
I'm running a program that binds a specific port on a host computer (running Windows 10) behind a firewall, and I don't have permission to port forward directly through my network. Instead, I'm trying to forward this connection through an external server (running Debian) via a SOCKS tunnel in order to make it publicly accessible.

The issue I'm running into is that the SSH command I'm using binds the port locally, rendering the program unable to properly bind the port itself and correctly start. (Changing the program isn't an option; it has to bind.)

I'm using the following command via SSH to set up a SOCKS tunnel:

ssh -vg -D 8123 meself@[external IP]

I've validated that this tunnel works using the following curl, which dumps Google's index page:

curl --socks5 127.0.0.1:8123 http://www.google.com/

Additionally, netstat also shows that the connection is live:

netstat -t | grep "[external IP]"

TCP    [internal IP]   [external IP]:ssh    ESTABLISHED     InHost

I've tried using FreeCap to capture the traffic from the program on the host, and force it to redirect through SOCKS, but this doesn't seem to be working. FreeCap indicates that the proxy is functional, but the program still tries to locally bind port 8123.

It's also worth noting that the program is written in Java. The command I'm using to execute the program on the host is:

java -DsocksProxyHost=127.0.0.1 -DsocksProxyPort=8123 -jar [program .jar]

Under the above conditions, this spits out an error that port 8123 is already bound.

My ultimate goal is to make it seem as though the program running on my host computer is directly accessible from the external server, such that when clients connect to the server, they believe they're connected directly to the program on the host computer, and the program on the host computer believes it's connected directly to the clients.

Where do I go from here? Can this be done without introducing a VPN?

(Note: I have permission to bypass the firewall in this way.) (Also note: I've picked 8123 as an example port only.)

1 Answer


If I understand your problem right you want to run a program (server) on machine 1. This program listens on port x that can't be accessed from remote because of some firewall rules. Now you want to bypass the firewall by an ssh tunnel to machine 2 in a way that remote clients can connect to a port y on machine 2 that is forwarded to port x on machine 1.

To achieve this you need a listening socket on machine 2 at port y that forwards all connections to machine 1 and port x.

To do this with ssh and its tunnelling/SOCKS proxy feature you can either start an ssh connection with the -L option from machine 2 to machine 1:

machine2# ssh -L portY:localhost:portX user@machine1

or the other way around with the -R option from machine 1 to machine 2 (make sure GatewayPorts is enabled on machine2):

machine1# ssh -R machine2:portY:localhost:portX user@machine2

Of course, port x and port y can also be the same. I just differentiated them to make it more clear.

See ssh manual page for details: https://linux.die.net/man/1/ssh

jojoob
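As an added example that is not part of the original answer: a small POSIX sh helper that checks whether a given sshd_config on machine 2 enables GatewayPorts (sshd uses the first occurrence of a keyword; Match blocks and the `Keyword=value` form are ignored here) and builds the -R command for machine 1, with ExitOnForwardFailure so that an already-bound portY makes ssh exit immediately instead of silently leaving the program unreachable. The config path, user and host names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a readable sshd_config
# path and placeholder user/host names.

# gateway_ports_enabled FILE
# Returns 0 if sshd_config enables remote forwards to bind on non-loopback
# addresses. sshd takes the FIRST occurrence of a keyword; "#" starts a
# comment; the default when the directive is absent is "no".
gateway_ports_enabled() {
    value=$(sed -e 's/#.*//' "$1" |
        awk 'tolower($1) == "gatewayports" { print tolower($2); exit }')
    case "$value" in
        yes|clientspecified) return 0 ;;   # "yes": sshd binds all interfaces;
                                           # "clientspecified": client's bind_address is honoured
        *) return 1 ;;
    esac
}

# reverse_forward_cmd USER@MACHINE2 PORTY PORTX
# Prints the command to run on machine 1 so that machine2:portY forwards to
# the program listening on machine1:portX. The program itself keeps binding
# portX locally; ssh binds nothing on machine 1.
#   -N                        no remote shell, forwarding only
#   ExitOnForwardFailure=yes  exit non-zero if portY is already bound on machine 2
#   '*' bind address          listen on all interfaces (needs GatewayPorts)
reverse_forward_cmd() {
    printf "ssh -N -o ExitOnForwardFailure=yes -R '*:%s:localhost:%s' %s\n" \
        "$2" "$3" "$1"
}

# Usage (placeholders): check machine 2's config, then print the command.
if [ "${1:-}" = "--demo" ]; then
    if gateway_ports_enabled /etc/ssh/sshd_config; then
        reverse_forward_cmd meself@machine2 8123 8123
    else
        echo "GatewayPorts is not enabled on this host; set 'GatewayPorts yes' in sshd_config" >&2
    fi
fi
```

Note that `-R` with GatewayPorts set to `clientspecified` still binds loopback only unless a bind address such as `*` is given, which is why the generated command includes it.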