SSH Port Forwarding

Technical Background

Firewalls are often configured to block access to all services except essential ones like SSH, reducing the attack surface of a server. When you need temporary access to an internal service (like a web server running on port 80) without opening it publicly, SSH port forwarding provides a secure workaround. With a single SSH connection, you can tunnel traffic from a local port to a remote port, effectively “borrowing” your SSH access to securely reach otherwise blocked services.

Solution

Server Setup

  1. Deploy a server with the same configuration as in 03 Server Security Improvement

  2. Install and start Nginx (the Debian/Ubuntu package name is lowercase `nginx`; `apt` is case-sensitive):

    ```bash
    apt install nginx -y
    systemctl status nginx
    ```

  3. Verify that the web server works by visiting

    ```url
    http://<your-server-ip>
    ```

    !!! Note
        You should see the Nginx welcome page.

SSH Only Firewall

In the Hetzner Cloud Console:

  1. Go to Firewalls > Create Firewall

  2. Edit it so that only one inbound TCP rule remains:

    • Protocol: TCP
    • Port: 22

  3. Remove HTTP (port 80) access

    !!! Warning
        The demonstration only proves something if the port 80 rule is removed: while port 80 is still open, the site is reachable directly and you cannot tell that the tunnel is what delivers it.

    Test that HTTP is now blocked:

    ```bash
    curl http://<server-ip>
    ```

    !!! Note
        Expected output: `curl: (7) Failed to connect to <server-ip> port 80: Connection refused`

Forward Remote Port to Local Port

  1. Use SSH port forwarding from your local machine:

    ```bash
    ssh -L 2000:localhost:80 root@<your-server-ip>
    ```

    !!! Note
        `2000` is the local port on your workstation.
        `localhost:80` is port 80 on the remote server; the `localhost` part is resolved from the server's own perspective, so it means the server itself.

  2. Keep this SSH session running while testing.

Accessing Nginx

Open a browser on your local machine and navigate to:

```url
http://localhost:2000
```

!!! Info
    Even though port 80 is blocked externally, you now see the Nginx welcome page via the secure SSH tunnel.
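To make the mechanism behind `ssh -L` concrete, here is an added illustration (not part of this tutorial, and not OpenSSH code): a tiny TCP relay that does what the SSH client does on the local side of the tunnel. It listens on a port bound to the loopback address, and for each connection it opens a connection to the destination and copies bytes in both directions. A stand-in "remote Nginx" serving a constructed welcome page plays the server role. What the example omits is the encrypted SSH channel that, in the real tunnel, carries the bytes between the two relay halves; it also shows why the listener binds `127.0.0.1` by default, which is the OpenSSH behaviour with `GatewayPorts no` and is what keeps other hosts on your network from riding your tunnel. All port numbers are ephemeral and chosen at runtime.

```python
"""Toy model of the client side of `ssh -L <local_port>:<host>:<port>`.
Added illustration only: a plain TCP relay, with no SSH encryption in between."""
import socket
import threading


def _pump(src, dst):
    # Copy bytes from src to dst until src closes, then half-close dst so the
    # peer sees end-of-stream (this is how the real tunnel propagates EOF).
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_relay(target_host, target_port, bind_addr="127.0.0.1"):
    """Listen on an ephemeral port of bind_addr and relay each client to the target.

    bind_addr defaults to loopback, mirroring ssh -L's default: only processes on
    this machine can reach the forwarded port. Returns (listen_port, stop_fn)."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lsock.bind((bind_addr, 0))
    lsock.listen(5)
    port = lsock.getsockname()[1]

    def serve():
        while True:
            try:
                client, _ = lsock.accept()
            except OSError:
                return  # listener was closed by stop_fn
            # In the real tunnel this connect happens on the SSH server, from its
            # own perspective (hence "localhost:80" in the ssh -L argument).
            upstream = socket.create_connection((target_host, target_port))
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return port, lsock.close


def start_fake_http_server():
    """Stand-in for the remote Nginx: answers every request with a constructed page.
    Returns (port, stop_fn)."""
    body = b"<h1>Welcome to nginx!</h1>"  # constructed sample response body
    ssock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ssock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    ssock.bind(("127.0.0.1", 0))
    ssock.listen(5)
    port = ssock.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = ssock.accept()
            except OSError:
                return
            with conn:
                conn.recv(4096)  # read the request; its content is ignored
                header = b"HTTP/1.0 200 OK\r\nContent-Length: %d\r\n\r\n" % len(body)
                conn.sendall(header + body)

    threading.Thread(target=serve, daemon=True).start()
    return port, ssock.close


def fetch_through_relay(relay_port):
    """Behave like the browser opening http://localhost:<relay_port>."""
    with socket.create_connection(("127.0.0.1", relay_port)) as s:
        s.sendall(b"GET / HTTP/1.0\r\nHost: localhost\r\n\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def demo():
    """Bring up the fake server and the relay, fetch once through the relay,
    tear both down and return the raw HTTP response bytes."""
    http_port, stop_http = start_fake_http_server()
    relay_port, stop_relay = start_relay("127.0.0.1", http_port)
    try:
        return fetch_through_relay(relay_port)
    finally:
        stop_relay()
        stop_http()


if __name__ == "__main__":
    print(demo().decode())
```

Running the file prints the fake welcome page fetched through the relay. If you change `bind_addr` to `"0.0.0.0"` the listener becomes reachable from other hosts, which is exactly the effect of giving `ssh -L` a wildcard bind address or enabling `GatewayPorts`, and is why the loopback default is the safe one.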
