Remote port forwarding inside Docker containers

I'm trying to set up a docker container that I use to bypass firewalls/NATs to allow SSH access to the computers behind these routing barriers. In essence, I have an SSH service listening inside of a docker container that my other computers connect to, opening a reverse SSH port forward, and then if I want to connect to a computer behind a firewall, I instead connect to my dockerized proxy server on the reverse port. Example:

Firewalled computer "Bob" connects to proxy server:

ssh -R 2024:localhost:22 -N remote.server

Next, I connect to the remote server on port 2024 so as to follow the tunnel back down and connect to localhost:22 on Bob:

ssh -p 2024 remote.server

This all works great when it's not dockerized, however when I tried to move this to a dockerized service, I found that my sshd server within the docker container stubbornly refuses to open remote port forwards. Connecting with ssh -vvv in the first step above gives:

...
debug1: Entering interactive session.
debug1: pledge: network
debug3: receive packet: type 4
debug1: Remote: Server has disabled port forwarding.
debug3: receive packet: type 82
debug1: remote forward failure for: listen 2024, connect localhost:22
Warning: remote port forwarding failed for listen port 2024
debug1: All remote forwarding requests processed

Which sounds a lot like my sshd isn't set up to allow remote port forwarding. However, my sshd_config seems to think it is:

# tail /etc/ssh/sshd_config -n 5
GatewayPorts yes
AllowTcpForwarding yes
AllowStreamLocalForwarding yes
PermitTunnel yes
UsePrivilegeSeparation no

Indeed, running with ssh -ddd inside the docker container, then connecting with the line above shows first:

debug3: /etc/ssh/sshd_config:91 setting GatewayPorts yes
debug3: /etc/ssh/sshd_config:92 setting AllowTcpForwarding yes
debug3: /etc/ssh/sshd_config:93 setting AllowStreamLocalForwarding yes
debug3: /etc/ssh/sshd_config:94 setting PermitTunnel yes
debug3: /etc/ssh/sshd_config:95 setting UsePrivilegeSeparation no

Followed by:

debug1: server_input_global_request: rtype tcpip-forward want_reply 1
debug1: server_input_global_request: tcpip-forward listen localhost port 2024
debug1: server_input_global_request: rtype no-more-sessions@openssh.com want_reply 0

So clearly my configuration is being set correctly, but it seems that the client still thinks the server cannot do port forwarding. How can I convince the openssh server to perform remote forwarding? What could cause this failure?

The client is running OpenSSH_7.2p2 Ubuntu-4ubuntu2.4, the server is running OpenSSH_6.7p1 Debian-5+deb8u4, the docker version is 17.09.1-ce on Amazon Linux 2017.09.

Thanks!

Aha! I figured it out. This was because docker was creating an IPv6 internal network for my containers, and my kernel did not have IPv6 forwarding enabled. So when running sshd outside of the container, it would work over IPv4, but when running sshd inside of the container on the docker bridge network, it would listen on IPv6 and be unable to open port forwards.

Once I enabled IPv6 forwarding (adding net.ipv6.conf.all.forwarding = 1 to /etc/sysctl.conf and rebooting), everything started working just fine.

You could also try forcing sshd to use IPv4. In your example, add the "-4" switch as follows:

ssh -4 -R 2024:localhost:22 -N remote.server
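
As an added example (not code from the original thread, and not part of OpenSSH or Docker), the following POSIX shell script checks the two things the answer above narrows the failure down to: the sshd_config forwarding directive and the kernel's IPv6 forwarding sysctl. Function names (sshd_config_value, remote_forward_allowed, ipv6_forwarding_enabled, diagnose) are my own; file paths are parameters so the script runs against constructed sample files, and on a real host you would pass /etc/ssh/sshd_config and /proc/sys/net/ipv6/conf/all/forwarding. The sshd_config semantics it relies on (first occurrence of a keyword wins, keywords are case-insensitive, AllowTcpForwarding defaults to yes) are from sshd_config(5); skipping Match blocks is a simplification.

```shell
#!/bin/sh
# Added diagnostic for "remote port forwarding failed" inside a container.
# Not from the original thread; paths are parameters so it runs offline.

# sshd_config_value <config-file> <keyword>
# Prints the effective value of a keyword. sshd uses the FIRST occurrence of
# a keyword and matches keywords case-insensitively. Directives inside Match
# blocks are skipped (simplification: they only apply to matched clients).
sshd_config_value() {
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[[:space:]]*#/ || NF == 0 { next }          # comments, blank lines
        tolower($1) == "match"     { in_match = 1; next }
        in_match                   { next }
        tolower($1) == key         { print $2; exit }
    ' "$1"
}

# remote_forward_allowed <config-file>
# Returns 0 when AllowTcpForwarding permits -R (remote) forwards.
# An absent keyword means the OpenSSH default, "yes".
remote_forward_allowed() {
    v="$(sshd_config_value "$1" AllowTcpForwarding)"
    case "$(printf '%s' "${v:-yes}" | tr '[:upper:]' '[:lower:]')" in
        yes|all|remote) return 0 ;;
        *)              return 1 ;;
    esac
}

# ipv6_forwarding_enabled <sysctl-file>
# Returns 0 when the file (net.ipv6.conf.all.forwarding) contains 1.
ipv6_forwarding_enabled() {
    [ "$(cat "$1" 2>/dev/null | tr -d '[:space:]')" = "1" ]
}

# diagnose <config-file> <sysctl-file>
# Prints one line per finding; returns 0 only when nothing was found.
diagnose() {
    rc=0
    if ! remote_forward_allowed "$1"; then
        echo "sshd_config: AllowTcpForwarding=$(sshd_config_value "$1" AllowTcpForwarding) refuses -R forwards"
        rc=1
    fi
    if ! ipv6_forwarding_enabled "$2"; then
        echo "kernel: net.ipv6.conf.all.forwarding is not 1; enable it, or have the client connect with ssh -4"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "remote forwarding prerequisites look fine"
    fi
    return "$rc"
}

# Constructed sample inputs (not taken from a real host).
tmp="$(mktemp -d)"
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/sshd_config.ok" <<'EOF'
# constructed config: forwarding allowed, lower-case keyword on purpose
Port 22
GatewayPorts yes
allowtcpforwarding yes
Match User deploy
    AllowTcpForwarding no
EOF
cat > "$tmp/sshd_config.bad" <<'EOF'
AllowTcpForwarding no
AllowTcpForwarding yes
EOF
printf '1\n' > "$tmp/fwd.on"
printf '0\n' > "$tmp/fwd.off"

diagnose "$tmp/sshd_config.ok"  "$tmp/fwd.on"  || true
diagnose "$tmp/sshd_config.bad" "$tmp/fwd.off" || true
```

The second sample config deliberately lists the keyword twice to show that sshd honours the first line, so a later `AllowTcpForwarding yes` does not rescue it; when reading a real config, `sshd -T` prints the effective values and is the authoritative check.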

Following these steps helped me:

  • install ssh on the container
  • enable the service with /etc/init.d/ssh start
  • run echo 'root:a-strong-password' | chpasswd to set a password for root
  • edit /etc/ssh/sshd_config and set PermitRootLogin yes
  • then /etc/init.d/ssh restart
  • then ssh -fNTCR localhost:<YOUR-PORT>:localhost:22 remote-host; this goes to the background and you can see it via ps aux | grep ssh
  • then on remote-host we can log in to it with ssh -p <YOUR-PORT> localhost
  • which asks for the password you already created

More info

  1. how-to-ssh-into-a-docker-container-remotely-as-root-or-a-non-root-user