I have two machines, m1 and m2, and machine m2 can connect to m1 using SSH. There is a machine m1bis that can only connect to m1, and there is a machine m2bis to which only m2 can connect. I would like to make it possible for m1bis to reach machine m2bis on some port q, by connecting to some port p of machine m1. Let's say that both p and q are unprivileged ports, i.e., they are greater than 1024. In pictures:
+-------+ q +----+ SSH +----+ p +-------+
| m1bis | ----> | m1 | <------ | m2 | ----> | m2bis |
+-------+ +----+ +----+ +-------+
I have shell access to m1 and m2. The usual way I would do this would be with an SSH reverse port forwards, by running the following on m2:
ssh -R *:q:m2bis:p m1
This makes the SSH daemon on m1 listen on port q on all interfaces, and relay any incoming connections to port p of machine m2bis. That way, when m1bis connects to port q of machine m1, the connection is routed by SSH from m1 to m2, and the connection actually happens on port p of machine m2bis. So far, so good.
The problem is that this requires the setting GatewayPorts=yes
to be enabled in the SSH server configuration on m1. However, it is not enabled, and I am not root on m1 so I cannot enable it.
However, it seems to me like there's nothing really preventing me from working around this and doing my port forwarding nevertheless: I have shell access to m1, I can have an SSH connection between m1 and m2, I can run a process on m1 that listens on port q on all interfaces (instead of having the SSH daemon do the listening) and that routes the connection through SSH. So essentially I have all necessary permissions to build my own port forward.
Can I actually do this, and is there an easy way to do it?
Additional requirements:
- As I'm not root on m1, I'd prefer a solution without complicated dependencies, ideally some bash script with common utilities like
netcat
,socat
, etc., or some self-contained C program. - I'm root on m2, if it helps (but in principle I don't think I should need this either).
- I do not trust the connection between m1 and m2, so the forwarding should be encrypted between m1 and m2 (i.e., it should really go over SSH).