SSH Remote Port Forwarding: Clarifying “GatewayPorts yes” Configuration on Client vs Server



When setting up remote port forwarding with SSH, there's persistent confusion about where to place the GatewayPorts yes directive. This configuration determines whether remote hosts can connect to forwarded ports, and its placement is crucial for proper functionality.

In SSH terminology:

Local Machine (client) → ssh command origin
Remote Machine (server) → sshd daemon running

The GatewayPorts setting must be configured on the remote SSH server (where sshd runs), not the local machine initiating the connection. This controls whether the server allows remote hosts to connect to forwarded ports.

On your remote server (typically running Linux):

# Edit sshd configuration
sudo nano /etc/ssh/sshd_config

# Add or modify the line
GatewayPorts yes

# Restart SSH service
sudo systemctl restart sshd

After configuring the server, you can establish forwarding from your client:

ssh -R 8080:localhost:80 user@remote-server

This makes port 8080 on the remote server reachable from other machines on its network (with GatewayPorts yes, sshd binds the listener to the wildcard address instead of loopback), forwarding connections to port 80 on your local machine.

Be aware that enabling GatewayPorts:

  • Exposes forwarded ports to the server's network
  • Should be combined with firewall rules
  • May require additional authentication measures

If forwarding isn't working as expected:

  1. Verify sshd_config changes took effect
  2. Check server firewall rules
  3. Test connectivity with netcat or telnet

When setting up remote SSH port forwarding, there's persistent confusion about where to place the GatewayPorts yes directive. This critical setting determines whether remote hosts can connect to forwarded ports, but its placement depends entirely on your network architecture.

The GatewayPorts configuration must be set on the SSH server (the machine receiving the SSH connection), not the client machine where you run the ssh command. This is because port forwarding permissions are enforced at the server level.

# Correct placement (on SSH server)
# /etc/ssh/sshd_config
GatewayPorts yes

Consider this common remote port forwarding scenario:

# Client command (local machine)
ssh -R 8080:localhost:80 user@server.example.com

For external hosts to access port 8080 on server.example.com, the server's sshd_config must include:

# On server.example.com
Match Address *
    GatewayPorts yes
    AllowTcpForwarding yes

When enabling GatewayPorts, consider these security measures:

# Recommended secure configuration
Match Group portforwarders
    # Let the client pick the bind address (-R bind:port:host:port);
    # with no bind address given the listener stays on loopback
    GatewayPorts clientspecified
    # PermitOpen limits -L/-D destinations only; the listen side of -R is
    # governed by PermitListen (OpenSSH 7.8 and later). Replace host:port.
    PermitOpen host:port

If your forwarded ports aren't accessible:

  1. Verify sshd_config changes with sudo sshd -t
  2. Restart SSH service: sudo systemctl restart sshd
  3. Check the bind address with netstat -tuln | grep 8080 (or ss -tuln): 0.0.0.0 or :: means the listener is reachable from the network, 127.0.0.1 means loopback only

For more granular control, use matching rules:

Match User deploy-user
    GatewayPorts yes
    # PermitOpen restricts -L/-D destinations, not where -R listens; it takes
    # exact host:port entries, and '*' is only valid as a whole host or port
    # (192.168.1.*:* would never match). Example hosts, separated by spaces:
    PermitOpen 192.168.1.10:* 192.168.1.11:*

Match Group developers
    GatewayPorts no
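As an added example (not code from the original page or from OpenSSH), the following Python resolves which GatewayPorts value sshd applies to a given login from a config fragment built from the Match blocks above, and reports where a -R listener will bind as a result. It assumes sshd's documented rule that the first value set in a matching Match block wins and overrides the global section, and it handles only the User, Group and Address criteria.

```python
from fnmatch import fnmatchcase
import ipaddress

# Constructed sshd_config fragment (not taken from any real host).
SAMPLE_CONFIG = """\
GatewayPorts no
Match User deploy-user
    GatewayPorts yes
Match Group developers
    GatewayPorts no
Match Group portforwarders
    GatewayPorts clientspecified
"""

def _match_applies(criteria, user, groups, address):
    """True when every User/Group/Address criterion on a Match line holds."""
    for key, pattern in zip(criteria[::2], criteria[1::2]):
        key, pats = key.lower(), pattern.split(",")
        if key == "user" and not any(fnmatchcase(user, p) for p in pats):
            return False
        if key == "group" and not any(fnmatchcase(g, p) for g in groups for p in pats):
            return False
        if key == "address" and not any(p == "*" or ipaddress.ip_address(address)
                                        in ipaddress.ip_network(p, strict=False) for p in pats):
            return False
    return True

def effective_gateway_ports(config, user, groups=(), address="127.0.0.1"):
    """First value set in a matching Match block wins; Match overrides global; default 'no'."""
    global_value = match_value = None
    in_match = active = False
    for raw in config.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1) or [""]  # strip comments/blank lines
        key, rest = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            in_match, active = True, _match_applies(rest.split(), user, groups, address)
        elif key == "gatewayports":
            if not in_match and global_value is None:
                global_value = rest.lower()
            elif in_match and active and match_value is None:
                match_value = rest.lower()
    return match_value or global_value or "no"

def listener_bind(gateway_ports, client_bind=None):
    """Address an `ssh -R [bind:]port:host:port` listener gets on the server."""
    if gateway_ports == "yes":
        return "0.0.0.0"  # wildcard: reachable from the server's network
    if gateway_ports == "clientspecified" and client_bind:
        return "0.0.0.0" if client_bind == "*" else client_bind  # client's choice
    return "127.0.0.1"  # 'no', or no bind address given: loopback only
```

A user in both developers and portforwarders gets "no" because the developers block comes first in the file, which is the ordering trap to watch for when layering Match rules.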