
Using Docker 1.12.1, I face a strange behaviour trying to access a host port created with ssh -R.

Basically I try to access a service running on port 12345 on my local machine from a docker container running on a server.

I opened a ssh connection with ssh -R *:12345:localhost:12345 user@server to open a port 12345 on server that forwards to port 12345 on my local machine.

Now when I try curl https://172.17.42.1:12345 inside the container (172.17.42.1 is the IP to access the docker host from the docker container) I get:

root@f6873fe1109b:/# curl https://172.17.42.1:12345
curl: (7) Failed to connect to 172.17.42.1 port 12345: Connection refused

But on server the command curl http://localhost:12345 succeeds (i.e. no Connection refused):

server$ curl http://localhost:12345
curl: (52) Empty reply from server

I don't really understand how the port binding done with ssh differs from a test with nc on server (it works):

# on server
nc -l -p 12345
# inside a container
root@f6873fe1109b:/# curl http://172.17.42.1:12345
curl: (52) Empty reply from server

NB: the container was started with docker run -it --rm maven:3-jdk-8 bash.

What can I do to allow my container to access the host port corresponding to a ssh binding?

Alexandre Ardhuin
    by default ports opened by ssh -R are bound to localhost only - you need to use `-R '*:11443:server1:443'` to get it to bind on other interfaces – Anya Shenanigans Sep 27 '16 at 09:07
  • Thanks for your suggestion but it doesn't seem to make it work. I still see `curl: (7) Failed to connect to 172.17.42.1 port 11443: Connection refused` – Alexandre Ardhuin Sep 27 '16 at 09:16
  • I'm a little confused as to the layout of things in your question. It kind of sounds like you're trying to do [accessing host port from inside a container](http://stackoverflow.com/questions/31324981/how-to-access-host-port-from-docker-container), so that answer may help in this case, but I'm not 100% certain. – Anya Shenanigans Sep 27 '16 at 09:27
  • I saw this question/answers but it didn't help. I've tried to simplify my question. PTAL. Thanks again. – Alexandre Ardhuin Sep 27 '16 at 09:46
    ack, I just realized that you're using `-R`, which binds the listening on *server*, while what you want it `-L` which binds on the system you're ssh-ing *from*. If you use `-L` then it should work correctly – Anya Shenanigans Sep 27 '16 at 10:30

1 Answer


From man ssh:

-R [...]

... Specifying a remote bind_address will only succeed if the server's GatewayPorts option is enabled

And man sshd_config:

GatewayPorts

Specifies whether remote hosts are allowed to connect to ports forwarded for the client. By default, sshd(8) binds remote port forwardings to the loopback address. This prevents other remote hosts from connecting to forwarded ports. GatewayPorts can be used to specify that sshd should allow remote port forwardings to bind to non-loopback addresses, thus allowing other hosts to connect. The argument may be “no” to force remote port forwardings to be available to the local host only, “yes” to force remote port forwardings to bind to the wildcard address, or “clientspecified” to allow the client to select the address to which the forwarding is bound. The default is “no”.

This means that a default sshd server installation only allows creating forwards that bind to the loopback interface. If you want to allow forwards to bind to interfaces other than loopback, you need to set the GatewayPorts option to yes or clientspecified in your /etc/ssh/sshd_config.

mata
  • Thanks a lot! NB ssh service has to be restart with `sudo service ssh restart` after the change in `/etc/ssh/sshd_config` – Alexandre Ardhuin Sep 27 '16 at 12:40
  • Just one other note: `clientspecified` may be the better option than `yes` because it will cause only forwards that explicitly request it to be bound to the wildcard address. With `yes` all forwards that don't specify a bind address are bound to the wildcard address. – mata Sep 27 '16 at 12:56
  • ...and restart the sshd service – Anton Duzenko Dec 19 '22 at 14:32
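The following is an added example, not code from the question, the answer or OpenSSH itself: a small shell model of the GatewayPorts rules quoted above from ssh(1) and sshd_config(5), plus a helper that reads the effective setting from an sshd_config-style file. The function names `effective_gateway_ports`, `remote_forward_bind` and `demo_gateway_ports` are this example's own, the config contents it writes are constructed for the demo, and the model deliberately ignores Match blocks, Include directives and bracketed IPv6 bind addresses. It lets you predict, before touching the server, where a given `ssh -R` listener will end up and whether sshd will reject it.

```shell
#!/bin/sh
# Added example (not OpenSSH code, not from the original post): models the
# documented GatewayPorts behaviour for remote (-R) forwards.

# effective_gateway_ports FILE
# Prints the effective GatewayPorts value from FILE. sshd honours the first
# occurrence of a keyword, keyword matching is case-insensitive, keyword and
# value may be separated by whitespace or '=', '#' lines are comments, and the
# documented default is "no". Limitation: Match blocks and Include directives,
# which can override the global value, are ignored here.
effective_gateway_ports() {
    val=$(awk '
        { sub(/^[[:space:]]+/, "") }
        /^#/ { next }
        {
            n = split($0, f, /[[:space:]=]+/)
            if (n >= 2 && tolower(f[1]) == "gatewayports") { print tolower(f[2]); exit }
        }' "$1")
    printf '%s\n' "${val:-no}"
}

# remote_forward_bind GATEWAYPORTS RSPEC
# GATEWAYPORTS is the server's effective setting; RSPEC is the argument given
# to ssh -R, either "port:host:hostport" (bind_address omitted) or
# "bind_address:port:host:hostport". Prints "loopback", "wildcard", the
# specific address the listener gets, or "refused" (exit status 1) when the
# documented rules say sshd will reject the request. In that last case the ssh
# client prints "Warning: remote port forwarding failed for listen port ...".
remote_forward_bind() {
    gw=$1
    spec=$2
    nf=$(printf '%s' "$spec" | awk -F: '{ print NF }')
    omitted=0
    bind=""
    case "$nf" in
        3) omitted=1 ;;
        4) bind=${spec%%:*} ;;          # empty string means "*" (see ssh(1))
        *) printf 'refused\n'; return 1 ;;
    esac

    case "$gw" in
        yes)
            # "yes" forces every remote forward onto the wildcard address,
            # whatever the client asked for (this is mata's point above).
            printf 'wildcard\n'
            ;;
        clientspecified)
            if [ "$omitted" = 1 ] || [ "$bind" = localhost ]; then
                printf 'loopback\n'
            elif [ -z "$bind" ] || [ "$bind" = '*' ] || [ "$bind" = 0.0.0.0 ]; then
                printf 'wildcard\n'
            else
                # e.g. -R 172.17.42.1:12345:... listens only on the docker
                # bridge address: narrower than a wildcard bind.
                printf '%s\n' "$bind"
            fi
            ;;
        no)
            # The default: loopback only; any non-loopback bind_address makes
            # the forwarding request fail.
            if [ "$omitted" = 1 ] || [ "$bind" = localhost ] || [ "$bind" = 127.0.0.1 ]; then
                printf 'loopback\n'
            else
                printf 'refused\n'
                return 1
            fi
            ;;
        *)
            # Not a valid GatewayPorts value; sshd refuses to start with it.
            printf 'refused\n'
            return 1
            ;;
    esac
}

# Demo: the exact command from the question under the untouched default and
# after the fix. The config file contents are constructed for the demo.
demo_gateway_ports() {
    cfg=$(mktemp)
    printf 'Port 22\n#GatewayPorts yes\n' > "$cfg"            # default: keyword commented out
    gw=$(effective_gateway_ports "$cfg")
    printf 'GatewayPorts %s: -R *:12345:localhost:12345 -> %s\n' \
        "$gw" "$(remote_forward_bind "$gw" '*:12345:localhost:12345' || true)"
    printf 'GatewayPorts clientspecified\n' > "$cfg"          # the fix from the answer
    gw=$(effective_gateway_ports "$cfg")
    printf 'GatewayPorts %s: -R *:12345:localhost:12345 -> %s\n' \
        "$gw" "$(remote_forward_bind "$gw" '*:12345:localhost:12345')"
    rm -f "$cfg"
}

demo_gateway_ports
```

After restarting sshd and re-opening the tunnel, confirm the result on the server with `ss -tlnp | grep ':12345 '` (or `netstat -tlnp`): a listener on `127.0.0.1:12345` is the loopback-only default the question ran into, while `*:12345` or `0.0.0.0:12345` is reachable from 172.17.42.1 inside the container. From a least-privilege angle, `clientspecified` together with `-R 172.17.42.1:12345:localhost:12345` is tighter still: the forwarded port is then reachable from the docker bridge only, not from every interface on the server.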