# [SOLVED] Sharing a Forwarded SSH Port on Local Network

## maltheus

From machine_x on my network, I'm forwarding a port to an external site:

ssh -N -L 3389:localhost:3389 external_server

But I can only access port 3389 from machine_x. I'd like to make that port available to other machines on my network, without those other machines having to connect to external_server themselves. Right now the only workaround I have is to forward a port from my other machines for machine X.

(From machine_y)

ssh -N -L 3389:localhost:3389 machine_x

But it seems a waste to set up another encrypted tunnel like that. Is there a way I can connect directly to machine_x's port 3389 from another machine on my network?

Last edited by maltheus on Thu Dec 03, 2009 2:43 pm; edited 1 time in total

----------

## eccerr0r

Manpage looks like you can do: -L *:3389:localhost:3389 ...

I wouldn't do that personally though, -L is already opening a gaping security hole into my home network...

----------

## truc

GatewayPorts is probably the setting you're looking for?

----------

## Hu

Using GatewayPorts is just a shorthand for the syntax that eccerr0r described.  I am not sure I agree with the comment about -L being a security hole on the home network.  Using -L binds a local port and forwards the traffic to a remote system, so the only risk to the local network is that it may be possible for a local application to contact a malicious server.  A malicious user at the remote site cannot leverage a -L forwarding to mount any attack on the local network.  A -R forwarding could be abused to bring traffic back to the port forwarded by -R.

You can also do a non-wild binding by specifying a particular local address.  For example, -L 192.168.0.2:3389:localhost:3389.
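As an added example that is not part of this thread, the following Python models the ssh(1) rules that Hu and eccerr0r are describing: where the listener for a `-L [bind_address:]port:host:hostport` forward ends up bound, how an explicit bind_address interacts with `-g` / `GatewayPorts`, and which of those bindings is reachable from other hosts on the LAN. The function and class names are my own; the resolution rules follow the documented ssh(1) behaviour (an explicit bind_address always wins, `localhost` means loopback only, an empty address or `*` means all interfaces, and with no bind_address the GatewayPorts setting decides). `probe_bind` actually binds a throwaway socket so you can see the concrete address the kernel picks.

```python
import ipaddress
import socket
from dataclasses import dataclass
from typing import Optional


@dataclass
class LocalForward:
    bind_address: Optional[str]  # None means no bind_address was given on the command line
    listen_port: int
    target_host: str
    target_port: int


def parse_local_forward(spec: str) -> LocalForward:
    """Parse the argument of ssh -L: [bind_address:]port:host:hostport.

    A bracketed IPv6 bind address such as [::1]:3389:localhost:3389 is accepted.
    """
    if spec.startswith("["):
        close = spec.index("]")
        bind: Optional[str] = spec[1:close]
        rest = spec[close + 1:]
        if not rest.startswith(":"):
            raise ValueError("expected ':' after bracketed bind address")
        parts = rest[1:].split(":")
        if len(parts) != 3:
            raise ValueError(f"bad -L spec: {spec!r}")
        port, host, hostport = parts
    else:
        parts = spec.split(":")
        if len(parts) == 4:
            bind, port, host, hostport = parts
        elif len(parts) == 3:
            bind = None
            port, host, hostport = parts
        else:
            raise ValueError(f"bad -L spec: {spec!r}")
    return LocalForward(bind, int(port), host, int(hostport))


def effective_bind(fwd: LocalForward, gateway_ports: bool = False) -> str:
    """Return where the local listener is bound.

    Returns 'localhost' for loopback only, '*' for all interfaces, or the
    explicit address. gateway_ports=True models -g (or GatewayPorts yes in
    ssh_config) and is only consulted when no bind_address was given.
    """
    b = fwd.bind_address
    if b is None:
        return "*" if gateway_ports else "localhost"
    if b == "localhost":
        return "localhost"
    if b in ("", "*"):
        return "*"
    return b


def is_loopback(addr: str) -> bool:
    """True for 'localhost' or any literal loopback address (127/8, ::1)."""
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def lan_exposed(fwd: LocalForward, gateway_ports: bool = False) -> bool:
    """True if other machines on the local network can reach the forwarded port."""
    return not is_loopback(effective_bind(fwd, gateway_ports))


def probe_bind(bind: str) -> str:
    """Bind a throwaway TCP socket the way the resolved spec would and report
    the concrete IPv4 address the kernel bound (port 0 = ephemeral, so this
    never collides with a real forward)."""
    host = "" if bind == "*" else bind
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[0]


if __name__ == "__main__":
    # Constructed specs mirroring the commands in this thread.
    for spec, gw in [("3389:localhost:3389", False),
                     ("3389:localhost:3389", True),          # same spec with -g
                     ("*:3389:localhost:3389", False),
                     ("192.168.0.2:3389:localhost:3389", False),
                     ("localhost:3389:localhost:3389", True)]:
        f = parse_local_forward(spec)
        print(f"{spec:34s} -g={gw!s:5s} bind={effective_bind(f, gw):12s} "
              f"lan_exposed={lan_exposed(f, gw)}")
```

The last case in the demo is the one worth remembering: an explicit `localhost:` bind address keeps the port loopback-only even when `-g` is on the command line, which is the tidiest way to keep one forward private while others are shared.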

----------

## eccerr0r

I use -L to access my firewalled home network resources at work; as work is an "untrusted" environment to my home network, it is a security hole for my situation.  I suppose if you control all connections to the port it should be fine.

----------

## maltheus

*truc wrote:*

> GatewayPorts is probably the setting you're looking for?

Thanks, that led me to the "-g" option, which was what I needed. I still get a "bind: Address already in use" error, but it works nonetheless.

As for security, this port is only available on my local home network, so I'm not too worried about it.

----------

