TCP/IP Forwarding Channels
When a connection comes to a port for which remote forwarding has been requested, a channel is opened to forward the port to the other side.
byte SSH_MSG_CHANNEL_OPEN
string "forwarded-tcpip"
uint32 sender channel
uint32 initial window size
uint32 maximum packet size
string address that was connected
uint32 port that was connected
string originator IP address
uint32 originator port
Implementations MUST reject these messages unless they have previously requested a remote TCP/IP port forwarding with the given port number.
When a connection comes to a locally forwarded TCP/IP port, the following packet is sent to the other side. Note that these messages MAY also be sent for ports for which no forwarding has been explicitly requested. The receiving side must decide whether to allow the forwarding.
byte SSH_MSG_CHANNEL_OPEN
string "direct-tcpip"
uint32 sender channel
uint32 initial window size
uint32 maximum packet size
string host to connect
uint32 port to connect
string originator IP address
uint32 originator port
The host to connect and port to connect specify the TCP/IP host and port where the recipient should connect the channel. The host to connect may be either a domain name or a numeric IP address.
The originator IP address is the numeric IP address of the machine from where the connection request originates, and the originator port is the port on the host from where the connection originated.
Forwarded TCP/IP channels are independent of any sessions, and closing a session channel does not in any way imply that forwarded connections should be closed.
Client implementations SHOULD reject direct TCP/IP open requests for security reasons: a server that could open "direct-tcpip" channels toward the client would be able to reach arbitrary hosts on the client's network.
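As an added example (not part of the RFC text, and not any implementation's own code), the following Python encodes and validates the two 7.2 channel-open messages from the receiving side: a "forwarded-tcpip" open is accepted only if it matches a forwarding this end previously requested (the address check is stricter than the port-only minimum the text requires), a "direct-tcpip" open is rejected outright by a client and checked against an allow-list by a server, and the originator address is verified to be numeric as 7.2 states. The message number 90 and 92 values are from RFC 4250 and the reason code 1 (SSH_OPEN_ADMINISTRATIVELY_PROHIBITED) and failure layout from RFC 4254 section 5.1, none of which appear in this section; the role strings, the permit_open allow-list and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import struct

SSH_MSG_CHANNEL_OPEN = 90                   # message numbers assigned in RFC 4250
SSH_MSG_CHANNEL_OPEN_FAILURE = 92
SSH_OPEN_ADMINISTRATIVELY_PROHIBITED = 1    # reason code from RFC 4254 section 5.1


def pack_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def build_channel_open(kind: bytes, sender: int, addr: str, port: int,
                       orig_ip: str, orig_port: int,
                       window: int = 2 * 1024 * 1024, max_packet: int = 32768) -> bytes:
    """Encode a forwarded-tcpip or direct-tcpip SSH_MSG_CHANNEL_OPEN as laid out in 7.2."""
    return (bytes([SSH_MSG_CHANNEL_OPEN]) + pack_string(kind)
            + struct.pack(">III", sender, window, max_packet)
            + pack_string(addr.encode("ascii")) + struct.pack(">I", port)
            + pack_string(orig_ip.encode("ascii")) + struct.pack(">I", orig_port))


def decode(payload: bytes, layout: str) -> list:
    """Decode RFC 4251 fields by layout letter: y=byte, u=uint32, s=string.

    Raises ValueError (or struct.error) on a truncated or over-long packet.
    """
    out, pos = [], 0
    for kind in layout:
        if kind == "y":
            if pos >= len(payload):
                raise ValueError("truncated byte")
            out.append(payload[pos]); pos += 1
        elif kind == "u":
            (v,) = struct.unpack_from(">I", payload, pos); pos += 4; out.append(v)
        else:
            (n,) = struct.unpack_from(">I", payload, pos); pos += 4
            if pos + n > len(payload):
                raise ValueError("string length outruns packet")
            out.append(payload[pos:pos + n]); pos += n
    if pos != len(payload):
        raise ValueError("trailing bytes in CHANNEL_OPEN")
    return out


def bind_covers(bind_addr: str, addr: str) -> bool:
    """Does a 7.1 bind string this end requested cover the address a connection arrived on?"""
    if bind_addr in ("", "0.0.0.0", "::"):
        return True
    if bind_addr == "localhost":
        return addr in ("127.0.0.1", "::1", "localhost")
    return bind_addr == addr


def decide_channel_open(payload: bytes, role: str, requested, permit_open=()):
    """Accept or reject a forwarded-tcpip / direct-tcpip open on the receiving side.

    role:        "client" or "server" (assumed labels for which end receives the message)
    requested:   {(bind_addr, port), ...} this end asked for with "tcpip-forward"
    permit_open: {(host, port), ...} a server allows direct-tcpip to (hypothetical policy)
    Returns (accepted, sender_channel, reason).
    """
    (msg, kind, sender, _window, _max_packet,
     addr, port, orig_ip, orig_port) = decode(payload, "ysuuususu")
    if msg != SSH_MSG_CHANNEL_OPEN:
        raise ValueError("not SSH_MSG_CHANNEL_OPEN")
    addr, orig_ip = addr.decode("ascii"), orig_ip.decode("ascii")
    if port > 65535 or orig_port > 65535:
        return False, sender, "port out of range"
    try:
        ipaddress.ip_address(orig_ip)   # 7.2: numeric; informational only, never an authorization input
    except ValueError:
        return False, sender, "originator address is not a numeric IP"
    if kind == b"forwarded-tcpip":
        # 7.2: MUST reject unless a forwarding for this port was requested; a server never
        # requests one, so its `requested` set is empty and every such open is rejected.
        if any(p == port and bind_covers(b, addr) for b, p in requested):
            return True, sender, "matches a requested forwarding"
        return False, sender, "no matching tcpip-forward request"
    if kind == b"direct-tcpip":
        if role == "client":
            return False, sender, "clients do not accept direct-tcpip"   # 7.2, last sentence
        if (addr, port) in permit_open:
            return True, sender, "permitted by policy"
        return False, sender, "target not permitted"
    return False, sender, "unknown channel type"


def open_failure(recipient: int, description: str) -> bytes:
    """SSH_MSG_CHANNEL_OPEN_FAILURE, ADMINISTRATIVELY_PROHIBITED (layout per RFC 4254 section 5.1)."""
    return (bytes([SSH_MSG_CHANNEL_OPEN_FAILURE])
            + struct.pack(">II", recipient, SSH_OPEN_ADMINISTRATIVELY_PROHIBITED)
            + pack_string(description.encode()) + pack_string(b""))
```

The "recipient channel" in the failure is the sender channel taken from the open request, which is why decide_channel_open hands it back even when it rejects; the originator fields are parsed and sanity-checked but, as 7.2 notes, they describe where the connection came from and are supplied by the peer, so no accept decision above depends on them.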