How to Configure SSH Reverse Port Forwarding in PuTTY with Specific Bind Address


When setting up SSH reverse port forwarding (also called remote port forwarding) with PuTTY, you might want to expose a local service (e.g., a web server on port 80) through a remote server's public interface. By default, the forwarded port is bound to localhost on the server, making it accessible only from the server itself. To accept external connections, the listener has to bind to a non-loopback address.

To achieve this, two things are necessary:

  • The SSH server must have GatewayPorts enabled in sshd_config.
  • PuTTY must be configured to forward the port correctly.

Follow these steps in PuTTY:

  1. Open PuTTY and enter your server's hostname or IP.
  2. Navigate to Connection > SSH > Tunnels.
  3. In the Source port field, enter the remote port (e.g., 8080).
  4. In the Destination field, enter localhost:80 (or your local service's port).
  5. Select Remote and check Auto.
  6. For external binding, modify the source port to include the bind address: 0.0.0.0:8080.

If you prefer using the command line, here's the equivalent OpenSSH command:

ssh -R 0.0.0.0:8080:localhost:80 user@server.tld

After establishing the connection:

  • On the server, run netstat -tuln | grep 8080 to confirm the port is listening on all interfaces.
  • Test access from an external machine: curl http://server.tld:8080.

If it doesn't work:

  • Check /etc/ssh/sshd_config on the server for GatewayPorts yes.
  • Ensure no firewall is blocking port 8080.
  • Restart the SSH service after config changes: sudo systemctl restart sshd.
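
The verification and troubleshooting checks above, scripted as an added bash example (not part of the original page): it classifies which address a forwarded port is actually bound to and reads the global GatewayPorts value. The function names `gatewayports_setting` and `bind_scope` are hypothetical, and the sample listener output is constructed.

```bash
#!/usr/bin/env bash
# Added example: classify how a forwarded port is bound and read GatewayPorts.

# gatewayports_setting [FILE]: effective global GatewayPorts value.
# sshd keeps the first value it reads for a keyword; if absent, the default is "no".
# Simplifications (assumptions): Include files are not followed, and anything
# after the first Match block is ignored because it is conditional.
# Values: no = loopback only, yes = wildcard address,
# clientspecified = the client chooses the bind address.
gatewayports_setting() {
  awk '
    /^[ \t]*#/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == "gatewayports" { print tolower($2); found = 1; exit }
    END { if (!found) print "no" }' "${1:--}"
}

# bind_scope PORT: reads `ss -tln` or `netstat -tln` output on stdin and
# prints all-interfaces, specific:<addr>, loopback-only, or not-listening.
bind_scope() {
  awk -v port="$1" '
    /LISTEN/ {
      for (i = 1; i <= NF; i++) {
        if ($i ~ (":" port "$")) {          # first match is the local address
          addr = $i; sub(":" port "$", "", addr)
          if (addr ~ /^(0\.0\.0\.0|\[::\]|::|\*)$/) wild = 1
          else if (addr ~ /^(127\.0\.0\.1|\[::1\]|::1)$/) loop = 1
          else other = addr
          break
        }
      }
    }
    END {
      if (wild) print "all-interfaces"
      else if (other != "") print "specific:" other
      else if (loop) print "loopback-only"
      else print "not-listening"
    }'
}

# Constructed sample: the tunnel is up but sshd bound it to loopback only,
# which is what a missing GatewayPorts setting looks like on the server.
sample_ss='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      128        127.0.0.1:8080      0.0.0.0:*'
printf 'port 8080: %s\n' "$(printf '%s\n' "$sample_ss" | bind_scope 8080)"
printf 'GatewayPorts: %s\n' "$(printf '#GatewayPorts yes\n' | gatewayports_setting)"
```

On a real server, run `ss -tln | bind_scope 8080` and `gatewayports_setting /etc/ssh/sshd_config`.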

When establishing SSH reverse port forwarding through PuTTY, many developers face the challenge of exposing the forwarded port on the server's external interface rather than just localhost. By default, SSH binds forwarded ports to 127.0.0.1, which prevents external access.

To make port 8080 accessible on the server's external interface:

  1. Open PuTTY and navigate to Connection → SSH → Tunnels
  2. In the "Source port" field, enter: 8080
  3. In the "Destination" field, enter: localhost:80
  4. Select the "Remote" radio button (for reverse forwarding)
  5. Check "Local ports accept connections from other hosts"

In the server's sshd_config file (/etc/ssh/sshd_config), ensure the following is set:


GatewayPorts yes

Then restart the SSH service:


sudo systemctl restart sshd

After establishing the connection:


# On the server, check listening ports
ss -tulnp | grep 8080

# From an external machine, test connectivity
curl http://server.tld:8080

If you prefer command-line SSH instead of PuTTY:


ssh -R 0.0.0.0:8080:localhost:80 user@server.tld

The 0.0.0.0 prefix explicitly binds to all interfaces.

If the port is still not reachable from outside, common causes are:

  • Firewall rules blocking port 8080
  • SELinux restrictions on non-standard ports
  • Server network interface not properly configured
  • Missing GatewayPorts configuration