
I've looked around, and forwarding port 22 so I can ssh to my home network externally should be easy; however, I'm having issues and can't seem to solve this from googling.

I suspect I have missed something that needs to be done before port forwarding can be done.

Steps

ssh to self to prove the local IP is right:

```
external-access:
 λ ssh [email protected]
([email protected]) Password:
Last login: Wed Jun  7 19:35:53 2023 from 192.168.0.209
~:
 λ exit
logout
Connection to 192.168.0.209 closed.
```

Get external IP:

```
external-access:
 λ curl -s https://ipinfo.io/ip
82.4.76.15
```

Port forward using a tunnel; this hangs:

```
external-access:
 λ ssh -L 192.168.0.209:22:82.4.76.15:80 -N 127.0.0.1
([email protected]) Password:
bind [192.168.0.209]:22: Permission denied
channel_setup_fwd_listener_tcpip: cannot listen to port: 22
Could not request local forwarding.
```

Verbose:

```
external-access:
 λ ssh -vvL 192.168.0.209:22:82.4.76.15:80 -N 127.0.0.1
OpenSSH_9.3p1, OpenSSL 1.1.1t  7 Feb 2023
debug1: Reading configuration data /usr/local/etc/ssh/ssh_config
debug2: resolve_canonicalize: hostname 127.0.0.1 is address
debug1: Connecting to 127.0.0.1 [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /Users/iridium/.ssh/id_rsa type -1
debug1: identity file /Users/iridium/.ssh/id_rsa-cert type -1
debug1: identity file /Users/iridium/.ssh/id_ecdsa type -1
debug1: identity file /Users/iridium/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/iridium/.ssh/id_ecdsa_sk type -1
debug1: identity file /Users/iridium/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /Users/iridium/.ssh/id_ed25519 type -1
debug1: identity file /Users/iridium/.ssh/id_ed25519-cert type -1
debug1: identity file /Users/iridium/.ssh/id_ed25519_sk type -1
debug1: identity file /Users/iridium/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /Users/iridium/.ssh/id_xmss type -1
debug1: identity file /Users/iridium/.ssh/id_xmss-cert type -1
debug1: identity file /Users/iridium/.ssh/id_dsa type -1
debug1: identity file /Users/iridium/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.3
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.1
debug1: compat_banner: match: OpenSSH_8.1 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 127.0.0.1:22 as 'iridium'
debug1: load_hostkeys: fopen /Users/iridium/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /usr/local/etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /usr/local/etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: [email protected],curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],rsa-sha2-512,rsa-sha2-256
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[email protected],zlib
debug2: compression stoc: none,[email protected],zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[email protected]
debug2: compression stoc: none,[email protected]
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:oSqYqE4r3wfOyhMupdNyfEadeUKiQ+tO5jhYWehhQII
debug1: load_hostkeys: fopen /Users/iridium/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /usr/local/etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /usr/local/etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '127.0.0.1' is known and matches the ED25519 host key.
debug1: Found key in /Users/iridium/.ssh/known_hosts:5
debug2: ssh_set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug2: ssh_set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug2: get_agent_identities: ssh_agent_bind_hostkey: agent refused operation
debug1: get_agent_identities: ssh_fetch_identitylist: agent contains no identities
debug1: Will attempt key: /Users/iridium/.ssh/id_rsa
debug1: Will attempt key: /Users/iridium/.ssh/id_ecdsa
debug1: Will attempt key: /Users/iridium/.ssh/id_ecdsa_sk
debug1: Will attempt key: /Users/iridium/.ssh/id_ed25519
debug1: Will attempt key: /Users/iridium/.ssh/id_ed25519_sk
debug1: Will attempt key: /Users/iridium/.ssh/id_xmss
debug1: Will attempt key: /Users/iridium/.ssh/id_dsa
debug2: pubkey_prepare: done
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/iridium/.ssh/id_rsa
debug1: Trying private key: /Users/iridium/.ssh/id_ecdsa
debug1: Trying private key: /Users/iridium/.ssh/id_ecdsa_sk
debug1: Trying private key: /Users/iridium/.ssh/id_ed25519
debug1: Trying private key: /Users/iridium/.ssh/id_ed25519_sk
debug1: Trying private key: /Users/iridium/.ssh/id_xmss
debug1: Trying private key: /Users/iridium/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req: entering
debug2: input_userauth_info_req: num_prompts 1
([email protected]) Password:
debug2: input_userauth_info_req: entering
debug2: input_userauth_info_req: num_prompts 0
Authenticated to 127.0.0.1 ([127.0.0.1]:22) using "keyboard-interactive".
debug1: Local connections to 192.168.0.209:22 forwarded to remote address 82.4.76.15:80
debug1: Local forwarding listening on 192.168.0.209 port 22.
bind [192.168.0.209]:22: Permission denied
channel_setup_fwd_listener_tcpip: cannot listen to port: 22
Could not request local forwarding.
debug2: fd 3 setting TCP_NODELAY
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: pledge: filesystem
debug1: client_input_global_request: rtype [email protected] want_reply 0
debug1: client_input_hostkeys: searching /Users/iridium/.ssh/known_hosts for 127.0.0.1 / (none)
debug1: client_input_hostkeys: searching /Users/iridium/.ssh/known_hosts2 for 127.0.0.1 / (none)
debug1: client_input_hostkeys: hostkeys file /Users/iridium/.ssh/known_hosts2 does not exist
debug1: client_input_hostkeys: host key found matching a different name/address, skipping UserKnownHostsFile update
debug1: pledge: network
^CKilled by signal 2.
```

