Why can I not connect to a reverse SSH tunnel port remotely, even with GatewayPorts enabled?
2014-07
I require constant SSH access to a host in our department, whose IP address is dynamically allocated. I've set up a remote SSH tunnel from the target host to one of our hosts that does possess a static IP address:
ssh -f -N -g -R :22223:localhost:22 tunnelhost
When I point SSH at local port 22223 on the tunnel host, the tunnel works fine. My problem is that I cannot seem to get the tunnel bound to anything other than localhost, though - i.e. when I try to SSH remotely to tunnelhost:12323, there is no open port to receive it. I've also tried:
ssh -f -N -R :22223:localhost:22 tunnelhost -o GatewayPorts=yes
But still no luck. Netstat shows me:
[me@tunnel_host ~]$ netstat -an | grep 22223
tcp 0 0 127.0.0.1:22223 0.0.0.0:* LISTEN
tcp6 0 0 ::1:22223 :::* LISTEN
Confirming that the tunnel is only bound to localhost. I've added a port exception on the tunnel host, with firewalld-cmd, and ensured no network hardware is interfering with the connection. Any ideas as to what it could be?
Cheers, James.
You need to enable GatewayPorts=yes in the config for sshd (/etc/ssh/sshd_config), not the client, in order to enable binding to interfaces other than loopback on remote ports.
-o GatewayPorts=yes only works for local ports when passed to the ssh command.
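Two checks that make the answer above concrete, as an added example that is not part of the original posts: reading the effective GatewayPorts directive out of an sshd_config (sshd honours the first occurrence of a keyword, default "no") and classifying how the forwarded port is actually bound from netstat/ss output. The config path and listener table are assumed to be supplied by the caller; the sample input is constructed, apart from the two netstat lines copied from the question.

```sh
#!/bin/sh
# Added example, not from the original posts: two checks an admin of the
# tunnel host can run to see why a -R port only listens on loopback.
# Assumes the sshd_config path and the listener table are supplied by the caller.

# Print the effective GatewayPorts value from an sshd_config file.
# sshd honours the FIRST occurrence of a keyword; the built-in default is "no".
# (Compare with what the running daemon reports: sshd -T | grep -i gatewayports)
gateway_ports_setting() {
    value=$(awk 'tolower($1) == "gatewayports" { print tolower($2); exit }' "$1")
    printf '%s\n' "${value:-no}"
}

# Classify how TCP port $1 is bound, reading "netstat -an" or "ss -tln" lines
# on stdin: "loopback" (only 127.0.0.1 / ::1), "any" (0.0.0.0, ::, * or a
# real interface address, i.e. reachable from other hosts), or "none".
listener_scope() {
    awk -v port="$1" '
        $NF == "LISTEN" || $1 == "LISTEN" {
            addr = $4
            n = split(addr, a, ":")
            if (a[n] != port) next
            host = substr(addr, 1, length(addr) - length(a[n]) - 1)
            if (host == "127.0.0.1" || host == "::1") lo = 1; else other = 1
        }
        END { print other ? "any" : (lo ? "loopback" : "none") }'
}

# Demo on a constructed config fragment: the first GatewayPorts line wins, so a
# "GatewayPorts yes" appended at the end of the file has no effect.
cfg=$(mktemp)
printf 'Port 22\nGatewayPorts no\nGatewayPorts yes\n' > "$cfg"
echo "effective GatewayPorts: $(gateway_ports_setting "$cfg")"     # no
rm -f "$cfg"

# Listener table as shown in the question: both sockets are loopback-only.
printf 'tcp 0 0 127.0.0.1:22223 0.0.0.0:* LISTEN\ntcp6 0 0 ::1:22223 :::* LISTEN\n' \
    | listener_scope 22223                                            # loopback

# Constructed: what the same port looks like once sshd allows a wildcard bind.
printf 'tcp 0 0 0.0.0.0:22223 0.0.0.0:* LISTEN\n' | listener_scope 22223   # any
```

Once the listener reports "any", the forwarded port is reachable by every host that can reach the tunnel host, so GatewayPorts clientspecified together with an explicit bind address in the -R specification keeps the exposure to the interface that actually needs it.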
Addendum:
I've seen the question "Windows HTTP tunnel through 2 Linux hosts?" and am trying to learn something from the answers. I learned. I will start by giving my problem, and then talk a little about my tests with the answers to that question.
I'm trying to connect my windows host to a linux host, using a middle linux host (the only one with an external IP).
What's my problem:
My windows host doesn't have the ports I want open (game and traffic ports).
I have a linux host that has the ports I want open.
So, the problem would be solved if I could make an ssh tunnel through my windows host to my linux host. The problem is that both of them only have an internal IP (one is at my company, the other is at my university).
The salvation: I have access to my company's linux server, which has an external IP (200.X.X.X).
So, I'd like to use this linux server as an intermediate between my windows host and my linux host.
The complication:
My linux server only has port 110 open. I can only connect to it through ssh using port 110.
In other words: I need an example such that:
the windows host's firefox, proxified to use localhost:9999, redirects its access to the linux server, which redirects its access to my linux host.
One (but not the only) idea is reverse tunneling my linux host to my linux server, and then direct tunneling my windows host to my linux server, making this linux server redirect my windows host's access to my linux host.
But I do not know the commands to try that.
I tried, but with no success:
linux host: ssh -R 20000:localhost:22 [email protected] -p110
windows host: ssh -L 9999:localhost:20000 [email protected] -p110
How can I do that?
My environment, in other words:
Windows host (internal IP == 10.X.X.X ; all ports open)
going through
Linux Server (external IP == 200.X.X.X ; can only connect to it using ssh on port 110, port 110 is the only one open)
redirecting windows host traffic to
Linux Host (internal IP == 192.X.X.X ; ports open, can connect using ssh on port 22)
Another addendum:
This would work if, on my linux server, I could (in a perfect world) access my linux host (which is impossible, given that my linux host has an internal IP):
windows host: ssh -L 9999:localhost:9999 -D 9999 -p 110 [email protected]
linux server: ssh -D 9999 linux_host_user@linux_host_ip
Adapted from the answer to "How to ssh to an unreachable remote machine by tunneling through a server that everyone can reach?"
The "solution" that worked is:
- on linux-user, I did ssh -R 1234:localhost:22 [email protected] -p110
- on windows-user, I did ssh -L 1235:localhost:1234 [email protected] -p110
- then, on windows-user, I did ssh -D 9999 -p 1235 linux-user@localhost
and then, on windows-user, I could configure firefox to use the SOCKS proxy localhost:9999, and could access a server running on my linux-user machine.
P.S.: For ssh on windows, I used cygwin to install openssh, to facilitate things.