I have a server in my home network (cannot port forward) and a VPS on the WAN. I need requests on a certain port to (not from) the VPS to be forwarded to my home server. I have an SSH tunnel which works fine if I send the request to localhost on the VPS. However, I want requests sent to the VPS's localhost from the internet to be forwarded to my home server through the tunnel. And it needs to be bi-directional.
I have seen this question, however it doesn't work for me. It is quite possible that I did something incorrectly.
My exact procedure:

On server a, my home server, I ran this command to set up the tunnel:

ssh -v -N -R 2222:localhost:22 root@server-b.com

I ran the following command on server b (VPS):

iptables -t nat -A PREROUTING -p tcp --dport 2223 -j DNAT --to-destination 127.0.0.1:2222

And tried to ssh from another machine:

ssh root@server-b.com -p 2223

I set GatewayPorts yes in sshd_config, however I am still finding the same problem:

ssh: connect to host server-b.com port 2223: Connection refused.
Best Answer

Set GatewayPorts yes and AllowTcpForwarding yes in sshd_config on server b. With GatewayPorts clientspecified, explicitly mention IP 0.0.0.0 or * on server a to create the reverse tunnel, so that sshd on server b accepts connections from the public too:

Otherwise sshd listens on the loopback interface only, as is the case with GatewayPorts no. Now ssh from another machine to port 2222:

You'll be logged in to server a after authentication. No need to set up iptables forwarding. Btw, avoid user root for remote logins, if possible.

If you don't want to set the GatewayPorts option, then you need to forward traffic from some other port, say 2223, to localhost:2222. This can be done with iptables on server b:

* REDIRECT works only for the same interface.

But routing to the loopback interface isn't allowed unless:

Now ssh from another machine to port 2223:

Another option is to set up some minimal local forwarding server from port 2223 to 2222 using tools like ssh, socat, netcat, *inetd etc. On server b, with socat:

Or with netcat:

Or with ssh:

Any of the above can be combined with the reverse tunnel to do a double forwarding from server a in a single step:
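The "minimal local forwarding server" option above, written out as an added Python example (not code from the answer or from socat/netcat): a bidirectional TCP relay with one pump per direction, plus a constructed loopback echo server standing in for the sshd listener behind -R 2222. The listen address passed to start_forwarder carries the same exposure trade-off as GatewayPorts: 127.0.0.1 keeps the relay local, 0.0.0.0 publishes the tunnel endpoint.

```python
import contextlib
import socket
import threading

def _pump(src, dst):
    # Copy src -> dst until EOF, then half-close dst; one pump per direction.
    with contextlib.suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)
def _serve(host, port, handler):
    # Bind host:port; each accepted connection gets handler(conn) on its own thread.
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(8)
    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener closed
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv
def start_forwarder(listen_host, listen_port, target):
    # Relay listen_host:listen_port -> target=(host, port). Binding "0.0.0.0"
    # exposes target to everyone, exactly as GatewayPorts yes would.
    def handle(client):
        try:
            upstream = socket.create_connection(target, timeout=5)
            upstream.settimeout(None)  # timeout was for connect only; relay may idle
        except OSError:
            client.close()  # endpoint down: refuse instead of hanging
            return
        threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()
        _pump(client, upstream)
    srv = _serve(listen_host, listen_port, handle)
    return srv, srv.getsockname()[1]
def round_trip(payload):
    # Constructed check: client -> forwarder -> echo server (stands in for sshd behind -R).
    echo = _serve("127.0.0.1", 0, lambda c: _pump(c, c))
    fwd, port = start_forwarder("127.0.0.1", 0, echo.getsockname())
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        reply = b"".join(iter(lambda: s.recv(4096), b""))
    fwd.close(); echo.close()
    return reply
```

Ports 0 here mean "pick a free port" so the check runs anywhere; a real deployment would pass 2223 as listen_port and ("127.0.0.1", 2222) as target.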