ssh tunnel - allow remote connections on remote side?
December 11, 2006 8:42 PM Subscribe
How can I allow remote connections to the remote side of my ssh tunnel? -g doesn't work. Neither does GatewayPorts.
The situation: INSIDE---FIREWALL---OUTSIDE. The possible connection is ssh from INSIDE to OUTSIDE. I want to run a service on port 8080 of INSIDE. I want everybody in the world to be able to access it by connecting to OUTSIDE:8080.
ssh -R8080:localhost:8080 OUTSIDE does not work - that binds the 127.0.0.1 interface of OUTSIDE, not its public interface ... that is, only OUTSIDE itself can connect to its own port 8080.
Putting 'GatewayPorts yes' in OUTSIDE's /etc/ssh_config doesn't help.
I successfully solved the problem by embedding one tunnel in another - tunneling an ssh port from INSIDE to OUTSIDE, like this:
INSIDE$ ssh -R12345:INSIDE:22 OUTSIDE
OUTSIDE$ ssh -p 12345 -L8080:INSIDE:8080 localhost
but that seems unnecessarily contrived, and is highly inefficient.
Can anyone help?
Extra possibly vital information: INSIDE is Mac OS X, OUTSIDE is Windows XP running an up-to-date Cygwin.
sbutler is right about the sshd_config. The other thing that may be tripping you up is that you want a hostname, not localhost:
ssh -v -R 8080:INSIDE:8080 OUTSIDE
With -v, you should see something like:
debug1: Remote connections from LOCALHOST:1234 forwarded to local address inside:5678
posted by aneel at 12:45 AM on December 12, 2006
Also, consider something that doesn't encrypt, instead of SSH through your (presumably secure) firewall. Netcat?
OUTSIDE$ nc -l -p 1234 | nc INSIDE 5678
Listens on port 1234 of OUTSIDE and sends the data to INSIDE:5678.
posted by aneel at 12:55 AM on December 12, 2006
Oh. Note that that Netcat example is only good for one connection.
posted by aneel at 1:00 AM on December 12, 2006
You need OpenSSH version 4.0 or higher, for which the syntax for -R is
-R [bindaddress:]localport:remotehost:remoteport
where an empty bindaddress or a bindaddress of "*" means to bind to all interfaces. This in turn requires the destination sshd to have GatewayPorts enabled. With OpenSSH prior to version 4 you cannot make -R bind to anything but localhost, and you'd have to do something at the other end with "-g -L".
(So you were on the right track, but GatewayPorts is just permission to bind to all interfaces, you still have to request it explicitly.)
posted by mendel at 4:38 AM on December 12, 2006
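To make mendel's answer concrete, here is an added example (a shell script written for this page, not code from anyone in the thread) that mimics how sshd decides which address a `-R` forward actually listens on, from the GatewayPorts value in sshd_config (the server-side file; ssh_config is the client's) and the bind address the client requested. The sshd_config contents are constructed. The modelled behaviour is OpenSSH's documented one: `no` (the default) pins the listener to loopback, `yes` binds every remote forward to all interfaces whatever the client asked for, and `clientspecified` honours the client's bind address, with an omitted bind address meaning localhost and an empty one or `*` meaning all interfaces. The first GatewayPorts line wins, as sshd reads its config. IPv6 bind literals (which contain colons) are deliberately not handled.

```shell
#!/bin/sh
# Added example, not from the thread: model sshd's handling of a client-requested
# bind address for "ssh -R", given the GatewayPorts setting in sshd_config.

# sshd uses the first value it finds for a keyword; default is "no".
# Lines whose first token is "#" (or "#GatewayPorts") are comments and are skipped.
effective_gatewayports() {
    v=$(awk 'tolower($1) == "gatewayports" { print tolower($2); exit }' "$1")
    printf '%s\n' "${v:-no}"
}

# Extract the bind address the client asks for from an -R argument such as
# "8080:INSIDE:8080" (no bind address: ssh sends "localhost"),
# ":8080:INSIDE:8080" (empty: all interfaces) or "*:8080:INSIDE:8080".
# IPv6 literals are out of scope for this simple colon split.
requested_bind() {
    n=$(printf '%s' "$1" | awk -F: '{ print NF }')
    if [ "$n" -ge 4 ]; then
        printf '%s\n' "${1%%:*}"
    else
        printf 'localhost\n'
    fi
}

# Address sshd will really listen on, given GatewayPorts ($1) and the request ($2).
# Loopback is reported as 127.0.0.1 for brevity (sshd binds the loopback addresses).
effective_bind() {
    case "$1" in
        yes) printf '*\n' ;;                     # all interfaces, request ignored
        clientspecified)
            case "$2" in
                ''|'*') printf '*\n' ;;          # client explicitly asked for wildcard
                localhost) printf '127.0.0.1\n' ;;
                *) printf '%s\n' "$2" ;;         # a specific interface address
            esac ;;
        *) printf '127.0.0.1\n' ;;               # "no": loopback only, request ignored
    esac
}

# Combine: config file ($1) plus the -R argument ($2) -> listening address.
listen_address() {
    gp=$(effective_gatewayports "$1")
    rb=$(requested_bind "$2")
    effective_bind "$gp" "$rb"
}

# Constructed sample sshd_config (not the poster's). The second GatewayPorts line
# is ignored because sshd keeps the first value it sees.
write_sample_config() {
    cat > "$1" <<'EOF'
# sample sshd_config for the example
Port 22
GatewayPorts clientspecified
GatewayPorts yes
EOF
}

# Demo: show what each -R spelling would expose on OUTSIDE.
conf=$(mktemp)
write_sample_config "$conf"
printf 'GatewayPorts in effect: %s\n' "$(effective_gatewayports "$conf")"
for spec in '8080:INSIDE:8080' ':8080:INSIDE:8080' '*:8080:INSIDE:8080' '10.0.0.5:8080:INSIDE:8080'; do
    printf 'ssh -R %-26s -> sshd listens on %s\n' "$spec" "$(listen_address "$conf" "$spec")"
done
rm -f "$conf"
```

The defender's reason to prefer `GatewayPorts clientspecified` over `yes` follows from the `effective_bind` table: with `yes`, every `-R` forward any user of OUTSIDE opens becomes reachable from all interfaces even when they asked for localhost, whereas `clientspecified` exposes only the forwards whose owner explicitly requested a wildcard or public bind address.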
Response by poster: *Re-implants pulled-out-hair*
That simple, huh sbutler?
Thanks so much!
posted by dmd at 6:52 AM on December 12, 2006
posted by sbutler at 8:59 PM on December 11, 2006 [2 favorites]