How to bypass firewall and NAT with reverse SSH Tunnel

Question

I\'m trying to generate an SSH server in a machine behind a router.

First I tried to bind the SSH to my public IP address:

ssh -R 10002:localhost:22          


        

Answer 1

As you said we have "destination machine" (where we wanto to connect to using ssh), "middle machine" (public server working as forwarder), "other computers" (any other computer on the net)

As @thomas-oster said you have to use

[destination computer] $ ssh -R 2222:localhost:22 ip_of_public_server

However, in order for the tunnel to bind to 0.0.0.0 instead of localhost, you have to use GatewayPorts in /etc/ssh/sshd_config on the "middle machine" (public server):

GatewayPorts yes

Of course you have to restart sshd after adding this option.

Read http://www.snailbook.com/faq/gatewayports.auto.html for an explanation: "by default SSH only listens for connections to the forwarded port on the loopback address"

This will allow you to connect from any computer on the net to your destination computer using the ip of the middle machine (public server):

[any computer on the net] $ ssh -p 2222 ip_of_public_server

Make sure your firewall on the public server allows connections to port 2222/tcp.

Answer 2

Is there a ssh-server running on the public "ip_address"? What you're trying to do is "open ssh connection to "ip_address" and then tunnel any incoming request on port 10002 to localhost:22".

If "ip-address" is the public IP address of your dsl-router, you have to create a port-forwarding in the router's configuration to your host:22.

If you do not have access to the router, the only possible thing would be if you had access to another server running ssh in the internet, from which you can tunnel.

# open a session to the public available machine and create a tunnel from port 10002 back  to your local sshd (22)
ssh -R 10002:localhost:22 ip_of_public_server
# as long as this session is open, all calls to the public available machine on port 10002 will be tunneled to your local machine (make sure sshd is running on port 22)
ssh -p 10002 ip_of_public_server

Answer 3

I recently stumbled upon the same problem, but without having root privileges on the SSH server.

As mentioned GatewayPorts yes is needed so also clients from network are able to connect to remote forwarding port on the SSH server. By default it is set to no. Thus if you don't have root privileges you cannot change SSHD settings to set GatewayPorts option to true. But in that case you can use the following workaround:

ssh -R 4041:localhost:22 myserver.com 'socat TCP-LISTEN:4040,fork TCP:127.0.0.1:4041'

socat is a great network utility which binds a TCP port 4040 on interface 0.0.0.0 so it is visible from network and redirects all traffic to the 127.0.0.1:4041 where SSHD is listening and redirecting it to your client's port 22.

Thus if somebody wants to connect your local SSH on port 22 as you described (on the client) he does:

ssh -p 4040 myserver.com 

and it works like this:

SSH client --> myserver.com:4040 (socat) --> 127.0.0.1:4041 (myserver.com, SSHD) --> SSH client port 22

socat can be either built from sources or already installed on the system. It is present in the RPMForge repositories for RHEL/CentOS (however if you don't have root privileges you cannot install it).