An alternative would be to do something like:
ssh -L 3000:10.0.0.5:3000 -L 3001:10.0.0.5:3001 .... -L 4000:10.0.0.5:4000 12.0.0.10
This will set up a thousand and one separate ssh tunnels, one for each port. I have never tried setting up over a thousand simultaneous ssh tunnels, so I have no idea what the performance is going to be like, or if it's even going to work at all, or if you're going to have to set up multiple parallel ssh processes.
It's going to be a pretty long command line; I would suggest writing some kind of script to actually invoke the command.
All in all I would not recommend this; if at all possible, set up a VPN.
Is there any reason your users can't just connect to 12.0.0.10 directly? Or are the ports not exposed through the firewall? If not, can't you just open up the ports in the firewall from selected IP addresses, or do you have security considerations that don't let you do this?
I finally managed to accomplish this with ssh only:
- start a local SOCKS proxy on your client machine (using ssh -D) EDIT: not necessary with SSH>7.6
- connect to remote server and set up a reverse port forwarding (ssh -R) to your local SOCKS proxy
- configure the server software to use the forwarded proxy
1. Start local socks proxy in the background
EDIT: SSH>7.6 allows a simpler syntax to start the proxy. Skip this and continue with step 2!
Connect to localhost via SSH and open SOCKS proxy on port 54321.
$ ssh -f -N -D 54321 localhost
-f runs SSH in the background.
Note: If you close the terminal where you started the command, the proxy process will be killed. Also remember to clean up after yourself by either closing the terminal window when you are done or by killing the process yourself!
2. connect to remote server and set up reverse port forwarding
Bind remote port 6666 to local port 54321. This makes your local socks proxy available to the remote site on port 6666.
$ ssh root@target -R6666:localhost:54321
EDIT: SSH>7.6 allows a simpler syntax to start the proxy! Step 1 is not needed then:
$ ssh root@target -R6666:localhost
3. configure the server software to use the forwarded proxy
Just configure yum, apt, curl, wget or any other tool that supports SOCKS to use the proxy 127.0.0.1:6666.
Voilà! Happy tunneling!
4. optional: install proxychains to make things easy
proxychains installed on the target server enables any software to use the forwarded SOCKS proxy (even telnet). It uses an LD_PRELOAD trick to redirect TCP and DNS requests from arbitrary commands into a proxy and is really handy.
Setup /etc/proxychains.conf to use the forwarded socks proxy:
[ProxyList]
# SSH reverse proxy
socks5 127.0.0.1 6666
Tunnel arbitrary tools (that use TCP) with proxychains:
$ proxychains telnet google.com 80
$ proxychains yum update
$ proxychains apt-get update
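The answer above has two variants of the reverse SOCKS setup, depending on whether the client's OpenSSH is at least 7.6. The following POSIX shell helpers are an added example (not code from the answer or from the OpenSSH project): they parse the `ssh -V` banner, decide which variant applies, and print the command line(s) to run. For the 7.6+ variant they use the `-R port` form documented in the OpenSSH 7.6 release notes; the host name root@target and ports 6666/54321 are taken from the answer, and the banner strings in the comments are constructed samples.

```sh
#!/bin/sh
# Extract "major.minor" from an OpenSSH version banner such as
# "OpenSSH_8.9p1 Ubuntu-3ubuntu0.6, OpenSSL 3.0.2 ..." (constructed sample).
# Note: `ssh -V` prints its banner to stderr, so call it as `ssh -V 2>&1`.
ssh_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# Return 0 (true) if the given "major.minor" version supports reverse
# dynamic forwarding (`ssh -R port`), i.e. OpenSSH >= 7.6.
supports_dynamic_reverse() {
    major=${1%%.*}
    minor=${1#*.}
    if [ "$major" -gt 7 ]; then return 0; fi
    if [ "$major" -eq 7 ] && [ "$minor" -ge 6 ]; then return 0; fi
    return 1
}

# Print the command line(s) needed for the reverse SOCKS setup.
#   $1 client OpenSSH version ("major.minor")
#   $2 remote ssh destination (e.g. root@target)
#   $3 port to expose on the remote side (e.g. 6666)
#   $4 local SOCKS port used only by the pre-7.6 two-step variant (e.g. 54321)
reverse_socks_commands() {
    if supports_dynamic_reverse "$1"; then
        # One step: sshd asks the client to act as a SOCKS server on $3.
        printf 'ssh -R %s %s\n' "$3" "$2"
    else
        # Two steps: local SOCKS proxy on $4, then forward remote $3 to it.
        printf 'ssh -f -N -D %s localhost\n' "$4"
        printf 'ssh -R %s:localhost:%s %s\n' "$3" "$4" "$2"
    fi
}

# Convenience wrapper for the local machine (not run automatically).
print_commands_for_local_ssh() {
    reverse_socks_commands "$(ssh_version_from_banner "$(ssh -V 2>&1)")" root@target 6666 54321
}
```

Either way the proxy is only reachable on the remote host's loopback (127.0.0.1:6666), which is what the answer's tool configuration relies on; run `print_commands_for_local_ssh` to see which variant your client needs.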
Best Answer
In Linux:
I have written such a program for private usage in Perl (prototype quality) and am writing a better version in C. It is not yet published.
Update: now published: http://github.com/vi/socksredirect/ Use prototype.pl. Send me some notice if you are interested in development of a better version.
Update 2: Created a bit better version of it: http://github.com/vi/tcpsocks and a patch for Socat 2: http://github.com/vi/socksredirect/blob/master/socat-2.0.0-b3-REDIRECT.patch
P.S. Most of my (and sometimes some of my neighbours') traffic now goes through the tcpsocks->ssh.