SSH Reverse Tunnel


date: 2023-01-17


I have a machine behind a firewall that I want to temporarily allow a programmer access to. I do not have access to the firewall to add port forwarding to this machine.


SSH Reverse Tunnel solves that problem.


This took me quite a while to figure out. I probably won't write out all the details, but I did want to document that I solved it.


The programmer can now access the machine behind the firewall by connecting to a different machine on the internet at a specific port that forwards ssh to the machine behind the firewall. This command has to be run from the internal network, or in this case the machine we want to grant access to from the outside.


ssh -R 0.0.0.0:43023:localhost:22 sysadmin@machine-on-internet

The part that took me so long to figure out was the "0.0.0.0" before the first colon. This binds port 43023 (or whatever port you choose) to all ipv4 interfaces on that machine, including external ones, not just the internal loopback (localhost) device.


Then from anywhere else on the internet, you can run:


ssh -p 43023 user@machine-on-internet

That will connect you to the machine-on-internet, but pass you through to the reverse tunnel that was set up between the machine behind the firewall and machine-on-internet. You can then enter the password of the user of the machine behind the firewall and get an ssh session.


It is really quite amazing.


Web services, too


You can also use this to forward web services that are local network only to be accessible from the machine-on-internet. 


ssh -R 0.0.0.0:8888:192.168.1.17:80 sysadmin@machine-on-internet

This can be run on any machine on the same local network as 192.168.1.17 and allow's the web service on port 80 to be available from anywhere on the internet by connecting to port 8888 on machine-on-internet:


http://machine-on-internet:8888


For my own reference


I had to watch a video and rewind parts of it quite a few times to understant the concept. Then I had to search the web for quite a while before I found that 0.0.0.0:port# was needed to bind the port to an external interface on machine-on-internet.


It's a bit of a mind bender, but I think I understand it now... but probably won't remember the details after a while, which is why I'm writing this.


tags: #ssh