SSH Hacks : Bypassing NAT with client to client SSH connections

Posted: December 19, 2011 in Guides
Tags: , ,

Okay, well I know it’s been entirely too long since I’ve written anything here, and for those of you who know me personally you know I’ve had a very hectic schedule of late. Sorry for the delay in posting, also the Ubuntu 12.04 LTS desktop and server security guides have been delayed. I’m hoping to have at least one of them up after the holidays, but no promises.

So to tithe you over for a little bit, and to get a new post up here, I’m going to discuss something that a lot of people ask about on Ubuntu Forums. It is against Ubuntu forums policy to instruct people how to bypass the security of a network they do not own. This however, is my personal blog and I will instruct whatever I want ๐Ÿ˜› That being said, if you do this at work and get fired it’s your fault, most sysadmins will frown on this, and yes they will catch you.

This is not really a new trick, but it will bypass NAT and allow you to have an always on SSH connection to an endpoint behind a NAT router (with no ports forwarded).

This requires three systems. The endpoint (which is behind the firewall), the middleman, which is a machine you control somewhere on the internet, and the machine you want to ssh from (presumably your home machine or another system that you control).

Note : For the purposes of this guide the following IP’s are used as a point of reference.

Middleman :
Endpoint Behind Firewall :
Machine that you’re SSH’ing from :

So here we go.

Setting up the Middle Man

First things first, we need to install to install an openssh-server on our middleman and configure it as a gateway.

Note : This is done on Ubuntu, change commands appropriately for your operating environment.

sudo apt-get install openssh-server

Now we want to edit /etc/ssh/sshd_config and add the following lines.

GatewayPorts Yes
TCPKeepAlive Yes

This will keep our connections alive and allow us to tunnel through this system.

Creating a Reverse Connection From the Endpoint

Now on the endpoint machine (the one behind the firewall) we will create a reverse connection to our middleman server. This will bypass our firewall. We can automate this process by creating a cron job. However, if we do this we must use passwordless login with keys. I’m lazy so I didn’t generate keys here.

ssh -R 31337:localhost:22 dangertux@

What this does is create a reverse connection and tunnel to

Connect From Your Machine

Now we connect to the middleman server from our machine.

ssh -p 31337 dangertux@

Note: the password you are prompted for will be the password of the user on the machine behind the firewall.

There you go, an always on SSH client โ€“ client connection that bypasses NAT routing. Again, a friendly warning, a sysop will not take DT told me to as an excuse, besides I didn’t tell you to, I told you how ๐Ÿ˜‰

  1. Carlos says:

    Excellent post as always Adam. I cant wait to see your Ubuntu 12.04 deskto/server guide. Btw, would you be interested in doing a guide on subnetting a network for security purpose?


    • dangertux says:

      I really should… Especially as it would tie in with this very well. I’ll definitely keep it in the list of topics I want to write about. However — as I stated I have a pretty hectic schedule lately, so I may not get around to it until well after the New Year.

      Thanks for the idea Carlos

      • Carlos says:

        I will be patiently waiting :). Merry Chrismas and thank you for your wonderfull tutorial. Hope you and your family have a blessed day and see many more.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s