I require constant SSH access to a host in our department, whose IP address is dynamically allocated. I've set up a remote SSH tunnel from the target host to one of our hosts that does possess a static IP address:

ssh -f -N -g -R :22223:localhost:22 tunnelhost

When I point SSH at local port 22223 on the tunnel host, the tunnel works fine. My problem is that I cannot seem to get the tunnel bound to anything other than localhost, though - i.e. when I try to SSH remotely to tunnelhost:12323, there is no open port to receive it. I've also tried:

ssh -f -N -R :22223:localhost:22 tunnelhost -o GatewayPorts=yes

But still no luck. Netstat shows me:

[me@tunnel_host ~]$ netstat -an | grep 22223
tcp        0      0 127.0.0.1:22223         0.0.0.0:*               LISTEN
tcp6       0      0 ::1:22223               :::*                    LISTEN

Confirming that the tunnel is only bound to localhost. I've added a port exception on the tunnel host with firewall-cmd, and ensured no network hardware is interfering with the connection. Any ideas as to what it could be?

Cheers, James.

1 Answer

You need to enable GatewayPorts=yes in the config for sshd (/etc/ssh/sshd_config), not the client, in order to enable binding to interfaces other than loopback on remote ports.

-o GatewayPorts=yes

Only works for local ports when passed to the ssh command.

  • Darth Android, Thank you for your reply. It seems you are correct about -g and -o GatewayPorts only working for (-L)ocal tunnels. For the sake of completeness, here's a little more information about this issue, in case anyone else runs into it in future. bugs.debian.org/cgi-bin/bugreport.cgi?bug=228064 Commented Jun 11, 2014 at 20:06
  • 6
    GatewayPorts=clientspecified is a somewhat more secure setting, see askubuntu.com/questions/50064/reverse-port-tunnelling. In this case, the empty bind address (trailing colon in :22223:localhost:2) is required. Commented Dec 24, 2016 at 14:11
  • 2
    I'd argue that the GatewayPorts=clientspecified setting itself isn't more secure, but rather it allows for more control over which connections will be bound to wildcard, versus just having them all bound to wildcard.
    – Nick
    Commented Feb 14, 2017 at 1:57
  • 2
    Also, restart sshd after modding the sshd_config (in case you forget)
    – Nick
    Commented Feb 14, 2017 at 1:57
  • 1
    ⚠️ Be aware that GatewayPorts=yes will open the forwarded ports to the world.
    – ccpizza
    Commented Aug 26, 2019 at 16:14
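
As an added example (not code from the thread), two small POSIX shell helpers: the first reports the GatewayPorts value sshd will actually apply from an sshd_config file (sshd uses the first occurrence of a keyword, so a later "GatewayPorts yes" does not override an earlier line, and the default is "no"), the second classifies, from netstat/ss output like the one in the question, whether a forwarded port listens only on loopback or on all interfaces, which is the check worth running before and after enabling the setting given the last comment above. The config path and port 22223 are assumed for illustration.

```shell
# Effective GatewayPorts value for the sshd_config file given as $1.
# sshd honours the FIRST occurrence of a keyword; later duplicates are ignored.
# Commented-out lines (#GatewayPorts) do not match $1 and are skipped.
gatewayports_value() {
    awk 'tolower($1) == "gatewayports" { print tolower($2); found = 1; exit }
         END { if (!found) print "no" }' "$1"
}

# Classify how a listening TCP port ($1) is exposed, reading "netstat -an" or
# "ss -tln" output on stdin (local address is column 4 in both). Prints:
#   wildcard  - bound to 0.0.0.0 / :: / *   (reachable from other hosts)
#   specific  - bound to one interface address
#   loopback  - only 127.x / ::1            (what the question's netstat shows)
#   none      - nothing listening on that port
port_exposure() {
    awk -v port="$1" '
        BEGIN { name[0] = "none"; name[1] = "loopback"; name[2] = "specific"; name[3] = "wildcard" }
        /LISTEN/ {
            n = split($4, a, ":"); p = a[n]          # port is the text after the last colon
            if (p != port) next
            addr = substr($4, 1, length($4) - length(p) - 1)
            if (addr == "0.0.0.0" || addr == "::" || addr == "*" || addr == "[::]") r = 3
            else if (addr ~ /^127\./ || addr == "::1" || addr == "[::1]") r = 1
            else r = 2
            if (r > rank) rank = r                    # report the most exposed binding seen
        }
        END { print name[rank + 0] }'
}

# Stand-alone usage on the local host (path and port are assumptions).
if [ -r /etc/ssh/sshd_config ]; then
    echo "effective GatewayPorts: $(gatewayports_value /etc/ssh/sshd_config)"
fi
echo "port 22223 exposure: $(netstat -an 2>/dev/null | port_exposure 22223)"
```

Run it on the tunnel host after restarting sshd: "loopback" means the -R forward is still only reachable via the tunnel host itself, "wildcard" means it is reachable from any host the firewall lets through.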
