
I'm working with a server that is behind a firewall. I have established an ssh tunnel to an intermediate server in the internet like this:

remoteuser@behind_fw$ ssh -N -f -R 10002:localhost:22 middleuser@middle 

But I can't connect directly through this server; this doesn't work:

user@local$ ssh remoteuser@middle -p 10002 

I have to connect in two steps:

user@local$ ssh middleuser@middle
middleuser@middle$ ssh remoteuser@localhost -p 10002

Output of netstat -l on middle:

tcp 0 0 localhost:10002 *:* LISTEN 

but it should be something like this:

tcp 0 0 *:10002 *:* LISTEN 

how can I achieve this?

2 Answers


This being a tunnel opened at a remote server, that server needs to have GatewayPorts set to yes in its /etc/ssh/sshd_config.

Depending on what kind of users that server has, you might want to use the Match option to limit that capability to your user.

Match User middleuser
    GatewayPorts yes

Do note that you probably want to add this Match block in the end of your sshd_config, since a Match block goes on until another one begins, or the file ends.

That being said, how about instead trying what I'd consider a slightly cleaner solution?

user@local$ ssh -N -f -L 10002:behind_fw:22 middleuser@middle
user@local$ ssh remoteuser@localhost -p 10002
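To make the "Match block runs until the next Match or end of file" caveat from the answer above concrete, here is an added example (not code from the answer or from OpenSSH): a small POSIX sh/awk helper that resolves the value a given user gets for an sshd_config directive, following sshd's rules that the first global occurrence wins and that a directive inside a matching Match block overrides the global one. It only evaluates `Match User` criteria and uses two constructed sample configs; `effective_option` and `demo` are hypothetical names.

```shell
#!/bin/sh
# Added example, not part of the original answer or of OpenSSH.
# Resolve the value a user gets for an sshd_config directive, honouring:
#   * outside Match blocks, the first occurrence of a directive wins;
#   * a Match block runs until the next "Match" line or end of file, and a
#     directive set in a matching block overrides the global value.
# Only "Match User <name>[,<name>...]" criteria are evaluated; any other
# criteria are treated as not matching. Prints "default" when unset.
effective_option() {
    # usage: effective_option <directive> <user>   (config text on stdin)
    awk -v want="$1" -v user="$2" '
        /^[[:space:]]*#/ { next }          # comment line
        NF == 0 { next }                   # blank line
        tolower($1) == "match" {
            in_match = 1; matched = 0
            for (i = 2; i < NF; i += 2) {
                if (tolower($i) != "user") continue
                n = split($(i + 1), names, ",")
                for (j = 1; j <= n; j++) if (names[j] == user) matched = 1
            }
            next
        }
        tolower($1) == tolower(want) {
            if (!in_match) { if (global == "") global = $2 }
            else if (matched && local == "") local = $2
        }
        END {
            if (local != "") print local
            else if (global != "") print global
            else print "default"
        }'
}

# Constructed sample: Match block at the end, as the answer recommends.
CONFIG_OK=$(cat <<'EOF'
Port 22
GatewayPorts no
PasswordAuthentication no
Match User middleuser
    GatewayPorts yes
EOF
)

# Constructed sample: same directives, but the Match block was added in the
# middle of the file, so "PasswordAuthentication no" now belongs to it and
# every other user silently falls back to the compiled-in default.
CONFIG_BAD=$(cat <<'EOF'
Port 22
GatewayPorts no
Match User middleuser
    GatewayPorts yes
PasswordAuthentication no
EOF
)

# Print the effective values for two users under both configs.
demo() {
    for cfg in CONFIG_OK CONFIG_BAD; do
        eval "text=\$$cfg"
        for u in middleuser alice; do
            printf '%s: %s GatewayPorts=%s PasswordAuthentication=%s\n' "$cfg" "$u" \
                "$(printf '%s\n' "$text" | effective_option GatewayPorts "$u")" \
                "$(printf '%s\n' "$text" | effective_option PasswordAuthentication "$u")"
        done
    done
}

demo
```

Running it shows that both layouts give middleuser `GatewayPorts yes`, but in the second layout user alice gets `PasswordAuthentication default` instead of `no`, which is exactly why the Match block belongs at the end of the file.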

Assuming you are using OpenSSH you need to specify the bind address. Try something like:

ssh -N -f -R *:10002:localhost:22 middleuser@middle 

or

ssh -N -f -R :10002:localhost:22 middleuser@middle 

The signature for -R is:

-R [bind_address:]port:host:hostport 

on OpenSSH. For security reasons it defaults to localhost if you don't specify it. You might have to change GatewayPorts to get it to work depending on your config. See SSH(1) for more info.
