SSH port-forwarding (Basic)

I think all of you are using SSH in your daily routines. However, do you use its full potential? Today’s topic is the SSH port-forwarding feature and how it can be use to achieve some interesting configurations.

I’m sure most of you are aware of the feature, but how many of you are using it? Personally, I’m a bit obsessed with it and have found numerous cases where this feature of SSH is a real life saver.

Let’s start with simple things and imagine that you have a server where you are running MySQL (as a backend for your website) and that you are not comfortable to work with MySQL neither through the MySQL command line interface nor through a web-interace like phpMyAdmin. Instead you prefer to use, say, MySQL WorkBench or something similar running on your local computer.

How one could do this? Well, I’ve seen a lot that people tend to configure the MySQL server to listen on a public interface (i.e. an interface that is reachable from the Internet), then access it from their computer directly. It’s not that bad if you have a static IP assigned to your computer and you added a firewall rule protecting the MySQL port on the server to be reachable from your IP address only, but what if you are behind some kind of NAT and the same IP address is shared among others in your network? What if you don’t have a static IP and the dynamic IP range assigned by your ISP is too broad? Overall, I personally don’t like running MySQL on a public interface since there were publicly known security vulnerabilities in the MySQL binary protocol, and I can assure you there will be more discovered over the time.

So, what should we do to access our remote database securely and conveniently? Run the MySQL server on (well, if your web server is located on another machine, you may want to bind MySQL to some internal interface – the network that links your servers only, e.g., and then use the SSH port-forwarding feature to setup a tunnel between your remote database and your local computer:

[root@localhost ~]# ssh -L3306: user@server

Here, -L3306: says that we want to be “mapped” to our local host to port 3306. While the SSH session is active any packet sent to localhost:3306 (on your computer) will be forwarded over the SSH encrypted channel to the remote server and then will be fed to remote’s This means that as long as your SSH session is alive you will be able to work with the remote MySQL server like it’s running on your local computer and you can use any MySQL tools locally.

Well, the above command was given for Linux, Mac OSX, and other Unix-based systems. For Windows, you can use PuTTY to achive the same. I found the following instructions for PuTTY.

OK, this is not a new topic and it was described many times here and there on the Internet, but I decided to write this article as a foundation for my further articles on this topic which will cover more advanced usage of the SSH port-forwarding feature. For example, I intend to document a configuration of the MySQL replication setup between two servers located at two different data centres where each server is a part of a server farm protected by a firewall.