ssh – How to Set Up Remote Port Forwarding on SSH Server with Putty

port-forwardingputtyssh

I am trying to figure out SSH port forwarding and have not found success from looking at different questions and tutorials, it seems that everything I have seen is just a little different than my situation and I can't quite figure out how to apply it to mine.

I am running an application (A) from a Windows machine in an internal network (22.22.22.xx). This application must be hosted on this network. I also have a Linux SSH client/server (S) on a machine that has a network adapter card for the (22.22.22.xx) network as well as one for the (11.11.11.xx) network. I have an application client (C) running on Windows that has access to the SSH client but does not have access to the (22.22.22.xx) network therefore cannot access A directly. The set up is displayed below.

network setup diagram

I am trying to set up port forwarding from the SSH server so that the application client can reach the application server.

So far, I have been able to get local port forwarding working using PuTTY on the application client. I used this command (entered on PuTTY's UI):

ssh -L 8888:22.22.22.5:5555 user@11.11.11.4

From here I am able to go to localhost:8888 on 'C' and am tunneled through 'S' to reach the page being served on 'A'. However, in a perfect world, I would like to not have to open and run PuTTY on the client every time to access the page.

So, I am trying to find a way to set up remote port forwarding to forward a port, say 4444, on 'S' to 'A'. So that from 'C' I could simply go to 11.11.11.4:4444 and I am tunneled into 22.22.22.5:5555.

So far, I have tried running this on the command line in 'S':

ssh -R 4444:22.22.22.5:5555 user@localhost -o GatewayPorts=yes

When I ran this, it looked like I ssh-ed right back into the machine, I entered the credentials and tried going to 11.11.11.4:4444 from the client and I was not directed to the server. I also tried running this command (but from PuTTY) on 'A':

ssh -R 4444:localhost:5555 user@22.22.22.4 -o GatewayPorts=yes

From this I got a 'Remote port forwarding failed' message in the PuTTY event log.

I feel like I am very close to the solution and just have something confused in my commands or I am way off and don't understand what is going on at all.

Best Answer

You don't want a remote/reverse forwarding, although with the local version (your first example) there would be little difference, except it needs configuration on the server. The option GatewayPorts=yes is for the ssh server, not for the ssh client.

Try on the server S

ssh -g -L 4444:22.22.22.5:5555 user@localhost

Related Solutions

SSH – How to Recover from ‘Too Many Authentication Failures for User Root’

Are you sure that root login to ssh is allowed?

Check sshd_config and verify that root login is permitted. sshd will need to be restarted if the setting changes.

Ssh – Remote access to internal machine (ssh port-forwarding)

You need a NAT rule (to direct the traffic) and a regular firewall rule (to permit it).

The former will look something like

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 4444 -j DNAT --to-destination 192.168.122.50:22

The latter will look something like

iptables -A FORWARD -i eth0 -p tcp --dport 4444 -j ACCEPT

It's up to you to make sure those come at the right point in your existing PREROUTING and FORWARD chains, and in addition you may need a second firewall rule to permit the back-half of those connections out, if you don't already have a general ACCEPT for ESTABLISHED packets.

Edit: the order of your rules is extremely important. The right rule in the wrong place will do no good. Could you replace the grep output above with the result of iptables -L -n -v and iptables -t nat -L -n -v? And if you want port 4444 to be forwarded, don't run a local sshd also bound to that port.

Edit 2: and there's your problem. The ACCEPT you've added in the FORWARD chain is line 7, but line 4 has already explicitly denied all not-previously-permitted traffic from everywhere (*) to virbr0. You need to make arrangments for the line you've added to come before line 4, perhaps by adding the rule with

iptables -I FORWARD 4 -i eth0 -p tcp --dport 4444 -j ACCEPT

which will insert it at line 4, displacing the current line 4 to be line 5 (and so on).

Regarding the current sshd, I mean what I said: that you shouldn't have a daemon bound to port 4444 if you're trying to forward that port. I don't care what other ports it's bound to, only that 4444 is a bad idea.

Edit 3: the machine you're testing this from, this is completely outside the serv05 system, yes? And (after a very trying day putting Fedora 16 on several boxes) I fear you may be right, could you put a comparable ACCEPT rule for 4444 in the INPUT chain as well, being careful to get it before any REJECTs?

Best Answer

Related Solutions

SSH – How to Recover from ‘Too Many Authentication Failures for User Root’

Ssh – Remote access to internal machine (ssh port-forwarding)

Related Topic