Forward SSH from some port to some other machine

[starbuck]

I have a Mac OS X Server running as a gateway/proxy for several machines behind it. I would like to be able to do this:

Code:

ssh user@gateway -p 2205

...and get forwarded to some other machine (behind the gateway/proxy) at user@10.0.0.105:22 or whatever. How can I do this?

I did some digging on google and it looks like I need to use the -L flag with the ssh command on the gateway machine. Wasn't really working for me though. Any suggestions?

Essentially I want to give a user ssh access to a machine behind the gateway.

[vermaden]

short:
# ssh -D 4567 -l user 10.0.0.105

long:
From gateway machine run that command to the box that you want to be visible outside at 4567 port. After that if you will ssh to gateway:4567 you will be really connecting to 10.0.0.105:22.

[starbuck]

Quote:

Originally Posted by vermaden

short:
# ssh -D 4567 -l user 10.0.0.105

long:
From gateway machine run that command to the box that you want to be visible outside at 4567 port. After that if you will ssh to gateway:4567 you will be really connecting to 10.0.0.105:22.

Thanks I'll give that a whirl!

[starbuck]

Quote:

Originally Posted by vermaden

short:
# ssh -D 4567 -l user 10.0.0.105

long:
From gateway machine run that command to the box that you want to be visible outside at 4567 port. After that if you will ssh to gateway:4567 you will be really connecting to 10.0.0.105:22.

I did what you said and now when I try to ssh to the gateway machine on that port I get this error:

Code:

$ ssh gateway:2205
ssh: gateway:2205: Name or service not known

[anomie]

You'll want to use the same syntax you did in your first post.

[vermaden]

Quote:

Originally Posted by starbuck

Code:

$ ssh gateway:2205

use that syntax:

Code:

$ ssh gateway -p 2205

[starbuck]

Quote:

Originally Posted by anomie

You'll want to use the same syntax you did in your first post.

Wow, I'm totally not with it today. Ok, so now I'm getting a "Connection refused" error. I have a feeling that the firewall is blocking port 2205. I spent some time fiddling with the Mac OS X Server firewall but had no luck. Any ideas?

Also, will this solution be persistent?

[vermaden]

If you want to make this permanent and you are alread using a firewall then it would be better to just user firewall for that port forwarding.

[starbuck]

Quote:

Originally Posted by vermaden

If you want to make this permanent and you are alread using a firewall then it would be better to just user firewall for that port forwarding.

Hrm... Ok, I fiddled with that a bit already, but didn't have any luck. I guess I'll be diving into the documentation for the OS X firewall. Thanks for all your help everyone.

[robbak]

$ ssh user@gateway -p 2205 -L 8080:10.0.0.61:80

That will open port 8080 on your local machine, and forward any packets that hit it to port 80 on machine 10.0.0.61 on the remote network. (My man page specifies a capital L). Specify localhost (127.0.0.1) if you want the remote server itself to receive the packets.

-R does the same thing in reverse: Opens the port on the remote end and forwards packets back to your network.

[starbuck]

Finally found a solution, Apple doesn't make this easy...

In order to do this you'll need to edit the natd.plist file on your Mac OS X Server machine. It is located at:

Code:

/etc/nat/natd.plist

This is an XML file. You'll want to add the following code block just before the closing array and dict tags.

Code:

     <key>redirect_port</key>
        <array>
                <dict>
                        <key>aliasIP</key>
                        <string>INCOMING IP</string>
                        <key>aliasPortRange</key>
                        <string>INCOMING PORT</string>
                        <key>proto</key>
                        <string>tcp</string>
                        <key>targetIP</key>
                        <string>OUTGOING IP</string>
                        <key>targetPortRange</key>
                        <string>OUTGOING PORT</string>
                </dict>
                <dict>
                        <key>aliasIP</key>
                        <string>INCOMING IP</string>
                        <key>aliasPortRange</key>
                        <string>INCOMING PORT</string>
                        <key>proto</key>
                        <string>tcp</string>
                        <key>targetIP</key>
                        <string>OUTGOING IP</string>
                        <key>targetPortRange</key>
                        <string>OUTGOING PORT</string>
                </dict>
        </array>

You'll only want to change the string blocks, do not change anything within a key block.

Add as many dict blocks as you need to accommodate your redirect rules. After you have made the necessary changes simply restart NAT and voila, you're done!

Additional info:

Apple
CyBeRHQ.nl