SSH Local Port Forwarding: Fixing “Connection Refused” When Accessing Remote Host from External Machine



Here's the network topology we're working with:

  • HomePC: Your local machine
  • Host A: 10.100.64.112 - Directly accessible
  • Host B: 172.88.3.31 - Only accessible via Host A

The current SSH command creates a tunnel that only listens on localhost (127.0.0.1):

ssh bzaman@10.100.64.112 -L 4420:172.88.3.31:22

This is why you see in netstat:

tcp        0      0 127.0.0.1:4420              0.0.0.0:*                   LISTEN
tcp        0      0 ::1:4420                    :::*                        LISTEN

To make the forwarded port accessible from other machines, we need to modify the SSH command:

ssh bzaman@10.100.64.112 -L '*:4420:172.88.3.31:22'

The asterisk (*) tells SSH to bind to all available interfaces, not just localhost.

Before implementing this solution, be aware that:

  1. Opening the port to all interfaces makes it accessible to anyone on your network
  2. Consider adding firewall rules to restrict access
  3. For production environments, consider using SSH Gateway or VPN instead

If the asterisk syntax doesn't work, you can enable GatewayPorts in the SSH server configuration:

# On Host A's sshd_config
GatewayPorts clientspecified

Then restart the SSH service:

sudo systemctl restart sshd

After making these changes:

$ netstat -tuln | grep 4420
tcp        0      0 0.0.0.0:4420            0.0.0.0:*               LISTEN
tcp6       0      0 :::4420                 :::*                    LISTEN

Now you should be able to connect from HomePC:

ssh -p 4420 10.100.64.112

  • Check Host A's firewall: sudo ufw status
  • Verify SSH server config: sudo grep GatewayPorts /etc/ssh/sshd_config
  • Test connection with telnet: telnet 10.100.64.112 4420

Here's the network topology we're dealing with:

HomePC (Public IP) → [SSH] → Host A (10.100.64.112) → [Internal Network] → Host B (172.88.3.31)

The current SSH tunnel command being used on Host A:

ssh bzaman@10.100.64.112 -L 4420:172.88.3.31:22

The tunnel works when accessed from Host A's localhost (127.0.0.1) but fails when accessed from HomePC. The netstat output reveals why:

tcp    0    0 127.0.0.1:4420    0.0.0.0:*    LISTEN
tcp    0    0 ::1:4420           :::*         LISTEN

This shows the port is only bound to localhost interfaces (IPv4 127.0.0.1 and IPv6 ::1).

To allow connections from HomePC, we need to modify the SSH command to bind to all interfaces:

ssh bzaman@10.100.64.112 -L 0.0.0.0:4420:172.88.3.31:22

The key difference is 0.0.0.0: before the port number, which makes SSH listen on all network interfaces.

Before implementing this solution, consider these security implications:

  • Anyone who can reach Host A on port 4420 can attempt to connect to Host B
  • The connection will still require Host B's credentials
  • For better security, combine with firewall rules to restrict access

Another method is to enable GatewayPorts in Host A's SSH server configuration:

# Edit /etc/ssh/sshd_config on Host A
GatewayPorts yes

# Then restart SSH
sudo systemctl restart sshd

Then your original command will work remotely too.

After making changes, verify with netstat again:

sudo netstat -tulnp | grep 4420
tcp    0    0 0.0.0.0:4420    0.0.0.0:*    LISTEN
tcp6   0    0 :::4420         :::*         LISTEN

Now you should be able to connect from HomePC:

ssh 10.100.64.112 -p 4420
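Both answers rely on reading netstat to tell a loopback-only tunnel from one bound on every interface. As an added helper (not part of either answer), the script below classifies a forwarded port from `netstat -tuln` output, so you can confirm the tunnel is bound only where you intended before adding firewall rules; the sample netstat lines embedded in it are constructed to match the format shown above.

```shell
#!/bin/sh
# Added example (not from the answers above): classify how a forwarded port is
# bound, from `netstat -tuln` output, so you can confirm that a tunnel you did
# not mean to expose is still loopback-only, and that one you did expose is
# listening where you expect, before pointing a firewall rule at it.
#
# Usage: bind_scope PORT < netstat_output
# Prints: none | loopback-only | exposed
bind_scope() {
    port="$1"
    loop=0
    ext=0
    while read -r proto rq sq laddr rest; do
        case "$proto" in tcp|tcp6) ;; *) continue ;; esac   # skip udp and header lines
        case "$rest" in *LISTEN*) ;; *) continue ;; esac    # only listening sockets
        [ "${laddr##*:}" = "$port" ] || continue            # e.g. 127.0.0.1:4420 -> 4420
        case "${laddr%:*}" in                               # address part, e.g. ::1 or 0.0.0.0
            127.*|::1) loop=1 ;;
            *)         ext=1 ;;   # 0.0.0.0, ::, or a specific interface address
        esac
    done
    if   [ "$ext" -eq 1 ];  then echo exposed
    elif [ "$loop" -eq 1 ]; then echo loopback-only
    else                         echo none
    fi
}

# Constructed samples in the form shown by the answers above, for a local run.
BEFORE='tcp        0      0 127.0.0.1:4420              0.0.0.0:*                   LISTEN
tcp        0      0 ::1:4420                    :::*                        LISTEN'
AFTER='tcp        0      0 0.0.0.0:4420            0.0.0.0:*               LISTEN
tcp6       0      0 :::4420                 :::*                    LISTEN'

printf '%s\n' "$BEFORE" | bind_scope 4420   # loopback-only
printf '%s\n' "$AFTER"  | bind_scope 4420   # exposed
```

On a live host, run `netstat -tuln | bind_scope 4420` (or `ss -tln` piped through the same function if your netstat output uses the same column order) after establishing the tunnel.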