Ssh – port forward to an established reverse ssh tunnel

port-forwardingssh

I have three computers, A, B and C. A has initiated a reverse ssh tunnel to B.

ssh  -nTNx -p 443 -R 22222:localhost:22 [user]@[server]

If I log in to B, I can use 'ssh -p 22222 localhost' and I get a login prompt for A.
If I try 'ssh -p 22222 [public IP of B]', it doesn't work

What I would like to be able to do is have C connect to A without needing to login to B. So from C I could 'ssh -p 22222 [public IP of B]' and I would get the login prompt for A.

I am using debian and shorewall and I have a basic understanding of how things work. I have tried various combinations of REDIRECT and DNAT rules, but haven't had any luck. I have tried using the same port (22222) and a different port (forwarding 22223 from C to 22222 on localhost).

Any ideas?

Best Answer

See the "Remote port forwarding for anyone at work !" section of this webpage. The article suggests that you should add the

GatewayPorts yes

option to your sshd_config on your HostB. That should cause the remote port forwarding on your HostB to listen on all of its network interfaces.

Related Solutions

Ssh – Why does logging out of an SSH session hang when using port-forwarding

As you expected, this happens because SSH won't exit if there are outstanding connections going through the tunnel.

If you exit your browser (and all other programs that are going through the port 9000 tunnel) then SSH should exit.

The ssh man page says:

 The session terminates when the command or shell on the remote machine exits and all X11 and TCP connections have been closed.

And I don't see any options to change that behavior, so I suspect there's nothing you can do.

Ssh – reverse ssh tunnel from server to laptop

ssh is configured for security reasons to make the new tunnels to listen on localhost. You have to use:

ssh -R :4445:localhost:80 sam@example.com

From the man page of openssh:

 -R [bind_address:]port:host:hostport
Specifies that the given port on the remote (server) host is to be forwarded to the given host and port on the local side. This works by allocating a socket to listen to port on the remote side, and whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the local machine.

Port forwardings can also be specified in the configuration file. Privileged ports can be forwarded only when logging in as root on the remote machine. IPv6 addresses can be specified by enclosing the address in square braces or using an alternative syntax: [bind_address/]host/port/hostport.

By default, the listening socket on the server will be bound to the loopback interface only. This may be overridden by specifying a bind_address. An empty bind_address, or the address ‘*’, indicates that the remote socket should listen on all interfaces. Specifying a remote bind_address will only succeed if the server’s GatewayPorts option is enabled (see sshd_config(5)).

Best Answer

Related Solutions

Ssh – Why does logging out of an SSH session hang when using port-forwarding

Ssh – reverse ssh tunnel from server to laptop

Related Topic