Linux – SSH: Troubleshooting “Remote port forwarding failed for listen port” errors

linuxnetworkingportport-forwardingssh

Question: Why does ssh -N -R 2222:localhost:22 <bluehost_user>@<bluehost_ip> result in a "Remote port forwarding failed for listen port" error? The objective is to establish a reverse tunnel with port forwarding in order to consistently ssh into a host behind a NAT router that has a dynamic private IP. See image for details.

Already Tried:

Researched existing literature on Google, Stackoverflow, etc. There are topics concerning this error message, however the resolutions given resolve root causes different than that of this particular instance because those resolutions do not resolve the error in this case.
I've performed several diagnostics to validate the required ports are open. Some of those results are shown in the image below.

Reverse SSH Tunnel

Update

I was trying the following command for Step 2:
reduser@redhost:~ ssh greenuser@greenhost -p 2222

It should be:
reduser@redhost:~ ssh greenuser@bluehost -p 2222
You want to use the greenuser credentials on the bluehost IP because the host you are loging into when you use port 2222 is really the greenhost.

Best Answer

Why does ssh -N -R 2222:localhost:22 <bluehost_user>@<bluehost_ip> result in a "Remote port forwarding failed for listen port" error?

I get this exact warning when I attempt to use a port that is already taken on the remote side.

The output of netstat from bluehost indicates that something is already listening on port 2222 there. It doesn't show what it is though.

Solutions:

Change 2222 in your ssh invocation to some other port which is not in use on bluehost. Just make it greater than 1023 because regular users can't bind to well-known ports; otherwise you will get the same warning regardless of whether the port is in use or not.
Or identify the listening process (on bluehost) with sudo lsof -i TCP:2222; terminate or reconfigure it to make the port 2222 available.

Edit:

In your case this part of man ssh seems important:

-R [bind_address:]port:host:hostport
-R [bind_address:]port:local_socket
-R remote_socket:host:hostport
-R remote_socket:local_socket
[…] By default, TCP listening sockets on the server will be bound to the loopback interface only. This may be overridden by specifying a bind_address. An empty bind_address, or the address ‘*’, indicates that the remote socket should listen on all interfaces. Specifying a remote bind_address will only succeed if the server's GatewayPorts option is enabled (see sshd_config(5)).

It means you should have GatewayPorts yes in the sshd_config on bluehost. Read man 5 sshd_config to learn more. Don't forget to reload the service afterwards.

Related Solutions

Why isn’t the port forwarding with thesql working on the server

Did you try using

ssh -L 33066:localhost:3306 remotemachine

Please make also sure that inside the mysql privilege system, both 127.0.0.1 and localhost are allowed sources for your database user.

Linux – Warning: remote port forwarding failed for listen port ‘xxxx’

The correct command to see who is using port 2022 is

  sudo ss -ntp

First, you should not use nestat, which is by now obsolete (if you are on Linux, as I believe you are, but if you are on Unix just forget this); second, you should run the command as sudo, otherwise you will not have the authority to display the processes using the port; third, you should definitely not use the flag u, because this means looking at UDP ports, while you are getting an error on ssh, which is most definitely using TCP, not UDP.

Best Answer

Related Solutions

Why isn’t the port forwarding with thesql working on the server

Linux – Warning: remote port forwarding failed for listen port ‘xxxx’

Related Question