Mark

Reputation: 1417

Forward access to website behind firewall using SSH tunneling

I found a similar scenario in this topic, but it refers to SSH, and I need to forward access to a web server.

What it looks like right now:

[ private server ] - behind router and firewall, access via public ip unavailable

[ middle server ] - public ip, ports open

[ user ] - connecting via web browser to middle server, wants to get website from private server

What I've already done:

ssh -N -R 8888:localhost:80 root@[middle server ip]

Now I can access the private server from the middle server, e.g. via:

curl http://localhost:8888

So the tunnel is working ok.

The problem is, when I (as user) enter [middle server ip]:8888, all I receive is ERR_CONNECTION_REFUSED

What am I missing? Some kind of port redirection? Any help would be appreciated!

Upvotes: 2

Views: 2018

Answers (1)

Jakuje

Reputation: 25966

This behavior is controlled by the GatewayPorts option (off by default). From the manual page for ssh_config:

GatewayPorts

Specifies whether remote hosts are allowed to connect to ports forwarded for the client. By default, sshd(8) binds remote port forwardings to the loopback address. This prevents other remote hosts from connecting to forwarded ports. GatewayPorts can be used to specify that sshd should allow remote port forwardings to bind to non-loopback addresses, thus allowing other hosts to connect. The argument may be “no” to force remote port forwardings to be available to the local host only, “yes” to force remote port forwardings to bind to the wildcard address, or “clientspecified” to allow the client to select the address to which the forwarding is bound. The default is “no”.

You also need to put

GatewayPorts yes

to your sshd_config, and specify the local address explicitly:

ssh -N -R [middle server ip]:8888:localhost:80 root@[middle server ip]

or

ssh -N -R *:8888:localhost:80 root@[middle server ip]

Upvotes: 1
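
Added example, not part of the original question or answer: a small Python model of the GatewayPorts rules in the manual text quoted above, showing for each sshd setting and `-R` argument whether the forwarded port listens on loopback only or is reachable by other hosts. The function names are hypothetical and 203.0.113.10 is a constructed stand-in for the middle server's address.

```python
import ipaddress

LOOPBACK, WILDCARD = "loopback only", "all interfaces"

def split_remote_forward(spec):
    """Return (bind_address or None, listen_port) for an ssh -R argument of
    the form [bind_address:]port:host:hostport. Assumes the destination host
    is a name or IPv4 address; an IPv6 bind address must be bracketed."""
    if spec.startswith("["):
        bind, sep, rest = spec[1:].partition("]:")
        fields = rest.split(":")
        if not sep or len(fields) != 3:
            raise ValueError(f"bad -R spec: {spec!r}")
        return bind, int(fields[0])
    fields = spec.split(":")
    if len(fields) == 3:
        return None, int(fields[0])
    if len(fields) == 4:
        return fields[0], int(fields[1])
    raise ValueError(f"bad -R spec: {spec!r}")

def effective_bind(gateway_ports, spec):
    """Return (listen scope, port) sshd uses for a remote forward."""
    bind, port = split_remote_forward(spec)
    mode = gateway_ports.strip().lower()
    if mode == "no":                      # default: always loopback
        return LOOPBACK, port
    if mode == "yes":                     # forced wildcard, client address ignored
        return WILDCARD, port
    if mode != "clientspecified":
        raise ValueError(f"bad GatewayPorts value: {gateway_ports!r}")
    if bind is None or bind == "localhost":
        return LOOPBACK, port             # no address requested by the client
    if bind in ("", "*"):
        return WILDCARD, port
    try:
        ip = ipaddress.ip_address(bind)
    except ValueError:
        return bind, port                 # a hostname chosen by the client
    if ip.is_loopback:
        return LOOPBACK, port
    return (WILDCARD if ip.is_unspecified else bind), port

def exposed_to_other_hosts(gateway_ports, spec):
    return effective_bind(gateway_ports, spec)[0] != LOOPBACK

if __name__ == "__main__":
    # Constructed inputs: 203.0.113.10 stands in for the middle server's address.
    for mode in ("no", "yes", "clientspecified"):
        for spec in ("8888:localhost:80", "*:8888:localhost:80",
                     "203.0.113.10:8888:localhost:80"):
            print(f"GatewayPorts {mode:<15} -R {spec:<31} -> {effective_bind(mode, spec)[0]}")
```

With the default "no", every form of the `-R` argument stays on loopback, which matches the ERR_CONNECTION_REFUSED seen from the browser. "clientspecified" with an explicit address limits the listener to that one address instead of every interface.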
