How do I remove an SSH forwarded port

59

31

I used ssh -L 10002:192.168.0.30:10002 192.168.1.135 to establish port forwarding but now I need to remove it.

How do I do this?

user16654

Posted 2009-12-23T18:35:51.767

Reputation: 823

We often realize the port is still being forwarded when we fire up a new ssh session running the same command again and get a "Warning: remote port forwarding failed for listen port" message. – GabLeRoux – 2016-01-08T22:38:12.570

Answers

60

If you are using Linux you can kill the process by:

ps aux | grep ssh

and then use

kill <id>

to kill the process.

If the kill command is not successful you can try

kill -9 <id>

zpon

Posted 2009-12-23T18:35:51.767

Reputation: 832

2 I usually do a one-liner: pgrep ssh | xargs kill. Don't use -9 for nothing indeed – GabLeRoux – 2016-01-08T22:35:09.663

2 @GabLeRoux That assumes you only have a single ssh command, or that all the ssh commands you are running are fine to kill. This is hardly a good general assumption. – tripleee – 2016-04-14T09:11:44.173

I agree, knowing exactly what you're doing is way better :) When you use port forwarding at the same time, a good way to find out which pid it is is to run netstat -peanut, last column will be PID/Program name, grep the port you are looking for and you'll be way closer to the solution – GabLeRoux – 2016-04-14T12:44:16.327

@tripleee, but in what case will a regular user who made a port tunnel have more ssh processes that might not be safe to kill? – Avamander – 2016-10-23T09:08:02.483

2 @Avamander I connect to multiple ssh instances on multiple remote servers all the time, some of them without my direct active involvement. For example, Emacs Tramp mode opens an ssh connection behind the scenes when I visit a remote buffer. Some people use userspace filesystems which do something similar. It's not at all uncommon. In fact, I would assume single user, single ssh instance to be a minority fringe use case. If it works for you, good for you, but it's not good general advice. – tripleee – 2016-10-23T09:16:12.770

31 No. No. No. Please, please, please do not use kill -9 until after you've tried just kill. Many processes will have signal handlers which will clean up their use of resources, cleanly close connections and other pre-shutdown tasks. If you kill with -9, the process dies immediately without doing the cleanup. Killing without -9 will work most of the time. – Doug Harris – 2009-12-23T18:44:59.293

18 kill -9 without reason is like using a shotgun to kill a mosquito. :) – Darren Hall – 2009-12-23T21:24:22.763
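An added example, not part of the answer or comments above, of the narrower approach the comments argue for: find only the ssh client that owns the forwarded port, send it a plain kill, and fall back to -9 only if it is still running. It assumes Linux with ss from iproute2; the function names and the sample listing are made up for this illustration.

```shell
#!/bin/sh
# Constructed sample of `ss -H -ltnp` output (not captured from a real host).
SAMPLE_SS='LISTEN 0 128 127.0.0.1:10002 0.0.0.0:* users:(("ssh",pid=4242,fd=5))
LISTEN 0 128 [::1]:10002 [::]:* users:(("ssh",pid=4242,fd=4))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=811,fd=3))
LISTEN 0 128 127.0.0.1:8080 0.0.0.0:* users:(("ssh",pid=5150,fd=6))'

# Print the PIDs of ssh clients listening on local port $1.
# Reads `ss -H -ltnp` lines on stdin.
ssh_pids_for_port() {
    awk -v port="$1" '
        {
            n = split($4, a, ":")                  # port follows the last colon
            if (a[n] != port) next                 # exact match, so 1000 != 10002
            if ($6 !~ /^users:\(\("ssh",/) next    # ssh client only, never sshd
            if (match($6, /pid=[0-9]+/))
                print substr($6, RSTART + 4, RLENGTH - 4)
        }' | sort -un
}

# Send SIGTERM to PID $1 and use SIGKILL only if it is still alive after
# $2 seconds (default 5).
term_then_kill() {
    kill "$1" 2>/dev/null || return 0              # already gone, or not ours
    i=0
    while kill -0 "$1" 2>/dev/null; do
        [ "$i" -ge "${2:-5}" ] && { kill -9 "$1"; return 0; }
        sleep 1
        i=$((i + 1))
    done
}

# Hypothetical wrapper: stop only the ssh process forwarding port $1.
stop_forward() {
    for pid in $(ss -H -ltnp 2>/dev/null | ssh_pids_for_port "$1"); do
        term_then_kill "$pid"
    done
}
```

Calling stop_forward 10002 leaves sshd and any ssh sessions bound to other ports untouched. Without root, ss -p only reports process details for your own processes, which is enough for a tunnel you started yourself.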

24

When using ssh multiplexing, killing the ssh process is often undesirable (it kills all open connections with that host), and you cannot easily access the escape because "escape not available to multiplexed sessions". The right way is then to run the analogue of the forwarding command that you want to cancel, but adding -O cancel. For instance:

ssh -O cancel -L 10002:192.168.0.30:10002 192.168.1.135

This will disable this port forwarding without terminating the session. Again, this will only work if ssh multiplexing is in use for the connection to 192.168.1.135.

a3nm

Posted 2009-12-23T18:35:51.767

Reputation: 621

I'm so glad this exists and I found it, many thanks! – galva – 2017-09-15T11:39:20.710

2 This is the best solution. To kill the master just run ssh -O exit 192.168.1.135. – Tomilov Anatoliy – 2017-09-28T09:27:34.103

If you are not multiplexing sessions, see exhuma's excellent answer! (Thanks a3nm for catching my typo.) – Alan De Smet – 2018-07-17T20:25:16.050

awesome! this should be the picked answer! – Truong Nguyen – 2018-07-30T18:15:01.470

14

How to cancel a forwarded port in an already running SSH session:

  1. Press ~+C (tilde + capital C)
  2. Type -KL port
  3. Press Enter

You should see this:

ssh> -KL 10002
Canceled forwarding.

cambunctious

Posted 2009-12-23T18:35:51.767

Reputation: 529

12

You could use the "escape-key" (usually ~) followed by C to get a cli to your connection. You can from there remove tunnels without taking down your connection.

Jimmy Hedman

Posted 2009-12-23T18:35:51.767

Reputation: 886

1 I'd like to know the specifics of this. I know you can add tunnels after you've SSH'd in, but have yet to find out how to take one down. – carestad – 2014-11-24T22:40:59.343

9 When you are in CLI mode you could do help. -KL is the opposite of -L, -KR is the opposite of -R and -KD is the opposite of -D. Doing "escape-key" (~) followed by # shows your tunnels. – Jimmy Hedman – 2014-11-28T11:02:43.373

1 @JimmyHedman you might want to edit your answer in addition to adding a comment. It makes everything more readable. And sometimes comments are hidden (in case there are too many). – exhuma – 2016-02-19T15:51:05.483

7

You can enter an interactive console by typing ~C (capital "C"). This lets you dynamically add and remove port forwardings (among a few other things).

This sequence has to come right after a carriage return/newline. So if in doubt, just type Enter~C (in sequence).

If you don't see the characters appear on the console, you're doing it right :)

You should now see an ssh> prompt.

To remove the port, simply enter -KL 10002 followed by Enter (where 10002 is your forwarded port).

The inverse - adding a new forward - can be done like this (from start to finish):

Enter~C

ssh> -L 10002:192.168.0.30:10002

Enter

exhuma

Posted 2009-12-23T18:35:51.767

Reputation: 847

This is the right answer if you're not multiplexing connections. If you are, you'll be bounced with ~C escape not available to multiplexed sessions. If that's the case, see a3nm's excellent answer. – Alan De Smet – 2018-07-16T21:20:48.500