
SSH Tunneling on AIX: Port Forwarding Guide [With Examples]

SSH tunneling (port forwarding) allows you to securely access services through an encrypted SSH connection. This guide covers all types of SSH tunneling on AIX with practical examples for database access, web services, and more.

Understanding SSH Tunneling

SSH tunneling creates encrypted channels between your local machine and remote services. Three types exist:

Type          Direction        Use Case
Local (-L)    Local → Remote   Reach a remote service from your local machine
Remote (-R)   Remote → Local   Expose a local service to the remote network
Dynamic (-D)  SOCKS proxy      Route any TCP connection through the SSH server, destination chosen per connection by the client

Local Port Forwarding (-L)

Local forwarding makes a remote service available on your local machine.

Syntax:

ssh -L [local_addr:]local_port:remote_host:remote_port user@ssh_server

Example 1: Access Remote Database

Your AIX server has a DB2 database on port 50000 that's only accessible locally. Access it from your workstation:

# Forward local port 50000 to AIX server's localhost:50000
ssh -L 50000:localhost:50000 admin@aix-server

# Now point the DB2 client at localhost:50000 from your workstation.
# The CLP has no host/port option on CONNECT, so catalog a node and database first:
db2 catalog tcpip node AIXTUN remote localhost server 50000
db2 catalog database MYDB at node AIXTUN
db2 connect to MYDB user admin

Example 2: Access Web Application Behind Firewall

A web application runs on internal server 10.10.1.50:8080, accessible only from your AIX jump host:

# Connect through AIX jump host
ssh -L 8080:10.10.1.50:8080 admin@aix-jumphost

# Access in browser: http://localhost:8080

Example 3: Access Remote MySQL/PostgreSQL

# PostgreSQL on remote AIX server
ssh -L 5432:localhost:5432 admin@aix-db-server

# MySQL on internal server via AIX jump host
ssh -L 3306:192.168.1.100:3306 admin@aix-jumphost

# Connect locally
psql -h localhost -p 5432 -U dbuser mydatabase

Example 4: Multiple Port Forwards

# Forward multiple ports in one connection
ssh -L 5432:db-server:5432 \
    -L 8080:web-server:80 \
    -L 6379:redis-server:6379 \
    admin@aix-jumphost

Bind to All Interfaces

By default, forwarded ports bind to localhost only, so only processes on your own machine can use the tunnel. To let other machines use it, give -L an explicit bind address:

# Bind to all interfaces (0.0.0.0)
ssh -L 0.0.0.0:8080:internal-server:80 admin@aix-jumphost

# Or a specific interface
ssh -L 192.168.1.10:8080:internal-server:80 admin@aix-jumphost

Note: an explicit bind address on -L needs no server-side setting; the client-side GatewayPorts option in ssh_config only changes the default used when no address is given. It is the remote side (-R) whose bind address is governed by GatewayPorts in the server's sshd_config. Either way, anyone who can reach the bound port enters the tunnel with no further authentication, so firewall the port or bind to a single interface.

Remote Port Forwarding (-R)

Remote forwarding exposes a local service to the remote network.

Syntax:

ssh -R [remote_addr:]remote_port:local_host:local_port user@ssh_server

Example 1: Expose Local Web Server

You're developing locally and want to show your work to someone on the AIX network:

# Expose local port 3000 on AIX server's port 8080
ssh -R 8080:localhost:3000 admin@aix-server

# By default sshd binds the remote listener to aix-server's loopback only,
# so it is reachable only from aix-server itself as localhost:8080.
# For other users on the AIX network to reach http://aix-server:8080 the
# server needs GatewayPorts yes (or clientspecified, with -R 0.0.0.0:8080:localhost:3000)

Example 2: Expose Local Database for Remote Access

# Expose local PostgreSQL to AIX server
ssh -R 5432:localhost:5432 admin@aix-server

# From AIX server, connect to forwarded port
psql -h localhost -p 5432 -U myuser mydb

Example 3: Reverse Tunnel for Remote Support

Allow remote support to access your local machine:

# On your machine (behind NAT/firewall)
ssh -R 2222:localhost:22 support@public-server

# Support can now SSH to your machine via public-server
ssh -p 2222 youruser@localhost  # (run on public-server)

Enable GatewayPorts on Server

For remote forwards to be accessible from other hosts, change GatewayPorts on the server. Run sshd -t first to catch syntax errors, then restart sshd under SRC (existing sessions survive the restart):

# In /etc/ssh/sshd_config on AIX server
#   yes             - every -R listener binds to all interfaces
#   clientspecified - the client chooses with -R bind_address:port:host:hostport
GatewayPorts yes

# Restart SSH
stopsrc -s sshd && startsrc -s sshd

Dynamic Port Forwarding (-D) - SOCKS Proxy

Dynamic forwarding creates a SOCKS proxy that routes traffic through the SSH server.

Syntax:

ssh -D [local_addr:]local_port user@ssh_server

Example 1: Browse Internet Through AIX Server

# Create SOCKS5 proxy on local port 1080
ssh -D 1080 admin@aix-server

# Configure browser to use SOCKS5 proxy: localhost:1080
# TCP connections the browser makes now leave from aix-server. DNS is separate:
# enable "Proxy DNS when using SOCKS v5" (or your browser's equivalent),
# otherwise name lookups still go out from your workstation directly

Example 2: Access Internal Network Resources

# Create SOCKS proxy through jump host
ssh -D 9050 admin@aix-jumphost

# Configure applications to use SOCKS5 proxy
# Now you can access any internal resource as if from aix-jumphost

Using SOCKS Proxy with curl

# Route curl through SOCKS proxy. Hostnames are resolved on YOUR machine,
# so internal-only names fail to resolve and the lookup goes to your local DNS
curl --socks5 localhost:1080 http://internal-server/api

# Resolve the hostname on the SSH server side instead (socks5h); this is what
# you want for names that only the jump host can resolve
curl --socks5-hostname localhost:1080 http://internal-server/api

Using SOCKS Proxy with Other Tools

# Use proxychains (if available) to push a program that knows nothing about
# proxies through the SOCKS tunnel
proxychains curl http://internal-server/

# Or set the environment variable: curl and some libraries honour it, many
# programs ignore it. The "h" in socks5h makes curl resolve names through the
# proxy, like --socks5-hostname
export ALL_PROXY=socks5h://localhost:1080

Background and Persistent Tunnels

Run Tunnel in Background

# -f: Background after authentication
# -N: No remote command (just forwarding)
ssh -f -N -L 5432:localhost:5432 admin@aix-server

# Verify it's running
ps -ef | grep ssh

Keep Tunnel Alive

# -o ServerAliveInterval: Send keepalive every 60 seconds
# -o ServerAliveCountMax: Disconnect after 3 failed keepalives
ssh -o ServerAliveInterval=60 -o ServerAliveCountMax=3 \
    -L 5432:localhost:5432 admin@aix-server

Auto-Reconnecting Tunnel with autossh

If autossh is available:

# Install autossh (may need to compile on AIX)
# -M 0: disable autossh's own monitoring port and rely on SSH keepalives
#       instead, so the ServerAlive options are mandatory here, and
#       ExitOnForwardFailure makes ssh exit (and autossh retry) when the
#       local port cannot be bound
autossh -M 0 -f -N \
    -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
    -o ExitOnForwardFailure=yes \
    -L 5432:localhost:5432 admin@aix-server

Tunnel as a Service (AIX)

Create /etc/rc.d/rc2.d/S90tunnel:

#!/bin/ksh
# SSH Tunnel Service (client side: this AIX host opens the tunnel).
# The tunnel user on THIS host needs a real login shell, because
# "su - user -c" runs the command through it; the /bin/false account
# described under Security Considerations belongs on the SSH server.

TUNNEL_USER="tunneluser"
TUNNEL_KEY="/home/tunneluser/.ssh/tunnel_key"
REMOTE_HOST="aix-server"
LOCAL_PORT="5432"
REMOTE_PORT="5432"
FORWARD="${LOCAL_PORT}:localhost:${REMOTE_PORT}"

# PID of the tunnel, if one is up. Matching on the exact forward spec plus
# user@host means unrelated ssh sessions are never killed by "stop".
tunnel_pid() {
    ps -eo pid,args | awk -v fwd="-L ${FORWARD} ${TUNNEL_USER}@${REMOTE_HOST}" \
        '$2 ~ /(^|\/)ssh$/ && index($0, fwd) > 0 { print $1 }'
}

case "$1" in
    start)
        if [ -n "$(tunnel_pid)" ]; then
            echo "SSH tunnel already running (pid $(tunnel_pid))"
            exit 0
        fi
        echo "Starting SSH tunnel..."
        # BatchMode: never prompt (there is no tty at boot; unknown host keys
        # are refused rather than accepted). ExitOnForwardFailure: exit if the
        # local port cannot be bound instead of sitting there uselessly.
        su - $TUNNEL_USER -c "ssh -f -N \
            -o BatchMode=yes \
            -o ExitOnForwardFailure=yes \
            -o ServerAliveInterval=60 -o ServerAliveCountMax=3 \
            -i $TUNNEL_KEY \
            -L ${FORWARD} \
            ${TUNNEL_USER}@${REMOTE_HOST}"
        ;;
    stop)
        echo "Stopping SSH tunnel..."
        pid=$(tunnel_pid)
        [ -n "$pid" ] && kill $pid
        ;;
    status)
        pid=$(tunnel_pid)
        if [ -n "$pid" ]; then
            echo "Tunnel is running (pid $pid)"
        else
            echo "Tunnel is not running"
            exit 1
        fi
        ;;
    *)
        echo "Usage: $0 {start|stop|status}"
        exit 1
        ;;
esac

Set permissions:

chmod 755 /etc/rc.d/rc2.d/S90tunnel

SSH Config File for Tunnels

Simplify tunnel commands with ~/.ssh/config:

# Database tunnel
Host db-tunnel
    HostName aix-db-server
    User admin
    IdentityFile ~/.ssh/db_key
    LocalForward 5432 localhost:5432
    ServerAliveInterval 60
    ServerAliveCountMax 3

# Jump host with SOCKS proxy
Host jump-proxy
    HostName aix-jumphost
    User admin
    DynamicForward 1080
    ServerAliveInterval 60

# Web tunnel through jump host
Host web-tunnel
    HostName internal-web-server
    User admin
    ProxyJump aix-jumphost
    LocalForward 8080 localhost:80

# Multiple forwards
Host multi-tunnel
    HostName aix-server
    User admin
    LocalForward 5432 db-server:5432
    LocalForward 6379 redis-server:6379
    LocalForward 8080 web-server:80

Usage:

# Simply run
ssh -f -N db-tunnel
ssh -f -N jump-proxy
ssh web-tunnel

ProxyJump for Multi-Hop Connections

Access servers through multiple jump hosts:

# Direct command
ssh -J jumphost1,jumphost2 final-destination

# In SSH config
Host final-server
    HostName 10.10.1.50
    User admin
    ProxyJump aix-jumphost1,aix-jumphost2

Practical Use Cases

Case 1: Secure Database Administration

# Scenario: DB2 database on AIX, no direct network access
# Solution: Tunnel through SSH

# Create tunnel
ssh -f -N -L 50000:localhost:50000 dbadmin@aix-db-server

# Connect with DB2 client
db2 catalog tcpip node AIXTUN remote localhost server 50000
db2 catalog database PRODDB as PRODDB at node AIXTUN
db2 connect to PRODDB user dbadmin

Case 2: Access IBM WebSphere Console

# WebSphere admin console on internal AIX server
ssh -L 9043:localhost:9043 -L 9060:localhost:9060 admin@was-server

# Access in browser:
# https://localhost:9043/ibm/console
# http://localhost:9060/ibm/console

Case 3: Secure VNC Connection

# VNC server running on AIX (port 5901)
ssh -L 5901:localhost:5901 admin@aix-server

# Connect VNC viewer to localhost:5901
vncviewer localhost:5901

Case 4: Access AIX NIM Server

# NIM web interface on port 4901
ssh -L 4901:localhost:4901 admin@nim-server

# Access: https://localhost:4901

Case 5: SMTP Relay Through Tunnel

# Access internal SMTP server
ssh -L 2525:mail-server:25 admin@aix-jumphost

# Configure mail client to use localhost:2525 as SMTP

Troubleshooting SSH Tunnels

Tunnel Not Working

# Check if port is listening locally
netstat -an | grep LISTEN | grep 5432

# Check SSH process is running
ps -ef | grep "ssh.*-L"

# Test with verbose mode
ssh -v -L 5432:localhost:5432 admin@aix-server

"Address already in use"

# Find what's using the port
netstat -an | grep 5432
lsof -i :5432  # If lsof is available

# Use different local port
ssh -L 15432:localhost:5432 admin@aix-server

"Permission denied" for Ports Below 1024

Binding a local listener below 1024 on your own machine needs root (AIX, like other Unixes, reserves these ports):

# Use a higher local port
ssh -L 8080:localhost:80 admin@aix-server

# Or run SSH as root (not recommended: the tunnel then runs with root's keys,
# known_hosts and ssh_config, and the listening socket belongs to a root process)
sudo ssh -L 80:localhost:80 admin@aix-server

Connection Refused Through Tunnel

# Verify service is running on remote
ssh admin@aix-server "netstat -an | grep 5432"

# Check if service binds to localhost only vs all interfaces
ssh admin@aix-server "netstat -an | grep LISTEN | grep 5432"
# AIX netstat writes the port after a dot:
#   127.0.0.1.5432  = localhost only (reachable via -L port:localhost:5432)
#   *.5432          = all interfaces
#   10.10.1.50.5432 = one specific IP; use that IP as remote_host, not localhost
# (Linux prints the same as 127.0.0.1:5432 and 0.0.0.0:5432)
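Reading those netstat lines by eye is error-prone once you have several listeners, and the same question comes up on the local side in the Bind to All Interfaces section (did my tunnel listener end up on 0.0.0.0?). The helper below is an added example, not part of the original guide: it classifies how a port is bound from "netstat -an" output in either the AIX dot format or the Linux colon format, and turns the result into the remote_host you should use in -L. The sample netstat output is constructed, not captured from a real system.

```shell
#!/bin/bash
# Added example (not from the original guide): classify how a TCP service is
# bound from "netstat -an" output, so you can tell in advance whether a tunnel
# target of "localhost:PORT" is reachable from the SSH server (remote side),
# or whether your own tunnel listener ended up on 0.0.0.0 (local side).
#
# Understands the AIX format (127.0.0.1.5432, *.5432) and the Linux format
# (127.0.0.1:5432, 0.0.0.0:5432, :::5432). Usage:
#   ssh admin@aix-server "netstat -an" | listener_scope 5432
#   netstat -an | listener_scope 8080        # on your own workstation
# Prints one of: loopback, all, specific, none.

listener_scope() {
    awk -v port="$1" '
        $NF != "LISTEN" { next }          # only listening sockets
        {
            addr = $4                      # local address column (AIX and Linux)
            n = split(addr, parts, /[.:]/) # the port is the last component
            if (parts[n] != port) next
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            if (host == "*" || host == "0.0.0.0" || host == "::") all = 1
            else if (host == "127.0.0.1" || host == "::1") loop = 1
            else spec = 1
        }
        END {
            if (all) print "all"; else if (loop) print "loopback"
            else if (spec) print "specific"; else print "none"
        }'
}

# Translate the scope into what to put as remote_host in "-L local_port:remote_host:port".
tunnel_target_hint() {
    case "$1" in
        loopback) echo "loopback-only service: use -L PORT:localhost:PORT through that same host" ;;
        all)      echo "listens on all interfaces: localhost or the host's IP both work" ;;
        specific) echo "bound to one IP: use that IP as remote_host, not localhost" ;;
        none)     echo "nothing listens on that port: start the service or check the port number" ;;
    esac
}

# Constructed AIX "netstat -an" sample (not captured from a real system).
SAMPLE_AIX_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  127.0.0.1.5432         *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  10.10.1.50.8080        *.*                    LISTEN
tcp4       0      0  10.10.1.50.22          192.168.1.10.51000     ESTABLISHED'

for p in 5432 22 8080 3306; do
    scope=$(printf '%s\n' "$SAMPLE_AIX_NETSTAT" | listener_scope "$p")
    echo "port $p: $scope - $(tunnel_target_hint "$scope")"
done
```

On the sample this reports 5432 as loopback (tunnel through localhost works), 22 as all, 8080 as specific (a -L target of localhost:8080 on that host would be refused; use 10.10.1.50:8080), and 3306 as none.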

Tunnel Drops After Inactivity

# Add keepalive settings
ssh -o ServerAliveInterval=60 -o ServerAliveCountMax=3 \
    -L 5432:localhost:5432 admin@aix-server

# Or in ~/.ssh/config
Host *
    ServerAliveInterval 60
    ServerAliveCountMax 3

Security Considerations

Restrict Port Forwarding on Server

In /etc/ssh/sshd_config. Global settings come first and Match blocks go at the end of the file; a matching Match block overrides the global value for that user. If a keyword appears twice in the global section only the first is used, so pick ONE of the AllowTcpForwarding lines below:

# Disable all forwarding (-L, -R and -D)
AllowTcpForwarding no

# ... or allow local forwarding only (-L and -D; -D is a local forward), no -R
AllowTcpForwarding local

# Remote forwards (-R) may only bind to the loopback interface (the default)
GatewayPorts no

# Restrict to specific users. PermitOpen limits where -L and -D forwards may
# connect; on OpenSSH 7.8 and later PermitListen does the same for -R bind ports
Match User tunneluser
    AllowTcpForwarding yes
    PermitOpen localhost:5432 db-server:5432

Match User regularuser
    AllowTcpForwarding no

Verify what a given user actually gets with sshd -T -C user=tunneluser,host=<client-name>,addr=<client-ip>, which prints the effective configuration after Match processing.

Use Dedicated Tunnel User

# Create restricted user on AIX. Do NOT pass -a here: on mkuser it marks the
# account as an administrative user, the opposite of what a tunnel account needs
mkuser shell=/bin/false gecos="Tunnel Only User" tunneluser

# Block local console login. This does NOT disable password authentication over
# SSH; to force key-only, also set "PasswordAuthentication no" for this user in
# a sshd_config Match block
chuser login=false tunneluser

# Set up key (sshd's StrictModes requires the home dir and .ssh not be group- or world-writable)
mkdir -p /home/tunneluser/.ssh
echo "ssh-rsa AAAA..." > /home/tunneluser/.ssh/authorized_keys
chmod 700 /home/tunneluser/.ssh
chmod 600 /home/tunneluser/.ssh/authorized_keys
chown -R tunneluser:staff /home/tunneluser/.ssh

Limit Commands with authorized_keys

In /home/tunneluser/.ssh/authorized_keys:

# Restrict key to forwarding only: no shell, no tty, no agent/X11 forwarding,
# no ~/.ssh/rc, and a single permitted destination. The client must connect
# with -N; if it asks for a session, /bin/false runs and the session closes.
no-agent-forwarding,no-X11-forwarding,no-pty,no-user-rc,permitopen="localhost:5432",command="/bin/false" ssh-rsa AAAA...

# Equivalent on OpenSSH 7.2 and newer: "restrict" switches everything off,
# then port-forwarding re-enables just TCP forwarding
restrict,port-forwarding,permitopen="localhost:5432" ssh-rsa AAAA...
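A restricted key is only as good as the weakest line in the file: one unrestricted key added later gives the tunnel account a shell. The script below is an added example, not part of the original guide: it audits an authorized_keys file and reports every key that lacks the forwarding-only options described above (accepting either the classic no-pty/no-agent-forwarding/no-X11-forwarding/command= set or restrict plus port-forwarding, and requiring permitopen= in both cases). The key lines it runs against are constructed placeholders, not real keys.

```shell
#!/bin/bash
# Added example, not part of the original guide: audit an authorized_keys file
# and report every key that is not pinned to "forwarding only".
#
# A key passes if it is either marked "restrict" (OpenSSH 7.2+) with
# port-forwarding re-enabled, or carries the classic trio no-pty,
# no-agent-forwarding, no-X11-forwarding plus a command= override; in both
# cases at least one permitopen= must be present so forwards cannot reach
# arbitrary hosts. Usage: audit_authorized_keys /home/tunneluser/.ssh/authorized_keys

# True if option $2 is present in the lower-cased option string $1.
# Valued options are passed with their trailing "=" (e.g. permitopen=).
opt_present() {
    case "$2" in
        *=) case ",$1," in *",$2"*)  return 0 ;; esac ;;
        *)  case ",$1," in *",$2,"*) return 0 ;; esac ;;
    esac
    return 1
}

# Echo the restrictions missing from one authorized_keys line, space
# separated; empty output (and exit status 0) means the key is acceptable.
key_missing_restrictions() {
    local line="$1" opts missing="" o
    # The options field is everything before the key-type token; a line that
    # starts with the key type has no options at all. Options are
    # case-insensitive, so compare in lower case.
    opts=$(printf '%s\n' "$line" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-|sk-)/) break
        o = ""
        for (j = 1; j < i; j++) o = o (j > 1 ? " " : "") $j
        print o
    }' | tr 'A-Z' 'a-z')
    if opt_present "$opts" restrict; then
        opt_present "$opts" port-forwarding || missing="$missing port-forwarding"
    else
        for o in no-pty no-agent-forwarding no-x11-forwarding; do
            opt_present "$opts" "$o" || missing="$missing $o"
        done
        opt_present "$opts" command= || missing="$missing command="
    fi
    opt_present "$opts" permitopen= || missing="$missing permitopen="
    missing=${missing# }
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Walk a whole file: one verdict per key, non-zero exit if any key is weak.
audit_authorized_keys() {
    local file="$1" weak=0 line missing
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac   # blank lines and comments
        if missing=$(key_missing_restrictions "$line"); then
            echo "OK    ${line##* }"
        else
            echo "WEAK  ${line##* }: missing $missing"
            weak=$((weak + 1))
        fi
    done < "$file"
    [ "$weak" -eq 0 ]
}

# Constructed sample (the key blobs are placeholders, not real keys).
SAMPLE_KEYS='# tunnel user keys
no-agent-forwarding,no-X11-forwarding,no-pty,permitopen="localhost:5432",command="/bin/false" ssh-rsa AAAAB3NzaC1yc2EFAKEKEYFAKEKEY tunnel@client1
restrict,port-forwarding,permitopen="localhost:5432",permitopen="db-server:5432" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5FAKEKEY tunnel@client2
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5FAKEKEY admin@laptop
no-pty,command="/bin/false" ssh-rsa AAAAB3NzaC1yc2EFAKEKEYFAKEKEY partial@host'

SAMPLE_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_KEYS" > "$SAMPLE_FILE"
audit_authorized_keys "$SAMPLE_FILE" || echo "one or more keys need tightening"
rm -f "$SAMPLE_FILE"
```

On the sample, the first two keys pass, admin@laptop is flagged as missing every restriction, and partial@host is flagged for lacking no-agent-forwarding, no-X11-forwarding and permitopen=. Run it against the tunnel user's file from cron or a configuration check, and treat any WEAK line as a finding.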

Summary

SSH tunneling on AIX provides secure access to services:

  • Local forwarding (-L): Access remote services locally
  • Remote forwarding (-R): Expose local services remotely
  • Dynamic forwarding (-D): Create SOCKS proxy

Key options:

  • -f -N: background, no remote command
  • -o ServerAliveInterval=60: keep the tunnel alive
  • ~/.ssh/config: simplify complex tunnel commands

Always consider security implications and restrict forwarding where possible.