I have needed at various times to set up a server to tunnel from an Internet-facing machine to an internal machine using ssh. The actual command has always challenged me, and each time I look it up, I don’t find what I really need.
So this time, for the purposes of documenting what I did, here’s the command I used:
ssh -L 10.1.10.10:10000:10.9.9.1:22 -l sshuser -N 10.9.9.1
The -L option sets up a local port forward: 10.1.10.10 is the eth0 address on the Internet-facing machine, and 10000 is the port ssh will listen on. Incoming ssh requests to that port are then routed to 10.9.9.1 on the inside, on the standard port 22. The -l sshuser names a user on the 10.9.9.1 machine that the tunnel logs in as, and -N tells ssh not to run a remote command, only to forward. The login will require a password, but if the shared RSA keys are set up between the 10.1.10.10 machine and 10.9.9.1 for the user ID sshuser, then no password is needed.
To generate the RSA keys, run ssh-keygen as user sshuser on 10.1.10.10. Do bother with a passphrase. The resulting public key file, id_rsa.pub, is found in sshuser’s .ssh directory on 10.1.10.10. Transfer it to sshuser’s .ssh directory on 10.9.9.1 and name it authorized_keys, or append it to that authorized_keys file if needed. Ensure that the authorized_keys file has 0600 permissions.
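The key-installation step above, as an added example that is not part of the original post: install_pubkey is a hypothetical helper, run as sshuser on 10.9.9.1, that appends the transferred key only if it is not already present and sets the permissions. The optional third argument is an assumption beyond the post: it uses OpenSSH's authorized_keys options (restrict needs OpenSSH 7.2 or later) to limit the key to forwarding to 10.9.9.1:22, which is all the -N tunnel needs.

```shell
#!/bin/sh
# install_pubkey PUBKEY_FILE SSH_DIR [OPTIONS]   (hypothetical helper, added example)
# Appends the public key to SSH_DIR/authorized_keys unless it is already there,
# creates the directory/file if missing, and sets 0700 / 0600 permissions.
# OPTIONS, if given, is written in front of the key as authorized_keys options.
#
# Typical call on 10.9.9.1, as sshuser, after copying id_rsa.pub over:
#   install_pubkey ./id_rsa.pub "$HOME/.ssh" \
#       'restrict,port-forwarding,permitopen="10.9.9.1:22"'
install_pubkey() {
    pub=$1
    dir=$2
    opts=${3:-}

    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }

    # First line of the .pub file: "<type> <base64-blob> [comment]"
    line=$(head -n 1 "$pub")
    # Identify the key by type and blob only, so a changed comment or a
    # different options prefix does not produce a duplicate entry.
    key=$(printf '%s\n' "$line" | awk 'NF >= 2 { print $1 " " $2 }')
    [ -n "$key" ] || { echo "no public key found in $pub" >&2; return 1; }

    auth=$dir/authorized_keys
    mkdir -p "$dir" || return 1
    chmod 700 "$dir" || return 1
    touch "$auth" || return 1
    chmod 600 "$auth" || return 1

    # Fixed-string match: base64 contains '+' and '/', so no regex.
    if grep -qF -- "$key" "$auth"; then
        return 0    # already installed, nothing to append
    fi

    # Append (never overwrite) so keys already in the file are preserved.
    printf '%s\n' "${opts:+$opts }$line" >> "$auth"
}
```

The script only defines the function; call it as shown in the header comment.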
That should do it. There, documented for all.