SSH tunnel between 2 machines that can only ssh to a 3rd machine, but not directly to one another

Question

There are 3 machines in my setup:

M1     M2     M3

I need to open an SSH shell on M1 controlling M3.
Both M1 and M3 are behind different firewalls, and can't reach one another directly.
Both M1 and M3 can reach (and connect via ssh) to M2. But not the other way around - M2 can't reach M1 or M3.

Can I use M2 to create a tunnel from M1 to M3?

M1 --> M2 <-- M3
 \____________^

Does this help (reverse ssh tunnel might be what you're looking for)? — einfeyn496, Jul 28 '20 at 08:12
Right, you'd need to have the reverse tunnel set up from M3 to M2 (as per the answer from @Sagar), and then you could use the usual tricks of proxy jumping (albeit with the modified port for the last step) — einfeyn496, Jul 28 '20 at 08:39
Explore socks proxy. This way you will get smooth vpn like experience (better than port forwarding) — Sagar, Jul 28 '20 at 08:52

Sagar · Accepted Answer · 2020-07-28T09:02:11.467

2

from M3

ssh -R localhost:2602:localhost:22 user@M2

from M1

ssh -L localhost:2602:localhost:2602 user@M2

Now you can connect directly to M3 from M1 (here localhost actually means M3)

ssh user@localhost -p 2602

edited Jul 28 '20 at 09:02

answered Jul 28 '20 at 08:25

Sagar

438

btw you can also do the socks proxy instead of port forwarding and that will let you connect to M3 from M1 like ssh user@M3 instead of user@localhost and then exclusively mentioning port number – Sagar Jul 28 '20 at 08:27
This worked! And I didn't need the first line ("from M1") – Michael Litvin Jul 28 '20 at 08:59
Oh yeah right. Haha my bad. I forgot that. – Sagar Jul 28 '20 at 09:01

Stewart · Answer 2 · 2020-07-28T08:37:09.857

1

I use -J (I remember it as "Jump") to do this.

M1 -> M3 (via M2):

ssh -J M2 M3

scp also supports something similar:

scp --ProxyJump=M2 localfile M3:remotefile

I think it's easiest to explain with IPs:

M1 = 192.168.1.100
M2 = 192.168.1.101 & 10.10.1.200
M3 = 10.10.1.201

M1 can't access 10.10.1.x so it has to go through M2 which accesses both networks. Let's say you also have different users on each machine for extra complexity. To SSH from M1 to M3:

m1user@192.168.1.100: ~ $ ssh -J m2user@192.168.1.101 m3user@10.10.1.201

or to get remotefile from M3 onto M1:

scp --ProxyJump=m2user@192.168.1.101 m3user@10.10.1.201:remotefile localfile

edited Jul 28 '20 at 08:37

answered Jul 28 '20 at 08:32

Stewart

13,677

Does this work if M3 and M1 both block incoming connections from M2 (as per OP requirements)? The proxy jump only works if you can make the connection from the intermediary to the destination, no? – einfeyn496 Jul 28 '20 at 08:36
Ah, no. I didn't notice that. This is the same as sshing into M2, then sshing from M2 to M3. If M2 can't ssh into M3, this doesn't work. – Stewart Jul 28 '20 at 08:38

SSH tunnel between 2 machines that can only ssh to a 3rd machine, but not directly to one another

2 Answers2