SSH Reverse Tunnel

What do we do when we want to access a node located behind a firewall, or in a LAN behind a router? Reaching it directly is practically impossible. We could set up port forwarding on the router so that our packets are forwarded to the target node, but we would have to be the system administrator of that LAN to do it (or ask them to do it for us).

However, if our target node is able to contact us from inside the LAN, we can still access it without disturbing our lovely system administrator. A tunnel between our node and the target node will do the job. In this case the tunnel is initiated by the target node, which is why it is known as a reverse tunnel.

Using ssh, you can set this up easily. The command has the form below:

# ssh -fNR [bind_address:]port:host:hostport [user@]hostname

As an example, we want to access the target node (referred to as localhost in the command, since the command is run on it) from our node (name: www.example.com). The port we want to access is port 22, and it will be accessible from our node at port 2222.

# ssh -fNR 2222:localhost:22 www.example.com

After that, you are prompted for the password as usual. After a successful login, the command returns to the shell but the tunnel remains in the background (-f sends ssh to the background, -N tells it not to run a remote command, and -R requests the remote forward).

To access the target node, connect to the forwarded port (2222) on our node. So, for instance, if you want to ssh into the machine (since we have forwarded the ssh port), run this command on our node:

# ssh localhost -p 2222

Then we will be able to access the node in the LAN. This works for other ports as well. Cheers!
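The following POSIX shell functions are an added example, not code from the original post: they validate the forward specification and compose the ssh command above with two options worth adding. ExitOnForwardFailure makes ssh fail instead of quietly backgrounding itself when port 2222 is already taken on our node, and the ServerAlive keepalives let a dead tunnel be detected and re-established (by autossh, as suggested in the comments, or by a simple loop). Host and port values are the post's example values; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): validate and build the
# reverse-tunnel command before running it on the LAN node.

# Validate a TCP port number: digits only, in the range 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Compose the -R spec "[bind_address:]port:host:hostport".
# Arguments: remote_port target_host target_port [bind_address]
# Prints the spec on success, returns 1 on a malformed port or empty host.
forward_spec() {
    rport=$1; host=$2; hport=$3; bind=${4:-}
    valid_port "$rport" || return 1
    valid_port "$hport" || return 1
    [ -n "$host" ] || return 1
    if [ -n "$bind" ]; then
        printf '%s:%s:%s:%s\n' "$bind" "$rport" "$host" "$hport"
    else
        printf '%s:%s:%s\n' "$rport" "$host" "$hport"
    fi
}

# Build the full command line.
# Arguments: our_node remote_port target_host target_port [bind_address]
# Beyond the post's -fNR it adds:
#  - ExitOnForwardFailure=yes: if the remote port cannot be bound, ssh exits
#    with an error instead of staying up with no tunnel.
#  - ServerAliveInterval/ServerAliveCountMax: a connection that stops
#    answering is torn down after ~90 s so a supervisor can restart it.
tunnel_command() {
    spec=$(forward_spec "$2" "$3" "$4" "${5:-}") || return 1
    printf 'ssh -fN -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R %s %s\n' \
        "$spec" "$1"
}

# Stand-alone demonstration with the post's example values.
tunnel_command www.example.com 2222 localhost 22
tunnel_command www.example.com 70000 localhost 22 || echo "rejected: port out of range"
```

The composed command is printed rather than executed so it can be reviewed first; pipe it to sh, or paste it into an autossh invocation, once the spec looks right.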

7 Responses to “SSH Reverse Tunnel”

  1. mozey Says:

    snazzy, thank you

  2. Zeth Says:

    Genius!

    I always assumed something like this was possible but never got around to finding this out. I’ll certainly be giving it a go!

    Best Wishes,
    Zeth

  3. Command Line Warriors » Blog Archive » This Week on the Command Line: Bring back CD-RWs but not the draft, also choose your dessert carefully! Says:

    [...] at ‘Apt-Get Explore’, there is a how-to for creating an SSH Reverse Tunnel. Really handy [...]

  4. fadli79uk Says:

    Thanks all for the appreciation. Apt-Get Explore mentioned in Command-Line Warriors… that's awesome!

  5. G. Says:

    also check autossh to keep the tunnel up

  6. fadli79uk Says:

    # autossh -M 2000 -NR 2222:localhost:22 www.example.com

    It gives almost the same features, but
    1. it cannot accept authentication by file.
    2. when the connection is terminated, I have to retype the password again to access http://www.example.com. Is there any option to skip this?

  7. Adam Lofts Says:

    Hi!

    Thanks for the tip. Proved very useful to me. One addition I would make is to mention that GatewayPorts should be set to “yes” or “clientspecified” in sshd_config in order to allow other computers to connect to our reverse forwarded port.

    Cheers
    Adam
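An added example, not part of the original post or of OpenSSH, on why the GatewayPorts setting above matters: with the default of no, the port opened by -R binds to the server's loopback address only, so only users already logged into our node can reach 2222; with yes it binds to all interfaces, so anyone who can reach our node can reach the LAN node's port 22. The shell functions below report the effective global value of a keyword from an sshd_config file (sshd keeps the first value it reads, keyword names are case-insensitive, and "Keyword=value" is accepted) and translate the GatewayPorts value into the resulting exposure. Lines after the first Match block are ignored, on the assumption that the global value is what is being asked about. The sample configuration is constructed for the example and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post or of OpenSSH: report the
# effective global value of an sshd_config keyword and what it means for a
# reverse-forwarded (-R) listener.

# Print the effective global value of KEYWORD in FILE, or DEFAULT if unset.
# sshd keeps the FIRST value it reads for a keyword; names are
# case-insensitive; "Keyword value" and "Keyword=value" are both accepted.
# Directives after a Match block only apply to matching connections, so we
# stop there (assumption: the caller wants the global value).
# Usage: sshd_option FILE KEYWORD DEFAULT
sshd_option() {
    file=$1
    key=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    default=$3
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                              # drop comments
        case $line in
            *=*) line="${line%%=*} ${line#*=}" ;;     # "Key=value" -> "Key value"
        esac
        set -- $line                                  # split into keyword and args
        [ $# -ge 1 ] || continue
        k=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
        [ "$k" = "match" ] && break
        if [ "$k" = "$key" ]; then
            printf '%s\n' "$2"
            return 0
        fi
    done < "$file"
    printf '%s\n' "$default"
}

# Map a GatewayPorts value to the addresses a -R listener will bind to.
# Returns 1 for a value sshd would not accept.
gateway_ports_exposure() {
    case $(printf '%s' "$1" | tr '[:upper:]' '[:lower:]') in
        no)              printf 'loopback\n' ;;        # server itself only
        yes)             printf 'all-interfaces\n' ;;  # any host reaching the server
        clientspecified) printf 'client-chosen\n' ;;   # client's bind_address decides
        *)               printf 'invalid\n'; return 1 ;;
    esac
}

# Write a constructed sample sshd_config (not a real server's file) and print
# its path. The first GatewayPorts line wins; the one under Match applies
# only to user "deploy".
write_sample_config() {
    f=$(mktemp) || return 1
    printf '%s\n' \
        '# constructed sample, not a real configuration' \
        'Port 22' \
        'AllowTcpForwarding=yes' \
        '#GatewayPorts yes' \
        'GatewayPorts clientspecified' \
        'GatewayPorts yes' \
        'Match User deploy' \
        '    GatewayPorts no' > "$f"
    printf '%s\n' "$f"
}

# Stand-alone demonstration.
cfg=$(write_sample_config)
value=$(sshd_option "$cfg" GatewayPorts no)
printf 'GatewayPorts is %s: -R listeners bind to %s\n' "$value" "$(gateway_ports_exposure "$value")"
rm -f "$cfg"
```

Run sshd_option against the server's real /etc/ssh/sshd_config to see which case applies; if the answer is all-interfaces, the forwarded port deserves the same firewalling and authentication scrutiny as any other service listening on our node.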
