I’ve always been curious on ssh port forwarding enough to experiment and learn it to be deadly enough. I currently have two machines that I’d like to test this with, both -L (local) and -R (remote).
I have a C7 host behind a router and a C8 host on the internet that I’ll be testing with.
Our set up is the following:
192.168.2.222:22 (c7 Host) <-> 192.168.2.1:* (router) <-> 126.96.36.199:22 (c8 host)
What I’m going to do is forward port 4444 on my c7 machine to connect to the c8 host on port 22 by launching the following on 192.168.2.222:
$ ssh -L 192.168.2.222:4444:188.8.131.52:22 localhost
At this point I can start a SSH session to 192.168.2.222 at port 4444. I’m prompted to log in at 184.108.40.206, and i’m good to go. As long as the command is running I maintain a connection.
To remove the login necessity I added ~/.ssh/id_rsa.pub to ~/.ssh/authorized_keys for passwordless local log in.
Remote forwarding allows world-accessible hosts to provide access to internal hosts. In our previous scenario we forwarded from an intranetwork host to a world host. Now we’re gonna use that intranetwork host and make it so that if we SSH to the world host at port 4444 that we will be ssh-ing to our intranetwork host, bypassing the router.
On 192.168.2.222 I execute the following:
$ ssh -R 4444:localhost:22 220.127.116.11 -ldiffuser
On my world-accessible host I log in with “diffuser”, and the forwarding is set up.
On 18.104.22.168 I can ssh to localhost:4444 and connect as internaluser with ease:
$ ssh localhost -p 4444 -linternaluser
Due to how /etc/ssh/sshd_config has GatewayPorts set up by default I cannot connect with my home computer to my world-accessible host. I would have to restart sshd service after setting GatewayPorts=yes (by default it’s no)