4
ssh user@server -R server:port1:localhost:port2   

This way ssh will forward requests to server:port1 to localhost:port2, but anyone can connect to server:port1.

So I'm wondering if there's something that can do this but at the same time supports authentication?

SparedWhisle
  • 1
    what authentication? You can't simply do authentication on the TCP level. – Jakuje Jan 11 '17 at 15:20
  • @Jakuje so this is technically impossible? – SparedWhisle Jan 12 '17 at 10:17
  • 1
    If you state it this way, no. If you create the forwarding only on `localhost`, then you need to authenticate to the `server` using `ssh` and only then you can connect to the `localhost` port, if that would be enough. – Jakuje Jan 12 '17 at 10:19
  • 1
    Does this answer your question? [Securing SSH port forwarding?](https://superuser.com/questions/1679106/securing-ssh-port-forwarding) – Kamil Maciorowski Aug 02 '22 at 19:28

1 Answer

0

You can easily do this using another ssh tunnel from your local machine.

First, you have to block external connections to port1 of your server using iptables:

iptables -A INPUT -p tcp --dport port1 -i eth0 -j DROP

where eth0 is your WAN port.

Then create a direct tunnel to port1 of your server from local port 5000. This very step requires authentication:

ssh -L 5000:localhost:port1 user@server

Now you can connect to port 5000 of your local machine as if you were connecting to server:port1.

Oleg Bolden
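A check to run on the server once the tunnel is up, added here as an example and not part of the original question or answer: it reads `ss -ltn` output and reports any listener on the forwarded port that is not bound to loopback. The ports 8080 and 3000 (standing in for port1 and port2), the sample `ss` lines and the helper name `exposed_listeners` are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# Loopback-only reverse forward, then an authenticated local forward to it:
#   ssh -R localhost:8080:localhost:3000 user@server
#   ssh -L 5000:localhost:8080 user@server
# (sshd's default "GatewayPorts no" also keeps remote forwards on loopback.)

# Constructed `ss -ltn` output: forward bound to all interfaces.
SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*
LISTEN 0      128    [::]:8080          [::]:*'

# Constructed `ss -ltn` output: forward bound to loopback only.
SAMPLE_LOOPBACK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    127.0.0.1:8080     0.0.0.0:*
LISTEN 0      128    [::1]:8080         [::]:*'

# exposed_listeners PORT
# Reads `ss -ltn` output on stdin and prints each local address listening on
# PORT that is not a loopback address. Returns 1 if any were found, else 0.
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")
            p = parts[n]                      # text after the last colon
            host = substr(addr, 1, length(addr) - length(p) - 1)
            if (p != port) next
            if (host ~ /^127\./ || host == "[::1]") next
            print addr
            found = 1
        }
        END { exit (found ? 1 : 0) }
    '
}

# Demo on the constructed samples; on a real server use: ss -ltn | exposed_listeners 8080
printf '%s\n' "$SAMPLE_EXPOSED" | exposed_listeners 8080 || echo "8080 reachable from outside"
printf '%s\n' "$SAMPLE_LOOPBACK" | exposed_listeners 8080 && echo "8080 is loopback-only"
```

A loopback-only result means the iptables rule is a second layer rather than the only barrier.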