Simple way to create a tunnel from one local port to another?

I have a development server, which is only accessible from, not 192.168.1.x:8000. As a quick hack, is there a way to set up something to listen on another port (say, 8001) so that from the local network I could connect 192.168.1.x:8001 and it would tunnel the traffic between the client and

Asked By: waitinforatrain


Using ssh is the easiest solution.

ssh -g -L 8001:localhost:8000 -f -N

This forwards the local port 8001 on your workstation to the localhost address on port 8000.
-g means allow other clients on my network to connect to port 8001 on my workstation. Otherwise only local clients on your workstation can connect to the forwarded port.
-N means all I am doing is forwarding ports, don’t start a shell.
-f means fork into background after a successful SSH connection and log-in.
Port 8001 will stay open for many connections, until ssh dies or is killed. If you happen to be on Windows, the excellent SSH client PuTTY can do this as well. Use 8001 as the local port and localhost:8000 and the destination and add a local port forwarding in settings. You can add it after a successful connect with PuTTY.

Answered By: penguin359

OpenBSD netcat is available by default on Linux and also on OS X.


mkfifo a
mkfifo b
nc 8000 < b > a &
nc -l 8001 < a > b &


mkfifo backpipe
nc -l 12345 0<backpipe | nc 80 1>backpipe

An alternative that works on OS X bash is to use a bidirectional pipe. It may work on other Unixes:

nc 8000 <&1 | nc -l 8001 >&0
Answered By: Mark A.

Using the traditional nc is the easiest solution:

nc -l -p 8001 -c "nc 8000"

This version of nc is in the netcat-traditional package on Ubuntu. (You have to update-alternatives or call it nc.traditional.)

Note that in contrast to ssh this is not encrypted. Keep that in mind if you use it outside one host.

Answered By: not-a-user

With socat on the server:

socat tcp-listen:8001,reuseaddr,fork tcp:localhost:8000

By default, socat will listen on TCP port 8001 on any IPv4 or IPv6 address (if supported) on the machine. You can restrict it to IPv4/6 by replacing tcp-listen with tcp4-listen or tcp6-listen, or to a specific local address by adding a ,bind=that-address.

Same for the connecting socket you’re proxying to, you can use any address in place of localhost, and replace tcp with tcp4 or tcp6 if you want to restrict the address resolution to IPv4 or IPv6 addresses.

Note that for the server listening on port 8000, the connection will appear as coming from the proxy (in the case of localhost, that will be localhost), not the original client. You’d need to use DNAT approaches (but which requires superuser privileges) for the server to be able to tell who’s the client.

Answered By: Stéphane Chazelas
iptables -t nat -A PREROUTING -p tcp --dport <origin-port> -j REDIRECT --to-port <destination-port>

service iptables save
service iptables restart
Answered By: Santanu Dey

Quoting a David Spillett‘s answer on ServerFault, replacing the missing link with a working repo:

rinetd should do the job, and a Windows binary for it can be had from (for anyone looking for the same thing under Linux, rinetd is in the standard repositories of just about every distro so can be installed with "apt-get install rinetd" or "yum install rinetd" or similar)

It is a simple binary that takes a configuration file in the format

bindaddress bindport connectaddress connectport

For example: 8001 8000

or 8001 8000

if you want to bind the incoming port to all the interfaces.

Answered By: psychowood

This is a new way to tunnel two udp ports on server:

udpeer 8001 8002

To test:

nc -u 8001
nc -u 8002
Answered By: 9crk

Based on Mark A.‘s answer, I had to make a small tweak to get it to work for my Mac (at least on macOS Mojave Version 10.14.4)

mkfifo a
mkfifo b
nc 8000 < b > a &
nc -l 8001 < a > b &
printf "" > a

That printf statement seems to be crucial. Otherwise the netcat command to connect to port 8000 will never actually try to connect, and the netcat command to listen on port 8001 will never actually listen on port 8001. Without the printf, every time I would try to connect to port 8001 I would get connection refused.

My assumption is that netcat must somehow block on stdin (maybe it’s trying to read it for some reason) before actually doing any Socket operations. As such, without the printf statement writing to fifo a, the netcat command will never start listening on port 8001.

Note: I would have left an answer on Mark’s post, but I don’t have reputation yet.

Answered By: Daniel K