[GLLUG] ssh local port forwarding remote interface binding.

Tim Woodall t at woodall.me.uk
Thu Jan 14 12:52:16 UTC 2021

Sent this from the wrong email address and I guess it got filtered out.
Apologies if it's a duplicate.

On Thu, 14 Jan 2021, James Courtier-Dutton wrote:

> On Thu, 14 Jan 2021 at 07:30, Tim Woodall via GLLUG
> <gllug at mailman.lug.org.uk> wrote:
>> Hi all,
>> In
>> ssh -N -L 8080:webserver:80 gateway
>> Is there any way to specify which interface should be bound on gateway
>> other than by changing the routing table on gateway?
>> Google isn't helping much as everything is talking about bind address
>> that the forwarded connection _listens_ on and I don't care about that,
> Hi,
> Lets have:
> A = the client PC you are ssh from.
> B = gateway
> C = webserver.
> The above will open a port 8080 on A, listening on
> When you connect to port 8080 on A, the session is tunnelled through
> the ssh port 22 session.
> B then opens a tcp session from B:anyport -> C:80
> Does this help answer your question?

Unfortuantely not, here's the problem:

tim at B $ telnet C 80
Trying C...
Connection timed out
telnet: connect to address C: Connection timed out

tim at B $ telnet -b bind_ip1 C 80
Trying C...
Connected to C.
Escape character is '^]'

tim at B $ telnet -b bind_ip2 C 80
Trying C...
Connected to C.
Escape character is '^]'

I can change the routing table so that a working interface is chosen
except that I actually have multiple possible routes so I want to be
able to chose the interface at the point of setting up the forwarding
depending on which core ssh will be bound to. Part of the reason for
requiring the interface to be chosen is to avoid mindlessly depending on
the one configured in the kernel rather than thinking about which
interface to use.

I cannot see any way to specify bind_ip to ssh. Everything I can find
talks about -L <bind_ip>:8080:C:80 - but that's not my problem, it's the
binding on the B->C hop that I need to configure.

At the moment I'm running a socat on B. So I have (approx)
ssh -L 8080:localhost:8080 'socat TCP-LISTEN:8080 TCP:C:80,bind=bind_ip1' B

but apart from running an extra process on B, I need to pick an unused
port for the localhost hop - so I cannot run an identical command from
two different source machines.

I'm hoping there's some magic I can put in .ssh/config (on either/both
of A and B) to make this work without the socat (or a commandline option
although I've pored though the man page and I don't think there's


More information about the GLLUG mailing list