I created a reverse tunnel from Server to Endpoint using the command:

ssh -R 127.0.0.1:4000:localhost:81 user@server.domain

The tunnel was created on the Endpoint side and it leads from Server port 4000 to Endpoint port 81. There is a service listening on this port, but this is not important. I did this because the Endpoint is behind NAT and I needed to get access to it from outside.

I wonder if I can get the IP of the Endpoint on the Server side. There was a similar question:

How to find the IP of the source of an SSH reverse tunnel?

but my case is specific. I don't want to enter commands manually because there will be many reverse tunnels to the Server, and I can use only the port which the Endpoint is bound to.

In other words: how can I get the tunnel IP of the Endpoint side using only port 4000 on the Server side? I'm not able to find any correlation between port 4000 on the Server and the SSH connection established for the tunnel.

netstat -plant (on the Server) shows:

tcp        0      0 127.0.0.1:4000          0.0.0.0:*               LISTEN      30307/sshd: user
tcp        0      0 8.8.8.8:22              1.2.3.4:44874           ESTABLISHED 12531/sshd: user
tcp        0      0 8.8.8.8:22              15.16.17.18:44258       ESTABLISHED 30203/sshd: user
tcp        0      0 8.8.8.8:22              22.22.22.22:46696       ESTABLISHED 15639/sshd: user

As you can see there is a service listening on port 4000 (this port is forwarded to Endpoint port 81 - which is not visible here) and three ssh connections. One of them serves the tunnel. But I don't know which one. 8.8.8.8 is the IP of the Server.

Kolibra

1 Answer

Taking the process id of ssh from the netstat,

lsof -p $pid -a -d 3

will show the IP of the other end of the connection. As ssh can be hopped, this might not be the final location.

danblack
  • Yes, it shows me the tunnel ssh connection. But can you explain to me what -d 3 stands for? I know it's a file descriptor, but what does the third (3) descriptor mean? – Kolibra Nov 05 '18 at 11:28
  • It just happens to be what the sshd child process inherits as the active connection from its parent when it forks off. – danblack Nov 05 '18 at 21:18
  • OK, thanks. Just to expand your answer a little, there is an option **-n** which changes domain names into IP addresses. Would you, please, expand your answer? Cheers. – Kolibra Nov 07 '18 at 08:34
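
The lookup described in the answer above, scripted so that only the listen port is needed (an added example, not part of the original answer or comments). The function names listener_pid, peer_from_lsof and tunnel_peer are hypothetical; it assumes root privileges to inspect another user's sshd and that descriptor 3 is the client connection, as the answer observes.

```shell
#!/bin/sh
# Added example: resolve a reverse-tunnel listen port to the SSH client IP.
# Function names are hypothetical. Reading another user's sshd needs root.

# Read `netstat -plnt` output on stdin; print the PID listening on port $1.
listener_pid() {
    awk -v port="$1" '
        $6 == "LISTEN" && $4 ~ (":" port "$") {
            split($7, owner, "/")      # "30307/sshd:" -> "30307"
            print owner[1]
            exit
        }'
}

# Read `lsof -Fn` field output on stdin; print the remote IP of the first
# "local:port->remote:port" name line (IPv6 brackets are stripped).
peer_from_lsof() {
    sed -n 's/^n.*->\(.*\):[0-9][0-9]*.*$/\1/p' | head -n 1 | tr -d '[]'
}

# Live lookup. fd 3 is the client connection per the answer above; that is
# an observed sshd behaviour, not a guarantee, so an empty result is an error.
tunnel_peer() {
    pid=$(netstat -plnt 2>/dev/null | listener_pid "$1")
    [ -n "$pid" ] || { echo "no listener on port $1" >&2; return 1; }
    peer=$(lsof -nP -a -p "$pid" -d 3 -Fn 2>/dev/null | peer_from_lsof)
    [ -n "$peer" ] || { echo "fd 3 of PID $pid is not a TCP peer" >&2; return 1; }
    printf '%s\n' "$peer"
}

# Listener line as shown in the question.
SAMPLE_NETSTAT='tcp        0      0 127.0.0.1:4000          0.0.0.0:*               LISTEN      30307/sshd: user'

# Constructed lsof -Fn output (documentation addresses, not from the page).
SAMPLE_LSOF='p30307
f3
n198.51.100.10:22->203.0.113.7:44258'
```

After sourcing the file on the Server, `tunnel_peer 4000` prints the peer address for the tunnel bound to port 4000; as the answer notes, that address may be an intermediate hop and not the final Endpoint.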