Bind SSH client to two different host addresses

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;








0















I have this port forwarding solution for testing purposes. There is a distant server named box and a local machine named tower, on two separate networks. box is accessible through the internet.



On tower, I run the following command:



ssh -R 80:localhost:80 box.sleblanc


This connects to box and setups a socket on port 80 that will access a web service on tower, port 80. When a connection is established with box:80, I find that it appears to the web service in the logs as coming from 127.0.0.1. I find this annoying as I cannot reliably distinguish between the connections that are legitimately from my localhost as opposed to those that come from via the proxy.



By setting the BindAddress option to something different (e.g. 192.168.0.100) the connections to the proxy actually show up as that address instead, which solves my problem, but it forces my service to run on a network address other than localhost.



I found that running curl --interface 127.0.0.2 localhost:80 will produce requests from the IP address 127.0.0.2, which fulfills my requirement of being able to distinguish between legitimately local requests versus proxied requests, however, when setting BindAddress to 127.0.0.2, SSH can no longer reach box, as the 127.0.0.0/8 network is not routeable.



Ultimately, my question is: how can I bind the SSH client to multiple different addresses, so that the client can connect to an Internet host while the remote port redirection will come from an unrouteable address other than 127.0.0.1? That is, strictly bind connections to the remote forwarded port to the local address 127.0.0.2?




Toying with socat, I discovered this solution:



% socat TCP4-Listen:1234,fork TCP:127.0.0.1:80,bind=127.0.0.2 &
% ssh -R 80:127.0.0.1:1234 box.sleblanc


This sets up a socket on that listens to incoming connections on port 1234 and forwards them to 127.0.0.1:80 by binding to the local address 127.0.0.2. It works exactly as intended, but I am wondering if there is a way to streamline this into the SSH command.










share|improve this question






















  • You would need ssh to bind on a specified interface when creating the local sockets for -R, but I see no way to specify this in man ssh. So if you want to do this with ssh only, you'll likely have to modify the code to provide this option (and submit a patch). You can also connect the remote box to your local box with a different kind of tunnel which preserves IP addresses.

    – dirkt
    Mar 16 at 19:47











  • On a Linux system, this hack (on tower) will "fix" ssh: iptables -t nat -I POSTROUTING -s 127.0.0.1 -d 127.0.0.2 -j SNAT --to-source 127.0.0.2

    – A.B
    Mar 16 at 22:49












  • @A.B, interesting. This rewrites packets addressed to 127.0.0.2 so that they show up as coming from 127.0.0.2 instead of 127.0.0.1, is that so?

    – sleblanc
    Mar 16 at 23:39











  • yes. even tested it (using.. socat with -d -d of course) before commenting. But your question doesn't specify the OS

    – A.B
    Mar 16 at 23:41











  • GNU plus Linux.

    – sleblanc
    Mar 17 at 2:25

















0















I have this port forwarding solution for testing purposes. There is a distant server named box and a local machine named tower, on two separate networks. box is accessible through the internet.



On tower, I run the following command:



ssh -R 80:localhost:80 box.sleblanc


This connects to box and setups a socket on port 80 that will access a web service on tower, port 80. When a connection is established with box:80, I find that it appears to the web service in the logs as coming from 127.0.0.1. I find this annoying as I cannot reliably distinguish between the connections that are legitimately from my localhost as opposed to those that come from via the proxy.



By setting the BindAddress option to something different (e.g. 192.168.0.100) the connections to the proxy actually show up as that address instead, which solves my problem, but it forces my service to run on a network address other than localhost.



I found that running curl --interface 127.0.0.2 localhost:80 will produce requests from the IP address 127.0.0.2, which fulfills my requirement of being able to distinguish between legitimately local requests versus proxied requests, however, when setting BindAddress to 127.0.0.2, SSH can no longer reach box, as the 127.0.0.0/8 network is not routeable.



Ultimately, my question is: how can I bind the SSH client to multiple different addresses, so that the client can connect to an Internet host while the remote port redirection will come from an unrouteable address other than 127.0.0.1? That is, strictly bind connections to the remote forwarded port to the local address 127.0.0.2?




Toying with socat, I discovered this solution:



% socat TCP4-Listen:1234,fork TCP:127.0.0.1:80,bind=127.0.0.2 &
% ssh -R 80:127.0.0.1:1234 box.sleblanc


This sets up a socket on that listens to incoming connections on port 1234 and forwards them to 127.0.0.1:80 by binding to the local address 127.0.0.2. It works exactly as intended, but I am wondering if there is a way to streamline this into the SSH command.










share|improve this question






















  • You would need ssh to bind on a specified interface when creating the local sockets for -R, but I see no way to specify this in man ssh. So if you want to do this with ssh only, you'll likely have to modify the code to provide this option (and submit a patch). You can also connect the remote box to your local box with a different kind of tunnel which preserves IP addresses.

    – dirkt
    Mar 16 at 19:47











  • On a Linux system, this hack (on tower) will "fix" ssh: iptables -t nat -I POSTROUTING -s 127.0.0.1 -d 127.0.0.2 -j SNAT --to-source 127.0.0.2

    – A.B
    Mar 16 at 22:49












  • @A.B, interesting. This rewrites packets addressed to 127.0.0.2 so that they show up as coming from 127.0.0.2 instead of 127.0.0.1, is that so?

    – sleblanc
    Mar 16 at 23:39











  • yes. even tested it (using.. socat with -d -d of course) before commenting. But your question doesn't specify the OS

    – A.B
    Mar 16 at 23:41











  • GNU plus Linux.

    – sleblanc
    Mar 17 at 2:25













0












0








0








I have this port forwarding solution for testing purposes. There is a distant server named box and a local machine named tower, on two separate networks. box is accessible through the internet.



On tower, I run the following command:



ssh -R 80:localhost:80 box.sleblanc


This connects to box and setups a socket on port 80 that will access a web service on tower, port 80. When a connection is established with box:80, I find that it appears to the web service in the logs as coming from 127.0.0.1. I find this annoying as I cannot reliably distinguish between the connections that are legitimately from my localhost as opposed to those that come from via the proxy.



By setting the BindAddress option to something different (e.g. 192.168.0.100) the connections to the proxy actually show up as that address instead, which solves my problem, but it forces my service to run on a network address other than localhost.



I found that running curl --interface 127.0.0.2 localhost:80 will produce requests from the IP address 127.0.0.2, which fulfills my requirement of being able to distinguish between legitimately local requests versus proxied requests, however, when setting BindAddress to 127.0.0.2, SSH can no longer reach box, as the 127.0.0.0/8 network is not routeable.



Ultimately, my question is: how can I bind the SSH client to multiple different addresses, so that the client can connect to an Internet host while the remote port redirection will come from an unrouteable address other than 127.0.0.1? That is, strictly bind connections to the remote forwarded port to the local address 127.0.0.2?




Toying with socat, I discovered this solution:



% socat TCP4-Listen:1234,fork TCP:127.0.0.1:80,bind=127.0.0.2 &
% ssh -R 80:127.0.0.1:1234 box.sleblanc


This sets up a socket on that listens to incoming connections on port 1234 and forwards them to 127.0.0.1:80 by binding to the local address 127.0.0.2. It works exactly as intended, but I am wondering if there is a way to streamline this into the SSH command.










share|improve this question














I have this port forwarding solution for testing purposes. There is a distant server named box and a local machine named tower, on two separate networks. box is accessible through the internet.



On tower, I run the following command:



ssh -R 80:localhost:80 box.sleblanc


This connects to box and setups a socket on port 80 that will access a web service on tower, port 80. When a connection is established with box:80, I find that it appears to the web service in the logs as coming from 127.0.0.1. I find this annoying as I cannot reliably distinguish between the connections that are legitimately from my localhost as opposed to those that come from via the proxy.



By setting the BindAddress option to something different (e.g. 192.168.0.100) the connections to the proxy actually show up as that address instead, which solves my problem, but it forces my service to run on a network address other than localhost.



I found that running curl --interface 127.0.0.2 localhost:80 will produce requests from the IP address 127.0.0.2, which fulfills my requirement of being able to distinguish between legitimately local requests versus proxied requests, however, when setting BindAddress to 127.0.0.2, SSH can no longer reach box, as the 127.0.0.0/8 network is not routeable.



Ultimately, my question is: how can I bind the SSH client to multiple different addresses, so that the client can connect to an Internet host while the remote port redirection will come from an unrouteable address other than 127.0.0.1? That is, strictly bind connections to the remote forwarded port to the local address 127.0.0.2?




Toying with socat, I discovered this solution:



% socat TCP4-Listen:1234,fork TCP:127.0.0.1:80,bind=127.0.0.2 &
% ssh -R 80:127.0.0.1:1234 box.sleblanc


This sets up a socket on that listens to incoming connections on port 1234 and forwards them to 127.0.0.1:80 by binding to the local address 127.0.0.2. It works exactly as intended, but I am wondering if there is a way to streamline this into the SSH command.







ssh networking port-forwarding






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Mar 16 at 19:11









sleblancsleblanc

872914




872914












  • You would need ssh to bind on a specified interface when creating the local sockets for -R, but I see no way to specify this in man ssh. So if you want to do this with ssh only, you'll likely have to modify the code to provide this option (and submit a patch). You can also connect the remote box to your local box with a different kind of tunnel which preserves IP addresses.

    – dirkt
    Mar 16 at 19:47











  • On a Linux system, this hack (on tower) will "fix" ssh: iptables -t nat -I POSTROUTING -s 127.0.0.1 -d 127.0.0.2 -j SNAT --to-source 127.0.0.2

    – A.B
    Mar 16 at 22:49












  • @A.B, interesting. This rewrites packets addressed to 127.0.0.2 so that they show up as coming from 127.0.0.2 instead of 127.0.0.1, is that so?

    – sleblanc
    Mar 16 at 23:39











  • yes. even tested it (using.. socat with -d -d of course) before commenting. But your question doesn't specify the OS

    – A.B
    Mar 16 at 23:41











  • GNU plus Linux.

    – sleblanc
    Mar 17 at 2:25

















  • You would need ssh to bind on a specified interface when creating the local sockets for -R, but I see no way to specify this in man ssh. So if you want to do this with ssh only, you'll likely have to modify the code to provide this option (and submit a patch). You can also connect the remote box to your local box with a different kind of tunnel which preserves IP addresses.

    – dirkt
    Mar 16 at 19:47











  • On a Linux system, this hack (on tower) will "fix" ssh: iptables -t nat -I POSTROUTING -s 127.0.0.1 -d 127.0.0.2 -j SNAT --to-source 127.0.0.2

    – A.B
    Mar 16 at 22:49












  • @A.B, interesting. This rewrites packets addressed to 127.0.0.2 so that they show up as coming from 127.0.0.2 instead of 127.0.0.1, is that so?

    – sleblanc
    Mar 16 at 23:39











  • yes. even tested it (using.. socat with -d -d of course) before commenting. But your question doesn't specify the OS

    – A.B
    Mar 16 at 23:41











  • GNU plus Linux.

    – sleblanc
    Mar 17 at 2:25
















You would need ssh to bind on a specified interface when creating the local sockets for -R, but I see no way to specify this in man ssh. So if you want to do this with ssh only, you'll likely have to modify the code to provide this option (and submit a patch). You can also connect the remote box to your local box with a different kind of tunnel which preserves IP addresses.

– dirkt
Mar 16 at 19:47





You would need ssh to bind on a specified interface when creating the local sockets for -R, but I see no way to specify this in man ssh. So if you want to do this with ssh only, you'll likely have to modify the code to provide this option (and submit a patch). You can also connect the remote box to your local box with a different kind of tunnel which preserves IP addresses.

– dirkt
Mar 16 at 19:47













On a Linux system, this hack (on tower) will "fix" ssh: iptables -t nat -I POSTROUTING -s 127.0.0.1 -d 127.0.0.2 -j SNAT --to-source 127.0.0.2

– A.B
Mar 16 at 22:49






On a Linux system, this hack (on tower) will "fix" ssh: iptables -t nat -I POSTROUTING -s 127.0.0.1 -d 127.0.0.2 -j SNAT --to-source 127.0.0.2

– A.B
Mar 16 at 22:49














@A.B, interesting. This rewrites packets addressed to 127.0.0.2 so that they show up as coming from 127.0.0.2 instead of 127.0.0.1, is that so?

– sleblanc
Mar 16 at 23:39





@A.B, interesting. This rewrites packets addressed to 127.0.0.2 so that they show up as coming from 127.0.0.2 instead of 127.0.0.1, is that so?

– sleblanc
Mar 16 at 23:39













yes. even tested it (using.. socat with -d -d of course) before commenting. But your question doesn't specify the OS

– A.B
Mar 16 at 23:41





yes. even tested it (using.. socat with -d -d of course) before commenting. But your question doesn't specify the OS

– A.B
Mar 16 at 23:41













GNU plus Linux.

– sleblanc
Mar 17 at 2:25





GNU plus Linux.

– sleblanc
Mar 17 at 2:25










0






active

oldest

votes












Your Answer








StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f506715%2fbind-ssh-client-to-two-different-host-addresses%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























0






active

oldest

votes








0






active

oldest

votes









active

oldest

votes






active

oldest

votes















draft saved

draft discarded
















































Thanks for contributing an answer to Unix & Linux Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f506715%2fbind-ssh-client-to-two-different-host-addresses%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown






Popular posts from this blog

How to check contact read email or not when send email to Individual?

Displaying single band from multi-band raster using QGIS

How many registers does an x86_64 CPU actually have?