Why can I not connect to a reverse SSH tunnel port remotely, even with GatewayPorts enabled?
You need to enable GatewayPorts=yes in the config for SSHd (/etc/ssh/sshd_config), not the client, in order to enable binding to interfaces other than loopback on remote ports.

-o GatewayPorts=yes only works for local ports when passed to the ssh command.
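As an added example (not part of the original answer), a small POSIX shell check that classifies how a forwarded port is bound from netstat -an style output, so that after editing sshd_config and restarting sshd you can confirm whether the remote port is still loopback-only or is now listening on every interface. The sample lines are constructed, modelled on the question's netstat output plus the wildcard-bound variant that GatewayPorts=yes produces.

```shell
#!/bin/sh
# Added example, not the original poster's code: classify the bind address of a
# reverse-tunnel port from "netstat -an" style lines.

# Constructed sample output. The first block mirrors the question (loopback only);
# the second is what you see once sshd has GatewayPorts=yes and -R used an empty
# bind address (leading colon).
SAMPLE_LOOPBACK='tcp        0      0 127.0.0.1:22223         0.0.0.0:*               LISTEN
tcp6       0      0 ::1:22223               :::*                    LISTEN'
SAMPLE_WILDCARD='tcp        0      0 0.0.0.0:22223           0.0.0.0:*               LISTEN
tcp6       0      0 :::22223                :::*                    LISTEN'

# bind_class <local-address:port>  -> loopback | wildcard | specific
bind_class() {
    addr=${1%:*}                     # drop the trailing ":port"
    case "$addr" in
        127.*|::1)   echo loopback ;; # reachable only from the tunnel host itself
        0.0.0.0|::)  echo wildcard ;; # reachable on every interface
        *)           echo specific ;; # bound to one address (GatewayPorts=clientspecified)
    esac
}

# port_exposure <port>  reads netstat lines on stdin and prints the widest
# exposure found among LISTEN sockets on that port: wildcard > specific > loopback > none
port_exposure() {
    port=$1
    worst=none
    while read -r proto recvq sendq laddr faddr state; do
        [ "$state" = LISTEN ] || continue
        [ "${laddr##*:}" = "$port" ] || continue
        c=$(bind_class "$laddr")
        case "$c:$worst" in
            wildcard:*)                       worst=wildcard ;;
            specific:none|specific:loopback)  worst=specific ;;
            loopback:none)                    worst=loopback ;;
        esac
    done
    echo "$worst"
}

echo "port 22223 as in the question: $(printf '%s\n' "$SAMPLE_LOOPBACK" | port_exposure 22223)"
echo "port 22223 with GatewayPorts=yes: $(printf '%s\n' "$SAMPLE_WILDCARD" | port_exposure 22223)"
```

On a live host, pipe real output in with `netstat -an | port_exposure 22223`; a result of wildcard means the forwarded port is reachable from any network the tunnel host sits on.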
James Paul Turner
Updated on September 18, 2022

Comments
-
James Paul Turner almost 2 years
I require constant SSH access to a host in our department, whose IP address is dynamically allocated. I've set up a remote SSH tunnel from the target host to one of our hosts that does possess a static IP address:
ssh -f -N -g -R :22223:localhost:22 tunnelhost
When I point SSH at local port 22223 on the tunnel host, the tunnel works fine. My problem is that I cannot seem to get the tunnel bound to anything other than localhost, though - i.e. when I try to SSH remotely to tunnelhost:12323, there is no open port to receive it. I've also tried:
ssh -f -N -R :22223:localhost:22 tunnelhost -o GatewayPorts=yes
But still no luck. Netstat shows me:
[me@tunnel_host ~]$ netstat -an | grep 22223
tcp        0      0 127.0.0.1:22223         0.0.0.0:*               LISTEN
tcp6       0      0 ::1:22223               :::*                    LISTEN
Confirming that the tunnel is only bound to localhost. I've added a port exception on the tunnel host, with firewalld-cmd, and ensured no network hardware is interfering with the connection. Any ideas as to what it could be?
Cheers, James.
-
James Paul Turner about 10 years
Darth Android, thank you for your reply. It seems you are correct about -g and -o GatewayPorts only working for (-L)ocal tunnels. For the sake of completeness, here's a little more information about this issue, in case anyone else runs into it in future: bugs.debian.org/cgi-bin/bugreport.cgi?bug=228064
-
Michael Goerz over 7 years
GatewayPorts=clientspecified is a somewhat more secure setting, see askubuntu.com/questions/50064/reverse-port-tunnelling. In this case, the empty bind address (trailing colon in :22223:localhost:2) is required.
-
Nick over 7 years
I'd argue that the GatewayPorts=clientspecified setting itself isn't more secure, but rather it allows for more control over which connections will be bound to wildcard, versus just having them all bound to wildcard.
-
Nick over 7 yearsAlso, restart sshd after modding the sshd_config (in case you forget)
-
ccpizza almost 5 years
⚠️ Be aware that GatewayPorts=yes will open the forwarded ports to the world.