ssh tunnel - allow remote connections on remote side?
December 11, 2006 8:42 PM

How can I allow remote connections to the remote side of my ssh tunnel? -g doesn't work. Neither does GatewayPorts.

The situation: INSIDE---FIREWALL---OUTSIDE. The possible connection is ssh from INSIDE to OUTSIDE. I want to run a service on port 8080 of INSIDE. I want everybody in the world to be able to access it by connecting to OUTSIDE:8080.

ssh -R8080:localhost:8080 OUTSIDE does not work - that binds the 127.0.0.1 interface of OUTSIDE, not its public interface ... that is, only OUTSIDE itself can connect to its own port 8080.

Putting 'GatewayPorts yes' in OUTSIDE's /etc/ssh_config doesn't help.

I successfully solved the problem by embedding one tunnel in another - tunneling an ssh port from INSIDE to OUTSIDE, like this:
INSIDE$ ssh -R12345:INSIDE:22 OUTSIDE
OUTSIDE$ ssh -p 12345 -L8080:INSIDE:8080 localhost

but that seems unnecessarily contrived, and is highly inefficient.

Can anyone help?

Extra possibly vital information: INSIDE is Mac OS X, OUTSIDE is Windows XP running an up-to-date Cygwin.
posted by dmd to Computers & Internet (6 answers total)
 
Best answer: "GatewayPorts yes" belongs in /etc/sshd_config (since it's the remote server that needs to know to bind globally).
posted by sbutler at 8:59 PM on December 11, 2006 [2 favorites]


sbutler is right about the sshd_config. The other thing that may be tripping you up is that you want a hostname, not localhost:

ssh -v -R 8080:INSIDE:8080 OUTSIDE

With -v, you should see something like:
debug1: Remote connections from LOCALHOST:1234 forwarded to local address inside:5678
posted by aneel at 12:45 AM on December 12, 2006


Also, consider something that doesn't encrypt, instead of SSH through your (presumably secure) firewall. Netcat?

OUTSIDE$ nc -l -p 1234 | nc INSIDE 5678

Listens on port 1234 of OUTSIDE and sends the data to INSIDE:5678.
posted by aneel at 12:55 AM on December 12, 2006


Oh. Note that that Netcat example is only good for one connection.
posted by aneel at 1:00 AM on December 12, 2006


You need OpenSSH version 4.0 or higher, for which the syntax for -R is
-R [bindaddress:]localport:remotehost:remoteport
where an empty bindaddress or a bindaddress of "*" means to bind to all interfaces. This in turn requires the destination sshd to have GatewayPorts enabled. With OpenSSH prior to version 4 you cannot make -R bind to anything but localhost, and you'd have to do something at the other end with "-g -L".

(So you were on the right track, but GatewayPorts is just permission to bind to all interfaces; you still have to request it explicitly.)
posted by mendel at 4:38 AM on December 12, 2006
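
Added example, not part of the thread or any poster's code: a shell sketch of how the GatewayPorts value in OUTSIDE's sshd_config and the bind address in the -R argument together decide whether the forwarded port is reachable from other hosts. It follows the documented OpenSSH values no, yes and clientspecified; the function names gateway_ports_setting and forward_bind and the sample config are constructed for illustration.

```shell
# Print the global GatewayPorts value from an sshd_config-style file.
# sshd uses the first value it obtains for a keyword, keywords are
# case-insensitive, and the default is "no". Simplification: Match blocks
# are not evaluated; parsing stops at the first Match line.
gateway_ports_setting() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "gatewayports" { print tolower($2); found = 1; exit }
        END { if (!found) print "no" }
    ' "$1"
}

# Print where sshd binds the listener for a -R spec written as
# [bind_address:]port:host:hostport: "loopback", "wildcard" or an address.
# IPv6 bracket syntax is not handled.
forward_bind() {
    gp=$1 fwd=$2
    case $fwd in
        *:*:*:*) requested=${fwd%%:*} ;;   # bind address given (may be empty)
        *)       requested=localhost ;;    # none given: loopback by default
    esac
    case $gp in
        yes) echo wildcard ;;              # forced, whatever the client asked
        clientspecified)
            case $requested in
                ''|'*')    echo wildcard ;;
                localhost) echo loopback ;;
                *)         echo "$requested" ;;
            esac ;;
        *) echo loopback ;;                # "no": always loopback
    esac
}

# Constructed sample config standing in for OUTSIDE's sshd_config.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
GatewayPorts clientspecified
EOF
setting=$(gateway_ports_setting "$sample")
for spec in 8080:INSIDE:8080 :8080:INSIDE:8080 '*:8080:INSIDE:8080'; do
    printf '%-26s -> %s\n' "ssh -R $spec" "$(forward_bind "$setting" "$spec")"
done
rm -f "$sample"
```

With "yes" every remote forward on that server is published on all interfaces, while "clientspecified" exposes only the forwards whose -R argument asks for it.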


Response by poster: *Re-implants pulled-out-hair*
That simple, huh sbutler?
Thanks so much!
posted by dmd at 6:52 AM on December 12, 2006

