Why can I not connect to a reverse SSH tunnel port remotely, even with GatewayPorts enabled?
You need to enable GatewayPorts=yes in the config for SSHd (/etc/ssh/sshd_config), not the client in order to enable binding to interfaces other than loopback on remote ports.
-o GatewayPorts=yes
Only works for local ports when passed to the ssh command.
Related videos on Youtube
17 : 43
07 : 39
02 : 03
![SSH Tunneling [Explained] | Reverse Shell over the Internet [WAN]](https://i.ytimg.com/vi/dKDgynsTAkw/hq720.jpg?sqp=-oaymwEcCNAFEJQDSFXyq4qpAw4IARUAAIhCGAFwAcABBg==&rs=AOn4CLBjfK8NOkDinSlzt6iMN4q_yv04Pg)
20 : 24
24 : 11
James Paul Turner
Updated on September 18, 2022Comments
-
James Paul Turner almost 2 years
I require constant SSH access to a host in our department, whose IP address is dynamically allocated. I've set up a remote SSH tunnel from the target host to one of our hosts that does posess a static ip address:
ssh -f -N -g -R :22223:localhost:22 tunnelhostWhen I point SSH at local port
22223on the tunnel host, the tunnel works fine. My problem is that I cannot seem to get the tunnel bound to anything other than localhost, though - i.e. when I try to SSH remotely totunnelhost:12323, there is no open port to receive it. I've also tried:ssh -f -N -R :22223:localhost:22 tunnelhost -o GatewayPorts=yesBut still no luck. Netstat shows me:
[me@tunnel_host ~]$ netstat -an | grep 22223 tcp 0 0 127.0.0.1:22223 0.0.0.0:* LISTEN tcp6 0 0 ::1:22223 :::* LISTENConfirming that the tunnel is only bound to localhost. I've added a port exception on the tunnel host, with firewalld-cmd, and ensured no network hardware is interfering with the connection. Any ideas as to what it could be?
Cheers, James.
-
James Paul Turner about 10 yearsDarth Android, Thank you for your reply. It seems you are correct about -g and -o GatewayPorts only working for (-L)ocal tunnels. For the sake of completeness, here's a little more information about this issue, in case anyone else runs into it in future. bugs.debian.org/cgi-bin/bugreport.cgi?bug=228064
-
Michael Goerz over 7 years
GatewayPorts=clientspecifiedis a somewhat more secure setting, see askubuntu.com/questions/50064/reverse-port-tunnelling. In this case, the empty bind address (trailing colon in:22223:localhost:2) is required. -
Nick over 7 yearsI'd argue that the
GatewayPorts=clientspecifiedsetting itself isn't more secure, but rather it allows for more control over which connections will be bound to wildcard, versus just having them all bound to wildcard. -
Nick over 7 yearsAlso, restart sshd after modding the sshd_config (in case you forget)
-
ccpizza almost 5 years⚠️ Be aware thatGatewayPorts=yeswill open the forwarded ports to the world.
