Directly SSH to Hosts’ Internal IPs Through the Gateway

We have many hosts with internal/LAN IPs like 10.0.3.* behind a gateway and the hosts with LAN IPs can connect to the Internet through the gateway. We used iptables to forward port from the gateway to internal IPs so that users from hosts with Internet connections can SSH to the gateway’s forwarded port to log on the internal hosts. However, there should be rules added for these hosts and the users need to connect to these non-standard (not 22) ports of the gateway that may be blocked by firewalls of their network.

Is there any other methods to support this? We do not want VPN yet since only SSH is needed most of the time and we do not like to be too open to the Internet yet.

My solution is to use a SSH tunnel as the proxy to SSH to the internal hosts. This is set by the users themselves on their own side.

Assumptions and requirements:

1. You, the user, are using a Linux environment on your machine, say .
2. You can password-less login to the gateway, say, with your username. You can use other usernames, non-standard port, or forward the 22 port of gateway to an internal host/VM for security reason. We use the most simple configuration for simplicity of the introduction.
3. On the gateway or the host that you can ssh to as a proxy, nc is installed.

Now, add these 2 lines to your ~/.ssh/config (make its attributes 700) on

Host 10.0.3.*
  ProxyCommand ssh -q nc %h %p

Then, on, you can directly ssh to internal hosts, such as:


The SSH client will first run ssh -q nc 22 which log on and runs nc 22 on the gateway. The nc on the gateway will redirect all input from the SSH client on to to which the sshd daemon on listens. That is, works as the proxy for the SSH connection and the users can connect to the internal IPs “directly”.

Eric Z Ma

Eric is a father and systems guy. Eric is interested in building high-performance and scalable distributed systems and related technologies. The views or opinions expressed here are solely Eric’s own and do not necessarily represent those of any third parties.

Leave a Reply

Your email address will not be published. Required fields are marked *