Local Port Forwarding
Suppose you want to access the SQL server (at port 3306 of the remote machine) from your local machine, but the SQL server is accessible only via the public server. To reach it from your local machine, you have to forward the connection by running the following command on your local machine.
ssh -L <local-machine ip>:<local port>:<mysql server ip>:3306 firstname.lastname@example.org
Basically, you are sshing into the public server and making the public server forward your port on the local machine to the remote machine at the port where the SQL server is hosted. A quite popular analogy to think about it would be to consider your local machine as “The Listener” and the remote machine as “The Speaker”.
Remote Port Forwarding / Reverse SSH
Let us consider a scenario where you have developed a website, but it doesn't have a public address, so your friend can't see it. To make it visible, you have to run the command below on your local machine:
ssh -R <friend-ip>:<friend port>:<local-ip>:<local port> user@common_server
Your friend just has to type this in his browser:
Voila! Your work is now visible to your friend :)
Dynamic Port Forwarding
Dynamic port forwarding makes use of a proxy server. Suppose you want to see a service hosted on a private IP like 10.204.220.3. Since it is a private IP, you cannot access the service directly from your browser. Instead, you run the following command from your local machine:
ssh -D <local-ip>:1080 email@example.com
You basically route all traffic to and from 10.204.220.3 through your <local-ip>:1080. In the case considered in the diagram, local-ip is set to localhost by default. Now you can configure your browser to use localhost:1080 as its SOCKS proxy.
Considering another example:
To replicate this example, you can run the following command on your local machine:
ssh -D 7777 <user>@<ssh-server>
All your laptop traffic is directed to port 7777. You would have to configure your browser to make a connection at localhost:7777. Now the traffic gets forwarded to the internet via the established secure channel. It is all about tricking the internet into believing that you are browsing from port 7777. However, in reality you are hidden behind the SOCKS proxy server :)
It is sometimes confusing to understand the difference between the use cases of local port forwarding and dynamic port forwarding. A simple way to think about it is:
In local port forwarding, you open the local port in your machine and you specify the endpoint by mentioning “<mysql server ip>:3306” as considered in the first example.
In dynamic port forwarding, you just open a local port on your machine, like 1080, and tell your application (the browser) to use 1080. The browser will simply forward all its traffic to port 1080. And the browser traffic will end at 10.204.220.17 and vice versa.
The difference we notice is that in local port forwarding we fix the endpoint port by explicitly specifying it in the command (3306), but in dynamic port forwarding the port at the endpoint is not fixed.
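To make the comparison between the three modes concrete, here is an added example (not part of the original post) that parses a -L, -R or -D forwarding spec and reports which side opens the listening port, where the traffic ends up, and whether the spec asks for a listener that other hosts can reach. The helper name explain_forward and the sample addresses are assumptions made for illustration; an omitted bind address is treated as loopback-only, which is the OpenSSH default when GatewayPorts is off.

```python
import re

# One field of a forwarding spec: a bracketed IPv6 literal or a run without ':'.
_FIELD = re.compile(r"\[[^\]]*\]|[^:]+")
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def explain_forward(flag, spec):
    """Describe an ssh -L/-R/-D spec (hypothetical helper, TCP host:port forms only).

    Assumption: an omitted bind address means a loopback-only listener,
    the OpenSSH default when GatewayPorts is off.
    """
    if spec.startswith(":"):          # empty bind address means all interfaces
        spec = "*" + spec
    fields = [f.strip("[]") for f in _FIELD.findall(spec)]
    if flag == "-D" and len(fields) in (1, 2):
        bind, port = ([None] + fields)[-2:]
        dest = "chosen per connection by the SOCKS client"
    elif flag in ("-L", "-R") and len(fields) in (3, 4):
        bind, port, host, hostport = ([None] + fields)[-4:]
        dest = f"{host}:{hostport}"   # fixed endpoint, reached from the far side
    else:
        raise ValueError(f"unsupported forwarding spec: {flag} {spec}")
    return {
        # -L and -D open the listening port on your machine, -R on the SSH server
        "listens_on": "server" if flag == "-R" else "client",
        "bind": bind or "localhost",
        "port": int(port),
        "destination": dest,
        # True when the spec asks for a listener reachable from other hosts
        # (for -R, sshd honours this only if its GatewayPorts setting allows it)
        "wide_bind": bind is not None and bind not in LOOPBACK,
    }

if __name__ == "__main__":
    # Constructed sample specs; addresses and ports are illustrative.
    for flag, spec in [("-L", "8080:10.0.0.5:3306"),
                       ("-R", "0.0.0.0:8000:localhost:3000"),
                       ("-D", "1080"),
                       ("-L", ":8080:10.0.0.5:3306")]:
        print(flag, spec, "->", explain_forward(flag, spec))
```

A forward with wide_bind set turns the machine that listens into a relay for anyone who can reach that port, so it is worth checking before a tunnel is left running.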