
I am trying to figure out SSH port forwarding and have not found success from looking at different questions and tutorials, it seems that everything I have seen is just a little different than my situation and I can't quite figure out how to apply it to mine.

I am running an application (A) from a Windows machine in an internal network (22.22.22.xx). This application must be hosted on this network. I also have a Linux SSH client/server (S) on a machine that has a network adapter card for the (22.22.22.xx) network as well as one for the (11.11.11.xx) network. I have an application client (C) running on Windows that has access to the SSH client but does not have access to the (22.22.22.xx) network and therefore cannot access A directly. The setup is displayed below.

[network setup diagram]

I am trying to set up port forwarding from the SSH server so that the application client can reach the application server.

So far, I have been able to get local port forwarding working using PuTTY on the application client. I used this command (entered on PuTTY's UI):

ssh -L 8888:22.22.22.5:5555 user@11.11.11.4

From here I am able to go to localhost:8888 on 'C' and am tunneled through 'S' to reach the page being served on 'A'. However, in a perfect world, I would like to not have to open and run PuTTY on the client every time to access the page.

So, I am trying to find a way to set up remote port forwarding to forward a port, say 4444, on 'S' to 'A'. So that from 'C' I could simply go to 11.11.11.4:4444 and I am tunneled into 22.22.22.5:5555.

So far, I have tried running this on the command line in 'S':

ssh -R 4444:22.22.22.5:5555 user@localhost -o GatewayPorts=yes

When I ran this, it looked like I ssh-ed right back into the machine, I entered the credentials and tried going to 11.11.11.4:4444 from the client and I was not directed to the server. I also tried running this command (but from PuTTY) on 'A':

ssh -R 4444:localhost:5555 user@22.22.22.4 -o GatewayPorts=yes

From this I got a 'Remote port forwarding failed' message in the PuTTY event log.

I feel like I am very close to the solution and just have something confused in my commands or I am way off and don't understand what is going on at all.

JonathanDavidArndt
Jtt3mr

1 Answer


You don't want remote/reverse forwarding, although with the local version (your first example) there would be little difference, except that it needs configuration on the server. The option GatewayPorts=yes is for the ssh server, not for the ssh client.

Try on the server S

ssh -g -L 4444:22.22.22.5:5555 user@localhost

RalfFriedl
  • Hm, that seems like it makes sense, but when I tried it, I ssh-ed back into the server S, entered the credentials, and when I tried to connect to 11.11.11.4:4444 from the client I got a connection timeout. Running `netstat -a -n` from the server S I see: `127.0.0.1:22 - 127.0.0.1:40800 - ESTABLISHED`, `127.0.0.1:40800 - 127.0.0.1:22 - ESTABLISHED`, and `:::4444 - :::* - LISTEN` – Jtt3mr Aug 22 '18 at 18:00
  • If you get a connection timeout and not connection refused, a firewall is blocking your connection. You could add the output from netstat to the question. – RalfFriedl Aug 22 '18 at 18:05
  • Would that be the firewall of the ssh server or of the application server? – Jtt3mr Aug 22 '18 at 18:10
  • On the SSH server, 'S'. The application server accepts connections on port 5555. – RalfFriedl Aug 22 '18 at 18:13
  • Running `netstat -tuplen` on the SSH server gives me: `tcp -- 0.0.0.0:4444 -- 0.0.0.0:* -- LISTEN -- ssh`. So that would mean that the SSH process is listening on that port and not being blocked by the firewall, correct? – Jtt3mr Aug 22 '18 at 18:23
  • No, it just means the SSH process is listening on that port. It doesn't say anything about being blocked. The blocked part is inferred by your connection timeout instead of being accepted. – RalfFriedl Aug 22 '18 at 18:45
  • It turns out I typed the wrong port number in the URL.. whoops. But now that I used the correct port I am getting a '404 - Not Found' and I am seeing the connection established between the client and the server port 4444. – Jtt3mr Aug 22 '18 at 18:52
  • If it worked before, when you used forwarding from C to S and connected to 127.0.0.1, the application server may evaluate the HTTP host header. If the application server has an assigned name, you may try to add that name to your hosts file with the address of server S and try to connect to the host name. – RalfFriedl Aug 22 '18 at 19:22
  • So after a lot of digging and trying different things, I found that the nginx reverse proxy that was running on the same linux node as the ssh server was doing something that prevented the port 4444 from being forwarded on to the application server. So I stopped the nginx service and tried it again and it worked! Thanks for all the help! – Jtt3mr Aug 23 '18 at 18:35
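The accepted answer turns on one detail: `ssh -L` binds its listener to 127.0.0.1 unless `-g` (or an explicit bind address, `-L 11.11.11.4:4444:22.22.22.5:5555`) is given, so the forwarded port on S is invisible to C until the bind address changes. The following Python script is an added example and not code from the original question or answer; it is a minimal TCP forwarder that models the client side of `ssh -L` so the effect of the bind address can be seen without an SSH server. The echo server standing in for application A, the ephemeral ports, the `bind_addr` parameter and the test addresses 127.0.0.1/127.0.0.2 are constructed assumptions for the demo; 127.0.0.2 is used because on Linux the whole 127/8 range is loopback, so a listener bound only to 127.0.0.1 refuses it exactly the way a listener on S refuses C.

```python
"""Model of `ssh -L [bind_address:]port:host:hostport` on the SSH client side.

Added example (not from the original post). A plain -L listens on 127.0.0.1 only;
-g, GatewayPorts or an explicit bind address listens on a reachable interface.
"""
import socket
import threading


def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst so the peer sees EOF."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _relay(client, target):
    """Connect to target (the 'host:hostport' part of -L) and splice both directions."""
    try:
        upstream = socket.create_connection(target, timeout=5)
    except OSError:
        client.close()
        return
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)
    back.join()
    client.close()
    upstream.close()


def start_forwarder(bind_addr, listen_port, target):
    """Listen on (bind_addr, listen_port) and forward each connection to target.

    bind_addr="127.0.0.1" models plain `ssh -L`; "0.0.0.0" models `ssh -g -L`.
    Returns (listening socket, bound port); port 0 picks a free port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, listen_port))
    srv.listen(16)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener closed
                return
            threading.Thread(target=_relay, args=(conn, target), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def start_echo_server():
    """Constructed stand-in for application A (22.22.22.5:5555): echoes its input."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def handle(conn):
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def roundtrip(addr, port, payload, timeout=2.0):
    """Send payload through the forwarder at addr:port and return what comes back."""
    with socket.create_connection((addr, port), timeout=timeout) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def is_reachable(addr, port, timeout=1.0):
    """True if a TCP connect to addr:port succeeds (what C sees when it tries S:4444)."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def demo():
    """Compare a loopback-only listener (plain -L) with an all-interfaces one (-g)."""
    app, app_port = start_echo_server()
    target = ("127.0.0.1", app_port)          # plays 22.22.22.5:5555
    local_only, p1 = start_forwarder("127.0.0.1", 0, target)   # ssh -L 4444:A:5555
    gateway, p2 = start_forwarder("0.0.0.0", 0, target)        # ssh -g -L 4444:A:5555
    results = {
        "loopback_via_127.0.0.1": roundtrip("127.0.0.1", p1, b"GET / HTTP/1.0\r\n\r\n"),
        "loopback_via_127.0.0.2": is_reachable("127.0.0.2", p1),   # refused: not bound there
        "gateway_via_127.0.0.1": roundtrip("127.0.0.1", p2, b"ping"),
    }
    for s in (local_only, gateway, app):
        s.close()
    return results


if __name__ == "__main__":
    print(demo())
```

Two practical caveats that the thread only touches on: `-g` binds 0.0.0.0, which exposes A's port to every host that can reach any interface of S, so binding a single interface (`-L 11.11.11.4:4444:22.22.22.5:5555`) or adding a host firewall rule is the tighter option, and the listener puts nothing (no authentication, no TLS) in front of A that A does not provide itself. For a forwarder that should survive without an interactive session on S, `ssh -N -f` (no remote command, go to background) is the usual form; the connection still dies with the ssh process, so a supervisor such as autossh or a systemd unit is what keeps it up.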