I had wondered for a while how SSH reverse port forwarding (RPF) works. RPF lets you publish any port you can reach to an upstream server. Because the publishing host only makes an outbound connection, it can act as a server without having to open any external ports.
Set up on the listener
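### Define the ports
listen='10.0.0.1 8080'   # address and port the target connects back to
connect=2222             # loopback port the SSH client will use

### Create a FIFO (named pipe)
fifo=$(mktemp -u)
mkfifo "$fifo"

### Start the listener
### ($listen is left unquoted on purpose so it splits into address and port)
ncat -l $listen 0<"$fifo" | ncat -l 127.0.0.1 $connect >"$fifo"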
Target connects to '10.0.0.1:8080' and publishes local SSH to the upstream server
### fd 3 = local sshd, fd 4 = upstream listener; one cat copies each direction
exec 3<>/dev/tcp/localhost/22 && exec 4<>/dev/tcp/10.0.0.1/8080 && \
bash <(cat 0<&3 1>&4 & ) && cat 0<&4 1>&3
SSH is reachable on the listener
ssh localhost -p 2222
Host 'localhost' is not in the trusted hosts file.
(ssh-rsa fingerprint [snip])
Do you want to continue connecting? (y/n)
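
What this relay looks like from the target host, as an added example that is not part of the original post: it scans `ss -tnp` output for a shell or `cat` holding established TCP sockets, which is what the `/dev/tcp` redirections leave behind. The function names, the process-name list, and the sample rows (including PIDs and the 192.168.1.x addresses) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Reads `ss -tnp` output on stdin
# and reports shells or cat that own established TCP sockets.

# Constructed sample: the first two rows are what the target-side one-liner
# leaves behind (fd 3 -> local sshd, fd 4 -> listener). PIDs are made up.
sample_ss_output() {
    cat <<'EOF'
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 127.0.0.1:51234 127.0.0.1:22 users:(("cat",pid=4312,fd=3),("cat",pid=4310,fd=3),("bash",pid=4200,fd=3))
ESTAB 0 0 192.168.1.50:40122 10.0.0.1:8080 users:(("cat",pid=4312,fd=4),("cat",pid=4310,fd=4),("bash",pid=4200,fd=4))
ESTAB 0 0 127.0.0.1:22 127.0.0.1:51234 users:(("sshd",pid=990,fd=4))
ESTAB 0 0 192.168.1.50:22 192.168.1.20:55012 users:(("sshd",pid=1500,fd=4))
ESTAB 0 0 192.168.1.50:40990 192.168.1.9:443 users:(("bash",pid=7000,fd=5))
EOF
}

# "relay": one PID holds a loopback socket and a non-loopback socket.
# "socket": a shell/cat holds a TCP socket but only on one side.
find_fd_relays() {
    awk '
    $1 == "ESTAB" {
        peer = $5
        procs = ""
        for (i = 6; i <= NF; i++) procs = procs $i
        # Walk every ("name",pid=N entry in the users:(...) column
        while (match(procs, /\("[^"]*",pid=[0-9]+/)) {
            tok = substr(procs, RSTART, RLENGTH)
            procs = substr(procs, RSTART + RLENGTH)
            split(tok, part, "\"")
            name = part[2]
            pid = part[3]; sub(/.*pid=/, "", pid)
            if (name !~ /^(bash|sh|dash|cat)$/) continue
            pname[pid] = name
            if (peer ~ /^(127\.|\[::1\])/) loop[pid] = peer
            else remote[pid] = peer
        }
    }
    END {
        for (pid in pname) {
            if ((pid in loop) && (pid in remote))
                printf "relay pid=%s proc=%s local=%s remote=%s\n", pid, pname[pid], loop[pid], remote[pid]
            else
                printf "socket pid=%s proc=%s peer=%s\n", pid, pname[pid], (pid in loop) ? loop[pid] : remote[pid]
        }
    }' | sort
}

sample_ss_output | find_fd_relays
```

On a live host, feed it `ss -tnp` run as root, since the process column is only filled in for sockets the caller is allowed to inspect.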