SSH tunneling


Here’s what I want to do: I have a desktop in my apartment behind a NAT. I have a laptop which travels to class with me. I have a $10/month DH account. Both the laptop and the desktop are Macs. I currently use the DH account to run unison to sync a few files between the two. My goal is to be able to SSH from my laptop to my tower (presumably using my Dreamhost as an intermediary).

  1. Is this allowed? From other questions I’ve seen on here, it seems like it is.
  2. How do I do it? I’m setting up a reverse ssh from my desktop to listen on a port on my DH server, and then I’m ssh’ing to that port on DH from my laptop, but I keep getting a “connection refused” from the Dreamhost server, or if I log in normally and try to go to localhost port X, it hangs reading its own DSA public key.

Can someone help me with how to set this up? I’m not really sure where the error is.


You should ask the support folks about this, but I doubt your particular usage is intended or allowed per the rules, since what you want to do is basically keep a process running 24/7 and open a tcp port on the server in listening mode. Sporadically this shouldn’t be impossible (though I have a feeling the server’s iptables firewall might have something to say about that).

But just in case you choose to disregard that advice, here are the steps:

ssh -g -Rportonserver:

on your tower behind the NAT

ssh from laptop
(this would assume DreamHost missed closing unauthorized ports on the server via iptables, WHICH ANY SANE ADMIN WOULD DO), or

ssh -Lauxiliarylocalport: &
(and again locally on your laptop)
ssh usernameathome@

the -g parameter in the first SSH opens up the port for external connections (other than localhost), if those are not filtered. Otherwise the socket will only listen on lo on the DH server.

This is all much indirection without any real gain. If at all possible, try to set up a port forward on your NAT to your local server and use or some such for the IP address – in that case no SSH tunneling is necessary. If you do not have administrative access to the NAT box, you could give it a XMPP client (those are easy to whip up in Perl), have it connect to your favourite XMPP/Jabber-Server waiting for commands, and just send it a “hey, connect to the laptop at ip address XXX on port YY please”-command via Jabber, and your tower will call you back through the NAT (this only really applies if you know a bit about coding, but really, a simple XMPP listening client in Perl is quite easy to create). Dreamhost offers you an XMPP server, btw :stuck_out_tongue: