I have tunneled mixed linux and windows clients to a 'within-firewall client' (that could access the share's host) before, so I know that that, at least, is possible.

But what about tunneling directly from the client to the host of the network share?

Can I have samba listen on port, say, 5559 (just an example), and only accept connections from localhost, and tunnel a client's 5559 to that host - so that the client appears to be connecting from host's localhost? I can't figure out how to set it up. So far, I have samba configured:

hosts allow = 127.0.0.1 ::1 lo
interfaces = lo 127.0.0.1
bind interfaces only = yes

And I'm tunneling from the host:

ssh -R 5559:localhost:5559 shrusr@shrhost -Nf

However, if samba is already running, than TCP forwarding fails. If the tunnel is already running, than samba cannot start. Is what I'm trying to accomplish possible? Is there some other way to do it?

It seems like it should work - I can even netcat myself files across that ssh tunnel. So, netcat has no problem listening to the same port as ssh. Only smbd refuses, and also blocks ssh from that port if started first.

Any advice would be appreciated.