Introduction
This procedure describes how to SSH into a machine that is hidden behind a masquerader (a NAT gateway) when no specific routing exists to allow it (e.g. no iptables port-forwarding rule or designated DMZ host). Typical cases are a Linux box on a home LAN behind another Linux box with a PPP connection to the internet, or a Linux box on a home LAN behind a WLAN router/modem/firewall with a DSL connection to the internet.
Procedure
- Designate:
  <hidden-host> is the hidden machine into which you want to SSH (this is probably your home PC, possibly behind a WLAN router/modem/firewall on which you do not have root access).
  <funnel-host> is a directly reachable machine which can be made to listen on a high-numbered port <funnel-port> (this is some other machine on which you have an account).
  If <funnel-host>:<funnel-port> is firewalled but <funnel-host>:22 is open, then <funnel2-host> is another machine which can be made to listen on a high-numbered port <funnel2-port> and which can directly reach <funnel-host>.
- From <hidden-host>, run:
  # tunnel <funnel-host>:<funnel-port> --> <hidden-host>:22
  ssh -gfNnR <funnel-port>:localhost:22 <funnel-host>
  If <funnel-host>:<funnel-port> is not firewalled, you do not need to complete the rest of this procedure; you can SSH into <hidden-host> with:
  ssh -p <funnel-port> <funnel-host>
  (If <funnel-host>:<funnel-port> is firewalled, run the tunnelling ssh command without the '-g' option.)
- From <funnel2-host>, run:
  # tunnel <funnel2-host>:<funnel2-port> --> <funnel-host>:<funnel-port>
  ssh -gfNnL <funnel2-port>:localhost:<funnel-port> <funnel-host>
  You can now SSH into <hidden-host> with:
  ssh -p <funnel2-port> <funnel2-host>
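The procedure above as an added example that is not from the original page: a bash watchdog that keeps the reverse tunnel from <hidden-host> up and a probe that checks the funnel port really answers with an SSH banner. Host names are the procedure's placeholders; the port numbers 2222/2223, the EXPOSE switch and the function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original how-to). Keeps the <hidden-host> -> <funnel-host>
# reverse tunnel alive and verifies that the tunnel entry point leads to an sshd.

FUNNEL_HOST="${FUNNEL_HOST:-funnel-host}"    # <funnel-host>
FUNNEL_PORT="${FUNNEL_PORT:-2222}"           # <funnel-port>, assumed value
FUNNEL2_PORT="${FUNNEL2_PORT:-2223}"         # <funnel2-port>, assumed value
LOCAL_PORT="${LOCAL_PORT:-22}"               # sshd on <hidden-host>
EXPOSE="${EXPOSE:-no}"                       # yes = listener reachable from other hosts

# The -R specification. For a reverse forward the bind address is decided by sshd's
# GatewayPorts setting on <funnel-host> (the client's -g flag only affects -L/-D);
# "*:" asks for a public listener, which sshd honours only with
# "GatewayPorts yes|clientspecified". Defaulting to localhost keeps the hidden
# host's sshd off the funnel host's public interface unless you opt in.
reverse_spec() {
  local bind
  if [ "$EXPOSE" = yes ]; then bind='*'; else bind=localhost; fi
  printf '%s:%s:localhost:%s\n' "$bind" "$FUNNEL_PORT" "$LOCAL_PORT"
}

# Foreground tunnel (no -f) so the watchdog sees it exit. ExitOnForwardFailure makes
# ssh quit if <funnel-port> is already in use instead of holding a dead forward;
# ServerAlive* detect a silently dropped PPP/DSL link.
run_tunnel() {
  ssh -N -n -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 \
      -o ServerAliveCountMax=3 -R "$(reverse_spec)" "$FUNNEL_HOST"
}
keep_tunnel() { while :; do run_tunnel; sleep 15; done; }

# Second hop (run on <funnel2-host>): local forward to <funnel-host>:<funnel-port>.
# Here -g is what opens <funnel2-port> to other hosts.
run_hop2() {
  ssh -g -N -n -o ExitOnForwardFailure=yes \
      -L "${FUNNEL2_PORT}:localhost:${FUNNEL_PORT}" "$FUNNEL_HOST"
}

# An SSH server greets with "SSH-2.0-..." (SSH-1.99 for compatibility servers);
# anything else means the port listens but the forward does not land on sshd.
is_ssh_banner() {
  case "$1" in SSH-2.0-*|SSH-1.99-*) return 0 ;; *) return 1 ;; esac
}

# Read the banner through the tunnel entry point (bash /dev/tcp, 5 s timeout).
probe_tunnel() {   # usage: probe_tunnel <host> <port>
  local line
  { read -r -t 5 line; } 2>/dev/null < "/dev/tcp/$1/$2" || return 1
  is_ssh_banner "$line"
}

if [ "${RUN_TUNNEL:-0}" = 1 ]; then keep_tunnel; fi
```

Run `RUN_TUNNEL=1 ./tunnel.sh` on <hidden-host>, then `probe_tunnel funnel-host 2222` from <funnel-host> (or from anywhere once EXPOSE=yes and GatewayPorts are set) confirms the forward ends at an sshd.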
- There is no reason to restrict this to port 22: change port number 22 to 80 and use a web browser instead of ssh as the client that enters the tunnel!
