Remote port forwarding through a jump server

7,315

I finally found the solution to my problem on another StackExchange community, see this post.

It consists of using the -J option (it's a shortcut for a ProxyCommand or ProxyJump option, but available for OpenSSH >= 7.3). Applied to my use case, it gives the following from the L server:

ssh -fNT -R 1025:127.0.0.1:1025 -J user@J_IP user@T_IP
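
An added example, not part of the original answer: a POSIX shell helper that builds the one-command tunnel to run on L, using -J when the client banner reports OpenSSH >= 7.3 and a ProxyCommand with -W otherwise. The function names, the explicit 127.0.0.1 bind and ExitOnForwardFailure are assumptions added here; user@J_IP, user@T_IP and port 1025 are the page's placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). With -J or ProxyCommand the
# -R listener is created on T only; J just relays the SSH connection and
# needs neither GatewayPorts nor a forwarded port of its own.

# Return 0 if the given `ssh -V` banner is OpenSSH >= 7.3 (needed for -J).
supports_proxyjump() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1          # unknown banner: use the fallback
    set -- $ver                        # $1 = major, $2 = minor
    [ "$1" -gt 7 ] || { [ "$1" -eq 7 ] && [ "$2" -ge 3 ]; }
}

# Print the tunnel command for L. Args: banner, jump host, target, port.
build_tunnel_cmd() {
    banner=$1 jump=$2 target=$3 port=$4
    # Accept digits only so nothing else can end up in the command line.
    case $port in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 2 ;;
    esac
    # 127.0.0.1 requests a loopback-only listener on T; sshd on T overrides
    # it with a wildcard bind if its GatewayPorts is set to yes.
    # ExitOnForwardFailure makes ssh exit instead of backgrounding a
    # session whose remote forward could not be set up.
    fwd="-o ExitOnForwardFailure=yes -R 127.0.0.1:$port:127.0.0.1:$port"
    if supports_proxyjump "$banner"; then
        printf 'ssh -fNT %s -J %s %s\n' "$fwd" "$jump" "$target"
    else
        # Older clients: reach T through J with ProxyCommand and -W.
        printf 'ssh -fNT %s -o ProxyCommand="ssh -W %%h:%%p %s" %s\n' \
            "$fwd" "$jump" "$target"
    fi
}

# Usage on L:
#   build_tunnel_cmd "$(ssh -V 2>&1)" user@J_IP user@T_IP 1025
```

Once the tunnel is up, running `ss -ltn` on T and on J should show port 1025 listening on 127.0.0.1 on T and not at all on J.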

Author: jmon12

Updated on September 18, 2022

Comments

  • jmon12
    jmon12 almost 2 years

    I have the following use case of remote port forwarding using ssh. I have a licensing server (L) on my local network. I want the licensing to be available from a target server (T). T is only accessible via a jumpbox (J). For the licensing to work, I need two specific ports to be accessible to T. I don't want to locally forward them from T for reasons I won't develop here. So to sum up, I need to remotely forward a port, let's say 1025, as follows:

    L --> J --> T

    Current solution

    For now, I'm just doing two remote port forwardings as follows (the suffix "_IP" refers to the relevant IP address):

    • From L: ssh -fNT -R 1025:127.0.0.1:1025 user@J_IP
    • From J: ssh -fNT -R 1025:127.0.0.1:1025 user@T_IP

    And everything works as it should.

    Wanted solution

    For usability and security reasons, I'd like the forwarding to be done with one tunnel, or at least one command. Ideally, the forwarded ports should not be available from J. After having read some ssh documentation and blogs, I came up with the following command from L:

    ssh -fNT -R T_IP:1025:127.0.0.1:1025 user@J_IP
    

    It doesn't work. The sshd logs on J show a successful authentication. First of all, is it correct in theory? Should I additionally configure T?

    NB: I'm usually doing something similar to ssh directly to T with local port forwarding on my machine, and I thought it would be fairly similar:

    ssh -fNT -L [127.0.0.1:]2222:T_IP:22 user@J_IP
    ssh -p 2222 user@localhost
    

    Relevant configuration details: J has the following options in /etc/ssh/sshd_config:

    AllowTcpForwarding yes
    GatewayPorts yes
    

    Performed tests: I also have to say that I'm not a Linux expert, so I'm not able to get all the possible causes of it not working. These are the scenarios it has been tried with:

    • GatewayPorts yes on T
    • Firewall disabled on all involved machines

    Versions: all the involved machines are using CentOS/RHEL 7.5. OpenSSH 7.4 is in use. Outcome of ssh -V:

    OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
    

    Suggestions

    1. Should I have a more exotic use of ssh, i.e. use of ProxyCommand or RemoteCommand?
    2. Am I missing some configuration point, either of the OS or ssh itself?

    PS: it's my first question on Stack, I'm probably forgetting key information. I'll try to be as reactive as possible in the comments.