Reverse/Forward SSH
Reverse/Forward SSH allows you to bind a port on a host reachable by the local host to a port on the remote host, or to bind a port on a host reachable by the remote host to a port on the local host. All communication done on one side automatically reaches the other side through an SSH-encrypted tunnel.
Note: only the superuser can forward privileged ports (below 1024).
Common options
With these commands, some ssh options are commonly used:
- -T: do not create a pseudo-tty. We only need a tunnel, so this saves resources.
- -N: do not execute a remote command. We only need a tunnel, so this saves resources.
- -f: background the ssh process after the tunnel is created, so we get the tty back.
Reverse ssh
Bind a remote port to a local-side host and port. When a connection is made on the remote port, it is forwarded to the local host, which then makes the connection to the local-side host.
ssh -TNf -R [{bind address}:]{remote port}:{local-side host}:{port on local-side host} username@{remote machine}
- {bind address}: optional address on which to listen on the remote host. Defaults to 127.0.0.1.
- {remote port}: the port on which to listen on the remote host.
- {local-side host}:{port on local-side host}: the host and port to which the connection will be forwarded.
- {remote machine}: the remote host.
Forward ssh
Bind a local port to a remote-side host and port. When a connection is made on the local port, it is forwarded to the remote host, which then makes the connection to the remote-side host.
ssh -TNf -L [{bind address}:]{local port}:{remote-side host}:{port on remote-side host} username@{remote machine}
- {bind address}: optional address on which to listen on the local host. Defaults to 127.0.0.1.
- {local port}: the port on which to listen on the local host.
- {remote-side host}:{port on remote-side host}: the host and port to which the connection will be forwarded.
- {remote machine}: the remote host.
SOCKS proxy
The ssh client can act locally as a SOCKS proxy (a proxy protocol widely supported by browsers and other clients for HTTP and other TCP traffic).
ssh -TNf -D [{bind address}:]{local port} {username}@{remote machine}
- {bind address}: optional address on which to listen on the local host.
- {local port}: the port on which to listen on the local host.
- {username}@{remote machine}: the usual username/host pair for an ssh connection.
Keep connection open: autossh
After a while, ssh connections close automatically. This can be delayed by setting certain options on the server, but it will eventually happen. To keep a tunnel alive, you can use autossh: it launches an ssh process and restarts it when it dies.
- Set up an ssh key for automatic connection.
- apt install autossh on the machine that will start the communication.
- Launch an ssh command replacing ssh by autossh. Only difference: the -f flag must be specified before the other options and separately, because autossh handles it instead of the ssh process.
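As an added example (not from the original page), a small POSIX sh helper that assembles the reverse, forward and SOCKS command lines described in the sections above and applies the autossh rule that -f goes first and on its own; the function name tunnel_cmd and the sample hosts are assumptions.

```shell
#!/bin/sh
# Assumed helper (not from the original page): build the ssh/autossh command
# line for the three tunnel modes, applying the rules from the text:
#  - -R / -L take [bind:]port:host:port, -D takes [bind:]port
#  - the bind address is optional and defaults to 127.0.0.1 when omitted
#  - with autossh, -f must come first and separately from the other options
#  - ports below 1024 are privileged and need the superuser (warn on stderr)
#
# usage: tunnel_cmd MODE LISTEN_PORT TARGET_HOST TARGET_PORT USER@REMOTE [BIND] [autossh]
#   MODE: reverse (-R), forward (-L) or socks (-D; pass "-" for TARGET_*)
tunnel_cmd() {
    mode=$1; lport=$2; thost=$3; tport=$4; dest=$5; bind=$6; launcher=${7:-ssh}

    case $mode in
        reverse) flag=-R ;;
        forward) flag=-L ;;
        socks)   flag=-D ;;
        *) echo "tunnel_cmd: unknown mode '$mode'" >&2; return 2 ;;
    esac

    # The listening port must be numeric; privileged ports only work as root.
    case $lport in
        ''|*[!0-9]*) echo "tunnel_cmd: bad port '$lport'" >&2; return 2 ;;
    esac
    if [ "$lport" -lt 1024 ]; then
        echo "tunnel_cmd: warning: port $lport is privileged, run as superuser" >&2
    fi

    # Optional bind address is prepended with a colon separator when given;
    # leaving it out keeps ssh's default of 127.0.0.1.
    spec=$lport
    if [ -n "$bind" ]; then
        spec="$bind:$lport"
    fi
    # -R and -L also need the host:port the connection is forwarded to.
    if [ "$mode" != socks ]; then
        spec="$spec:$thost:$tport"
    fi

    if [ "$launcher" = autossh ]; then
        # autossh does the backgrounding itself: -f first, apart from -TN.
        echo "autossh -f -TN $flag $spec $dest"
    else
        echo "ssh -TNf $flag $spec $dest"
    fi
}
```

Run the printed command with eval, or pipe it into a service unit or cron entry, once the ssh key from the previous step is in place.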
Listen on an address other than 127.0.0.1
By default the socket created to listen for incoming connections (in both forward and reverse mode) is bound to 127.0.0.1 as a security measure. If you want to bind to a different address (e.g. '*'), you need to:
- Edit /etc/ssh/sshd_config on the host on which you want to allow the binding:
  - Set GatewayPorts yes
  - Set