SSH Port Forwarding


There are three types of port forwarding supported in PuTTY - Local, Remote and Dynamic. The first decision that needs to be made is which port to use for incoming connections. In theory any port between 1024 and 65535 can be used when forwarding ports - we will use ports 7071 to 7099 in this guide.

The best way of explaining the difference between Local and Remote port forwarding is by using an example setup -

Tunnelling VNC over SSH relies on the use of the loopback interface. Any traffic that a program sends to the loopback interface is immediately received on the computer from which it is sent. It is often used for testing software but is also used in SSH tunnelling and appears throughout this guide. The IP address used for the loopback interface is usually 127.0.0.1, however it can be any address within the 127.*.*.* range. The loopback IP address 127.*.*.* can be substituted with the hostname Localhost when a hostname needs to be specified. When 127.0.0.1 or Localhost is specified it essentially means connect back to this computer.

Local Port Forwarding


The syntax for local port forwarding is -
-L local_listen_port:destination_host:destination_port

Where -

If we wanted to access the home network from the office PC we would use Local port forwarding. To set up an SSH tunnel between office-PC1 and home-PC1 (the SSH Server) we could use the following command (remember home-PC1 has the TightVNC service running and is configured to listen on port 5900) -
-L 7071:127.0.0.1:5900
Note - this is equivalent to entering 7071 in the Source port box and 127.0.0.1:5900 in the Destination box in PuTTY.

To set up an SSH tunnel between office-PC1 and home-PC2 (which has the TightVNC service running and configured to listen on port 5901) we would use the command -L 7072:home-PC2:5901

To remotely access the desktop of home-PC1 (Server) from the office (Client), start VNC viewer on the office PC and enter 127.0.0.1:7071 to connect to port 7071 on the loopback device (port 7071 on the office PC) - this will be redirected to port 5900 on the Server via the SSH tunnel.

To remotely access the desktop of home-PC2 from the office (Client), start the VNC viewer on the office PC and enter 127.0.0.1:7072 to connect to port 7072 on the loopback device (port 7072 on the office PC) - this will be redirected to port 5901 on home-PC2 via the SSH tunnel.

Remote Port Forwarding


The syntax for remote port forwarding is -
-R remote_listen_port:destination_host:destination_port

Where -

If we wanted to access the office PC from home we would use Remote port forwarding. Prior to accessing the office PC from home an SSH Client must be used on the office PC to establish a connection with the home PC (the SSH server). To set up an SSH tunnel between office-PC1 and home-PC1 we could enter the following command (remember office-PC1 has the TightVNC service running and is configured to listen on port 5902) -
-R 7073:127.0.0.1:5902
Note - this is equivalent to entering 7073 in the Source port box and 127.0.0.1:5902 in the Destination box in PuTTY.

Now that a connection has been established it is possible to use the home PC to access the office. To remotely access the desktop of office-PC1 (the office PC running the SSH Client) from home, start VNC viewer on the SSH Server and enter 127.0.0.1:7073 to connect to port 7073 on the loopback device (port 7073 on the Server) - this will be redirected to port 5902 on the Client via the SSH tunnel.
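
The following Python sketch is an added example, not part of the original guide or of PuTTY. It parses the -L and -R specs used above and reports which end of the tunnel listens, which end makes the final connection, and whether the last hop (as with home-PC2) travels outside the encrypted SSH tunnel. The names explain and Forward and the labels ssh-client and ssh-server are illustrative assumptions.

```python
import re
from typing import NamedTuple

LOOPBACK = re.compile(r"^(127(\.\d{1,3}){3}|localhost)$", re.IGNORECASE)

class Forward(NamedTuple):
    kind: str         # "local" (-L) or "remote" (-R)
    listener: str     # end of the tunnel that opens the listening port
    listen_port: int
    connector: str    # end of the tunnel that makes the final TCP connection
    dest_host: str    # resolved from the connector's point of view
    dest_port: int
    notes: list       # points worth reviewing before using the forward

def explain(spec: str) -> Forward:
    """Parse '-L port:host:port' or '-R port:host:port' as written in this guide."""
    m = re.fullmatch(r"-([LR])\s*(\d+):([^:\s]+):(\d+)", spec.strip())
    if not m:
        raise ValueError(f"not a -L/-R forwarding spec: {spec!r}")
    flag, lport, host, dport = m[1], int(m[2]), m[3], int(m[4])
    for p in (lport, dport):
        if not 1 <= p <= 65535:
            raise ValueError(f"port out of range: {p}")
    # -L listens on the SSH client, -R listens on the SSH server;
    # the opposite end of the tunnel connects to destination_host.
    if flag == "L":
        kind, listener, connector = "local", "ssh-client", "ssh-server"
    else:
        kind, listener, connector = "remote", "ssh-server", "ssh-client"
    notes = []
    if lport < 1024:
        notes.append("listen port is below 1024")
    if not LOOPBACK.match(host):
        # SSH only protects traffic between client and server.
        notes.append(f"hop from {connector} to {host} is outside the SSH tunnel")
    return Forward(kind, listener, lport, connector, host, dport, notes)

if __name__ == "__main__":
    for spec in ("-L 7071:127.0.0.1:5900", "-L 7072:home-PC2:5901", "-R 7073:127.0.0.1:5902"):
        print(spec, "->", explain(spec))
```

For -L 7072:home-PC2:5901 the note shows that VNC traffic between home-PC1 and home-PC2 crosses the home network without SSH protection.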

Dynamic Port Forwarding


Dynamic port forwarding (-D command-line option) is used for SOCKS proxy connections.

For more information on port forwarding refer to the PuTTY documentation.