If the host machine is running SSH server software as well and is accessible from the Internet, you could use the command `ssh -L 22065:127.0.0.1:22 user@192.168.122.65`. The `-L` option is used in the following way:

```
-L [bind_address:]port:host:hostport
        Specifies that the given port on the local (client) host is to be
        forwarded to the given host and port on the remote side. This
        works by allocating a socket to listen to port on the local side,
        optionally bound to the specified bind_address. Whenever a
        connection is made to this port, the connection is forwarded over
        the secure channel, and a connection is made to host port
        hostport from the remote machine. Port forwardings can also be
        specified in the configuration file. IPv6 addresses can be
        specified by enclosing the address in square brackets. Only the
        superuser can forward privileged ports. By default, the local
        port is bound in accordance with the GatewayPorts setting.
        However, an explicit bind_address may be used to bind the connection
        to a specific address. The bind_address of "localhost" indicates
        that the listening port be bound for local use only, while an
        empty address or '*' indicates that the port should be available
        from all interfaces.
```
Let's say the host's IP address is 10.0.0.5. From a system on the Internet, you could establish a connection to port 22065 on the host with the command `ssh -p 22065 user@10.0.0.5`. Note: you need to provide a valid userid and password for the guest system even though you are using the host's public IP address (I'm using an address from the private IP address range 10.x.x.x just for purposes of the example), since the connectivity will actually be tunneled to the guest.
When the connection to port 22065 on the host is made, it is forwarded through the SSH tunnel established by your first SSH connection from the host to the guest system at 192.168.122.65. As far as an SSH client on the Internet is concerned, it is going directly to the guest system on port 22065, though it is actually connecting to port 22 on that system via the SSH tunnel from the 10.0.0.5 host. Note: for this to work, the SSH connection from the host to the guest system must be up at the time.
Where I placed `127.0.0.1` you could have also put `192.168.122.65`, but since the connection is to the localhost address, i.e., the guest itself, rather than some system external to it, I would use `127.0.0.1`.
For the firewall rules that are needed, you need to have a rule on the host and any firewalls between it and the Internet that allows incoming TCP connections to port 22065, or whatever port you select, instead. You won't need any additional firewall rules on the guest system.
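Added example, not part of the original answer: a small shell check that applies the bind rules from the quoted man page text to a `-L` specification and reports which interfaces the listener would occupy, which is what decides whether the firewall rule above exposes anything. The function name `forward_exposure` is hypothetical; it assumes the OpenSSH client default of `GatewayPorts no` unless told otherwise and handles only the colon-separated TCP form (not Unix sockets).

```shell
#!/bin/sh
# Classify where an `ssh -L [bind_address:]port:host:hostport` listener binds.
# Prints one of: loopback | all-interfaces | address:<addr> | invalid
#   $1 = forwarding spec
#   $2 = client GatewayPorts value, yes or no (assumed default: no)
forward_exposure() {
    spec=$1
    gateway_ports=${2:-no}

    # Collapse bracketed IPv6 literals so their inner colons are not counted.
    flat=$(printf '%s' "$spec" | sed 's/\[[^]]*\]/V6/g')
    colons=$(printf '%s' "$flat" | tr -cd ':' | wc -c | tr -d ' ')

    case $colons in
        2)  # No bind_address given: the GatewayPorts setting decides.
            if [ "$gateway_ports" = yes ]; then
                echo all-interfaces
            else
                echo loopback
            fi
            ;;
        3)  # Explicit bind_address (possibly empty, possibly bracketed IPv6).
            case $spec in
                \[*) bind=${spec#\[}; bind=${bind%%\]*} ;;
                *)   bind=${spec%%:*} ;;
            esac
            case $bind in
                ''|'*'|0.0.0.0|::)   echo all-interfaces ;;
                localhost|127.*|::1) echo loopback ;;
                *)                   echo "address:$bind" ;;
            esac
            ;;
        *)  echo invalid ;;
    esac
}

# Constructed sample specs built from the addresses used in the answer.
for s in '22065:127.0.0.1:22' '*:22065:127.0.0.1:22' \
         'localhost:22065:127.0.0.1:22' '10.0.0.5:22065:127.0.0.1:22'; do
    printf '%-32s -> %s\n' "$s" "$(forward_exposure "$s")"
done
```

On the host, `ss -tln` shows the address the listener actually bound to, which should match the classification printed here.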
Thanks for the nice answer! I can set up an SSH tunnel, but I really wanted to forward a port, because later I'll want to do the same for a HTTP server. – Aron Lorincz – 2015-08-18T11:09:04.067
I've added my observation to the question – Aron Lorincz – 2015-08-18T11:11:44.933