> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-10/ssh/port-forwarding/trick-0358.md).

# SSH Tunnel Local NFS Port

***

Using SSH local port forwarding (`-L`) allows accessing a service bound only to `127.0.0.1` on the target machine, effectively bypassing localhost restrictions.

Local port forwarding, also known as SSH tunneling, allows you to forward traffic from your local machine's port to a port on a remote server. The syntax for local port forwarding is:

```bash
ssh -L [LOCAL_IP:]LOCAL_PORT:REMOTE_HOST:REMOTE_PORT [USER@]SSH_SERVER
```

Here, `LOCAL_IP` is the IP address on the local machine where the port will be bound (defaults to `localhost` if omitted and `GatewayPorts` is not enabled). `LOCAL_PORT` is the port number on the local machine. `REMOTE_HOST` is the host address that the SSH server will connect to, and `REMOTE_PORT` is the port on the `REMOTE_HOST`. `SSH_SERVER` is the remote SSH server or its IP address, and `USER` is the username on the remote SSH server.

In the specific case of accessing a service bound to the target's loopback interface, `REMOTE_HOST` is `127.0.0.1`. For instance, to map local port `1111` on the attacker to `127.0.0.1:2049` on the target:

```bash
ssh -L 1111:127.0.0.1:2049 paradox@10.10.139.53 -i id-ed25519
```

Once the SSH connection is established, you can connect to `127.0.0.1:1111` on your *attacker machine*, and the traffic will be forwarded through the SSH tunnel to the target's `127.0.0.1:2049`, effectively accessing the local-only service (like NFS in this example) as if it were running on your machine.

When tunneling services like NFS, which utilize multiple ports (e.g., portmapper on 111, mountd on 20048, nfsd on 2049), a single tunnel might not be sufficient for full functionality. You might need to set up multiple `-L` tunnels for each required port. For example, to tunnel portmapper (111), mountd (20048), and nfsd (2049):

```bash
ssh -L 111:127.0.0.1:111 -L 20048:127.0.0.1:20048 -L 2049:127.0.0.1:2049 user@remote_host
```

To keep the tunnel open without executing a remote command, the `-N` option can be used:

```bash
ssh -N -L 111:127.0.0.1:111 -L 20048:127.0.0.1:20048 -L 2049:127.0.0.1:2049 user@remote_host
```

After establishing the tunnel(s), you can then interact with the service on your local machine via `127.0.0.1` and the forwarded port. For the NFS example, you could mount the share on your local machine:

```bash
sudo mount -t nfs 127.0.0.1:remote_share /mnt/nfs
```
