SSH Tunnels and Forwarding Cheat Sheet

SSH•Permalink

Local, remote, and dynamic SSH forwarding with practical database, web, and bastion tunnel recipes.

View

Standard Detailed Compact

Export

Copy the compact sheet, download it, or print it.

Download

`D` dense toggle · `C` copy all

Forwarding Basics

Local, remote, and SOCKS tunnels.

Create a local port forward

Forward a local port to a remote host and port.

↗#

bashANYsshtunnellocal-forward

bash

ssh -L 5432:db.internal:5432 bastion.example.com

Forward a local port to a remote host and port.

Create a remote port forward

Expose a local service on the remote host.

↗#

bashANYsshtunnelremote-forward

bash

ssh -R 8080:localhost:3000 user@example.com

Expose a local service on the remote host.

Create a SOCKS proxy

Open a local SOCKS proxy for browser or CLI traffic.

↗#

bashANYsshtunnelsocks

bash

ssh -D 1080 user@example.com

Open a local SOCKS proxy for browser or CLI traffic.

Run a tunnel in background

Create a tunnel without running a remote shell.

↗#

bashANYsshtunnelbackground

bash

ssh -fN -L 5432:db.internal:5432 bastion.example.com

Create a tunnel without running a remote shell.

Forward a UNIX socket

Forward a local UNIX socket to a remote UNIX socket.

↗#

bashANYsshtunnelunix-socket

bash

ssh -L /tmp/pg.sock:/var/run/postgresql/.s.PGSQL.5432 user@example.com

Forward a local UNIX socket to a remote UNIX socket.

Remote forward with gateway ports

Allow remote listeners to bind beyond localhost when server policy permits it.

↗#

bashANYsshtunnelgatewayports

bash

ssh -R 0.0.0.0:8080:localhost:3000 user@example.com

Allow remote listeners to bind beyond localhost when server policy permits it.

Tunnel Recipes

Practical DB, web, and multi-hop tunnel patterns.

PostgreSQL tunnel

Access a private PostgreSQL instance through a bastion.

↗#

bashANYsshpostgrestunnel

bash

ssh -fN -L 5432:postgres.internal:5432 bastion.example.com

Access a private PostgreSQL instance through a bastion.

MySQL tunnel

Access a private MySQL instance through a bastion.

↗#

bashANYsshmysqltunnel

bash

ssh -fN -L 3306:mysql.internal:3306 bastion.example.com

Access a private MySQL instance through a bastion.

Tunnel to Kubernetes API

Access a private API server locally.

↗#

bashANYsshkubernetestunnel

bash

ssh -fN -L 6443:k8s-api.internal:6443 bastion.example.com

Access a private API server locally.

Tunnel via jump host

Create a local forward through a ProxyJump bastion.

↗#

bashANYsshjumphosttunnel

bash

ssh -J bastion.example.com -L 9200:elastic.internal:9200 user@private.internal

Create a local forward through a ProxyJump bastion.

Clear configured forwards on command line

Override config-defined forwards for one invocation.

↗#

bashANYsshforwardingconfig

bash

ssh -o ClearAllForwardings=yes user@example.com

Override config-defined forwards for one invocation.

More in SSH

OpenSSH Server Admin Cheat Sheet

sshd administration, config validation, systemd control, logging, hardening, authorized keys, and certificates.

SCP and SFTP Cheat Sheet

SSH-based file transfer with scp and sftp, including recursive copies, jump hosts, interactive commands, and batch mode.

SSH Keys and Agent Cheat Sheet

SSH key generation, authorized_keys management, ssh-keyscan, host keys, ssh-agent, ssh-add, and certificate basics.

SSH Config Cheat Sheet

Client-side SSH configuration examples for aliases, defaults, patterns, includes, ProxyJump, multiplexing, and effective config inspection.

SSH Cheat Sheet

Comprehensive SSH client commands for login, remote execution, auth, multiplexing, jump hosts, and practical options.

Recommended next

No recommendations yet.

Browse all sheets →