5

I want to forward sshd (port 22) on machine X which has a non-routeable IP. The forwarding options are nc (which is horrible), inetd (requires privs), iptables (requires privs) and ssh. So I'm using ssh, which has the added bonus of providing an encrypted tunnel.

I have a machine Y with a public IP. I want to expose X:22 as Y:8022.

X $ ssh -R8022:localhost:22 Y

This works, but port 8022 is bound to the loopback:

Y $ netstat -ant
. . .  
tcp        0      0 127.0.0.1:8022          0.0.0.0:*               LISTEN

which means I cannot connect from any foreign machines. Since GatewayPorts is set to no in Y's /etc/ssh/sshd_config, I cannot specify another bind address. Any ideas?


Note: I did manage to get things working by using another tunnel from Y to Y:

Y $ ssh -g -L9022:localhost:8022 localhost

which is a very inefficient solution: it encrypts/decrypts on localhost from port 9022 to 8022, then encrypts again before sending to X. Surely there must be a better way?

JoSSte
  • 403
  • 3
  • 16
Fixee
  • 308
  • 1
  • 5
  • 14
  • Possible duplicate of [How to make ssh tunnel open to public?](http://superuser.com/questions/588591/how-to-make-ssh-tunnel-open-to-public) – Cees Timmerman Mar 09 '16 at 12:28

2 Answers

1

Try to run something like socat after connecting to Y?

ssh -R8022:localhost:22 Y socat tcp-listen:9022,fork,reuseaddr tcp:127.0.0.1:8022

Then you can connect to X through Y:9022

jack77213
  • 11
  • 1
  • can you confirm that this also works when Gatewayports is off? Some terminal output demonstrating it would make this answer excellent. – barlop Feb 10 '23 at 13:34
  • Yes, this works when GatewayPorts is off. When `ssh -R8022:localhost:22 Y` is running, 8022 is still bound to the loopback; then `socat tcp-listen:9022,fork tcp:127.0.0.1:8022` will relay any TCP connection to localhost:8088. socat binds to 0.0.0.0 by default. But this method requires the additional tool `socat`. – jack77213 Feb 14 '23 at 13:35
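As an added example (not code from the thread), the relay that the answer's `socat tcp-listen:9022,fork,reuseaddr tcp:127.0.0.1:8022` performs, reimplemented in Python so each piece (listen with reuseaddr, one handler per client, two one-way pipes) is visible. The echo backend is a constructed stand-in for the loopback-only forward on 127.0.0.1:8022; in production the relay would bind ("0.0.0.0", 9022) and point at ("127.0.0.1", 8022).

```python
import socket
import threading

def pipe(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst (as socat does)."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def bridge(client, target):
    """The 'fork' branch: one accepted client, one fresh upstream, two pipes."""
    upstream = socket.create_connection(target)
    back = threading.Thread(target=pipe, args=(upstream, client), daemon=True)
    back.start()
    pipe(client, upstream)
    back.join()
    upstream.close()
    client.close()

def start_relay(listen, target):
    """Bind `listen` (host, port) with SO_REUSEADDR, relay every connection to
    `target`, and return the actual bound address (port 0 picks a free port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)  # ,reuseaddr
    srv.bind(listen)
    srv.listen()
    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=bridge, args=(conn, target), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()

def start_echo_backend():
    """Constructed stand-in for the loopback-bound forward (the sshd on X)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=pipe, args=(conn, conn), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()

def relay_roundtrip(payload):
    """Send payload client -> relay -> backend and return what comes back."""
    relay = start_relay(("127.0.0.1", 0), start_echo_backend())
    with socket.create_connection(relay) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        out = b""
        while chunk := c.recv(4096):
            out += chunk
    return out

if __name__ == "__main__":
    print(relay_roundtrip(b"SSH-2.0-probe\r\n"))
```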
1

Since GatewayPorts is off, I haven't any solution <-- comment from the answerer themselves.

Why do you use a reverse port forwarding?

On host Y:

ssh -f -N -q -L :8022:localhost:22 user@X

should do the trick

-f: daemonize

-N: no command

-q: quiet

-L: port forward

leading ':' before the port: binds the local port on all interfaces, not only localhost

barlop
  • 23,380
  • 43
  • 145
  • 225
maxxvw
  • 399
  • 4
  • 9
  • You can ssh from Y to X because (as noted in the question), X has a private IP. This means a reverse tunnel is required. – Fixee Apr 13 '13 at 20:14
  • ok, since GatewayPorts is off, i haven't any solution...sorry – maxxvw Apr 13 '13 at 20:50