diff --git a/Dockerfile b/Dockerfile
index e95c4e0..adde9ca 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -15,6 +15,7 @@ RUN \
     logrotate \
     nano \
     netcat-openbsd \
+    socat \
     sudo && \
   echo "**** install openssh-server ****" && \
   if [ -z ${OPENSSH_RELEASE+x} ]; then \
diff --git a/README.md b/README.md
index 35e7072..7c69730 100644
--- a/README.md
+++ b/README.md
@@ -80,6 +80,19 @@ It is also possible to run multiple copies of this container with different port
 You can volume map your own text file to `/etc/motd` to override the message displayed upon connection.
 You can optionally set the docker argument `hostname`
 
+## Socat Forwarding
+
+This image includes `socat` which can be used to forward a local port to a remote address. This is disabled by default.
+To enable it, set `SOCAT_ENABLED=true` and configure the following variables:
+
+| Variable | Default | Description |
+| :--- | :--- | :--- |
+| `SOCAT_ENABLED` | `false` | Set to `true` to enable the service. |
+| `SOCAT_LISTEN_PORT` | `43388` | The port to listen on within the container. |
+| `SOCAT_TARGET_HOST` | `localhost` | The target host to forward traffic to. |
+| `SOCAT_TARGET_PORT` | `43389` | The target port on the target host. |
+| `SOCAT_LOG_LEVEL` | `-ddd` | Socat log level (e.g., `-d`, `-dd`, `-ddd`). |
+
 ## Key Generation
 
 This container has a helper script to generate an ssh private/public key. In order to generate a key please run:
@@ -120,6 +133,11 @@ services:
       - USER_PASSWORD_FILE=/path/to/file #optional
       - USER_NAME=linuxserver.io #optional
       - LOG_STDOUT= #optional
+      - SOCAT_ENABLED=false #optional
+      - SOCAT_LISTEN_PORT=43388 #optional
+      - SOCAT_TARGET_HOST=localhost #optional
+      - SOCAT_TARGET_PORT=43389 #optional
+      - SOCAT_LOG_LEVEL=-ddd #optional
     volumes:
       - /path/to/openssh-server/config:/config
     ports:
@@ -146,6 +164,11 @@ docker run -d \
   -e USER_PASSWORD_FILE=/path/to/file `#optional` \
   -e USER_NAME=linuxserver.io `#optional` \
   -e LOG_STDOUT= `#optional` \
+  -e SOCAT_ENABLED=false `#optional` \
+  -e SOCAT_LISTEN_PORT=43388 `#optional` \
+  -e SOCAT_TARGET_HOST=localhost `#optional` \
+  -e SOCAT_TARGET_PORT=43389 `#optional` \
+  -e SOCAT_LOG_LEVEL=-ddd `#optional` \
   -p 2222:2222 \
   -v /path/to/openssh-server/config:/config \
   --restart unless-stopped \
@@ -173,6 +196,11 @@ Containers are configured using parameters passed at runtime (such as those abov
 | `-e USER_PASSWORD_FILE=/path/to/file` | Optionally specify a file that contains the password. This setting supersedes the `USER_PASSWORD` option (works with docker secrets). |
 | `-e USER_NAME=linuxserver.io` | Optionally specify a user name (Default:`linuxserver.io`) |
 | `-e LOG_STDOUT=` | Set to `true` to log to stdout instead of file. |
+| `-e SOCAT_ENABLED=false` | Set to `true` to enable socat forwarding. |
+| `-e SOCAT_LISTEN_PORT=43388` | Port socat listens on inside the container. |
+| `-e SOCAT_TARGET_HOST=localhost` | Target host for socat forwarding. |
+| `-e SOCAT_TARGET_PORT=43389` | Target port for socat forwarding. |
+| `-e SOCAT_LOG_LEVEL=-ddd` | Socat log level. |
 | `-v /config` | Contains all relevant configuration files. |
 
 ## Environment variables from files (Docker secrets)
diff --git a/root/etc/s6-overlay/s6-rc.d/svc-socat/run b/root/etc/s6-overlay/s6-rc.d/svc-socat/run
new file mode 100755
index 0000000..579c024
--- /dev/null
+++ b/root/etc/s6-overlay/s6-rc.d/svc-socat/run
@@ -0,0 +1,18 @@
+#!/usr/bin/with-contenv bash
+# shellcheck shell=bash
+
+SOCAT_ENABLED=${SOCAT_ENABLED:-false}
+SOCAT_LISTEN_PORT=${SOCAT_LISTEN_PORT:-43388}
+SOCAT_TARGET_HOST=${SOCAT_TARGET_HOST:-localhost}
+SOCAT_TARGET_PORT=${SOCAT_TARGET_PORT:-43389}
+SOCAT_Log_Level=${SOCAT_LOG_LEVEL:--ddd}
+
+if [[ "${SOCAT_ENABLED}" != "true" ]]; then
+    echo "Socat service disabled. Set SOCAT_ENABLED=true to enable."
+    exec sleep infinity
+fi
+
+echo "Starting socat forwarding: LISTEN:${SOCAT_LISTEN_PORT} -> ${SOCAT_TARGET_HOST}:${SOCAT_TARGET_PORT}"
+exec /usr/bin/socat ${SOCAT_Log_Level} \
+    TCP-LISTEN:${SOCAT_LISTEN_PORT},fork,reuseaddr \
+    TCP4:${SOCAT_TARGET_HOST}:${SOCAT_TARGET_PORT}
diff --git a/root/etc/s6-overlay/s6-rc.d/svc-socat/type b/root/etc/s6-overlay/s6-rc.d/svc-socat/type
new file mode 100644
index 0000000..5883cff
--- /dev/null
+++ b/root/etc/s6-overlay/s6-rc.d/svc-socat/type
@@ -0,0 +1 @@
+longrun
diff --git a/root/etc/s6-overlay/s6-rc.d/user/contents.d/svc-socat b/root/etc/s6-overlay/s6-rc.d/user/contents.d/svc-socat
new file mode 100644
index 0000000..e69de29