How to overcome incoming ssh firewalls through an intermediate relay ssh server
18 Aug 2017

The way to forward ssh is as follows. I essentially read the OpenSSH
cookbook here:
https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Tunnels
I have machine A (thinkpad), behind a firewall that cannot accept
incoming network connections. Then we have machine B (imac) that is also
behind a firewall that cannot accept incoming network connections. But
they can both connect to my home server. A simple schematic of the
allowed connections is as follows:
thinkpad --> shirl_dell_server
imac --> shirl_dell_server
I want to make a connection from

thinkpad --> imac

The way to do this is to use shirl_dell_server as a relay to circumvent
the firewalls that prevent incoming connections on the thinkpad and the
imac. For example, my university does this. The way to do this is to
establish one normal ssh tunnel and one reverse ssh tunnel.
- From thinkpad run

  ssh -fN -L 9000:localhost:9000 shirl_dell_server

  This establishes a tunnel from local port 9000 (-L) to remote port
  9000 on shirl_dell_server. The -N tells ssh not to run any command
  on the remote server (it usually runs the login shell) and the -f
  lets the process drop to the background.

- From the imac run

  ssh -fN -R 9000:localhost:22 shirl_dell_server

  This establishes a reverse ssh tunnel from remote port 9000 (-R) to
  the local port 22, where an sshd server is listening for incoming
  connections.

- Then from thinkpad, run

  ssh -p 9000 localhost -l username

  This gets forwarded to the remote server's port 9000 through the ssh
  tunnel. The remote server forwards the incoming traffic on port 9000
  to the imac's port 22 through the reverse ssh tunnel. This then shows
  you an ssh login prompt.
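The three steps above, wrapped in a small POSIX sh script as an added example that is not part of the original post. It adds the two checks a practitioner usually wants: ExitOnForwardFailure, so that ssh -fN fails loudly when port 9000 on the relay is already taken instead of quietly backgrounding, and a function that asks the relay whether the reverse listener is actually up before the final hop. It also shows the equivalent single command with ProxyJump (-J), which replaces the -L tunnel but still needs the -R tunnel from the imac. The host name shirl_dell_server, the port 9000 and the account "username" are taken from the post; the use of the iproute2 ss tool on the relay is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): the relay setup from the
# post as functions, plus pre-flight checks. Assumptions taken from the
# post: relay host shirl_dell_server, relay port 9000, account "username"
# on the imac. Override any of them through the environment.
RELAY="${RELAY:-shirl_dell_server}"
RELAY_PORT="${RELAY_PORT:-9000}"
TARGET_USER="${TARGET_USER:-username}"

# Run on the imac: publish its sshd (port 22) on the relay's loopback port.
# ExitOnForwardFailure makes ssh exit non-zero when the relay refuses the
# listener (port already in use, forwarding disabled) instead of silently
# dropping to the background with no tunnel.
reverse_tunnel_cmd() {
    printf 'ssh -fN -o ExitOnForwardFailure=yes -R %s:localhost:22 %s' \
        "$RELAY_PORT" "$RELAY"
}

# Run on the thinkpad: bring the relay's loopback port to the thinkpad.
local_tunnel_cmd() {
    printf 'ssh -fN -o ExitOnForwardFailure=yes -L %s:localhost:%s %s' \
        "$RELAY_PORT" "$RELAY_PORT" "$RELAY"
}

# Run on the thinkpad once both tunnels are up: the final hop from the post.
login_cmd() {
    printf 'ssh -p %s -l %s localhost' "$RELAY_PORT" "$TARGET_USER"
}

# Equivalent single command from the thinkpad (OpenSSH 7.3 or later):
# ProxyJump connects to the relay and from there opens a channel to the
# relay's own localhost:9000, i.e. the reverse tunnel's listener, so the
# -L step is not needed. The -R tunnel from the imac still is.
proxyjump_cmd() {
    printf 'ssh -J %s -p %s -l %s localhost' \
        "$RELAY" "$RELAY_PORT" "$TARGET_USER"
}

# Ask the relay whether anything listens on the relay port. Returns 0 when
# the reverse tunnel from the imac is up, non-zero otherwise. Assumes the
# relay is Linux with iproute2's ss; the trailing space in the pattern
# keeps port 9000 from matching 90001 and the like.
relay_listener_up() {
    ssh "$RELAY" "ss -ltn | grep -q ':$RELAY_PORT '"
}

# Usage: sh relay.sh imac | thinkpad | check
# The command strings contain only the variables above, which is why
# eval is acceptable here; do not feed them untrusted input.
case "${1:-}" in
    imac)     eval "$(reverse_tunnel_cmd)" ;;
    thinkpad) relay_listener_up || { echo "reverse tunnel not up on $RELAY" >&2; exit 1; }
              eval "$(local_tunnel_cmd)" && eval "$(login_cmd)" ;;
    check)    relay_listener_up && echo "relay port $RELAY_PORT is listening" ;;
    *)        ;;   # no role given (e.g. sourced): define functions only
esac
```

Running `sh relay.sh check` from the thinkpad tells you whether the imac side has done its part before you open the local tunnel; without that check the login step only fails with a bare "Connection refused" from the relay's loopback, which is indistinguishable from a wrong port.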
Note that you may have to enable the options

AllowTcpForwarding yes
PermitTunnel yes

in sshd_config. Note that disabling AllowTcpForwarding does not improve
security, as the sshd_config manpage says. Permitting tunnels, however,
might decrease security since it might allow you to circumvent other
firewalls.
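The sshd_config manpage's full sentence is that disabling TCP forwarding does not improve security unless users are also denied shell access, since a user with a shell can run their own forwarder. The fragment below, an added example that is not from the post, applies that to shirl_dell_server: each side of the relay gets a dedicated account that may open exactly its one forward and nothing else, with no shell, no TTY and no tunnel devices. The account names imac-relay and thinkpad-relay are assumptions, PermitListen requires OpenSSH 7.8 or later, and Match blocks must sit at the end of sshd_config.

```sshd_config
# Added example (not from the post): lock the relay accounts on
# shirl_dell_server down to the two forwards the post describes.
# Account names are assumptions; PermitListen needs OpenSSH 7.8+.

# Account the imac logs in as: may only ask the relay to listen on 9000
# (the -R side). It may not open outbound forwards at all.
Match User imac-relay
    AllowTcpForwarding remote
    PermitListen 9000
    PermitOpen none
    PermitTunnel no
    X11Forwarding no
    AllowAgentForwarding no
    PermitTTY no
    ForceCommand /bin/false

# Account the thinkpad logs in as: may only connect to the relay's own
# localhost:9000 (the -L side, and the same channel ProxyJump opens).
# It may not create listeners on the relay.
Match User thinkpad-relay
    AllowTcpForwarding local
    PermitOpen localhost:9000
    PermitListen none
    PermitTunnel no
    X11Forwarding no
    AllowAgentForwarding no
    PermitTTY no
    ForceCommand /bin/false
```

Check the file with `sshd -t` before reloading sshd. With `-fN` neither client requests a command, so ForceCommand never runs in normal use; it only matters if one of these accounts is ever used to request a shell.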