Another cmd to port forward; this hangs also:

```
external-access:
 λ ssh -p 22 [email protected]
^C
external-access:
 λ ssh -vvp 22 [email protected]
OpenSSH_9.3p1, OpenSSL 1.1.1t  7 Feb 2023
debug1: Reading configuration data /usr/local/etc/ssh/ssh_config
debug2: resolve_canonicalize: hostname 82.4.76.15 is address
debug1: Connecting to 82.4.76.15 [82.4.76.15] port 22.
^C
```

Nickotine
  • On most Unix systems, [unprivileged users cannot bind to ports below 1024](https://unix.stackexchange.com/questions/10735/allowing-a-regular-user-to-listen-to-a-port-below-1024); this is Mac OS, right? – Marcus Müller Jun 07 '23 at 23:31
  • I tried changing the sudo password but it never works when I try the cmd, thanks – Nickotine Jun 08 '23 at 19:37

2 Answers

`ssh -L 192.168.0.209:22:82.4.76.15:80 -N 127.0.0.1` would attempt to set up a TCP proxy on port 22 of 192.168.0.209, but that port probably already has the sshd of your macOS, and as Marcus Müller said, you probably need root privileges to bind tunnels to local ports below 1024.

Then, any program connecting to 192.168.0.209:22 would have its connection forwarded to the sshd at the other end of the SSH connection, and connected from there using regular TCP to port 80 at IP address 82.4.76.15. So this port forwarding is outbound: it cannot allow inbound access from outside your network.


If you want to allow inbound access with SSH port forwarding, you'll need remote forwarding (-R) instead. You'll also need some host that a) you can access with SSH, and b) has a port you can use that is reachable from the internet.

So, for example, if you can SSH to Internet-accessible host 12.34.56.78, and it allows you to set up port forwardings and its port 2222 is not firewalled from the Internet, you could do this:

```
ssh -R 2222:127.0.0.1:22 -N 12.34.56.78
```

The computer you ran this command in would then have to stay powered on in your home network, to keep the port forwarding up.

Then on another computer on the internet, you could do `ssh -p 2222 12.34.56.78` to connect to the host on your home network that you set up the SSH forwarding in. The proxy on 12.34.56.78's port 2222 would pass the incoming connection over the SSH tunnel to the host you ran the first ssh command in, and there the SSH client would pass the connection to port 22 on 127.0.0.1, allowing you to connect to your own system with SSH using IP address 12.34.56.78 and port 2222.

Using SSH is fine if you want a temporary port forwarding and have an SSH-accessible host you can use with a public IP address. But if 82.4.76.15 is the internet-side address of your internet router (i.e. that IP address is listed in your router's configuration), configuring an inbound port forwarding on your router would not require an external SSH-accessible host.

But if the internet-side interface of your router only has a non-public IP address, you are behind a carrier-grade NAT and cannot get inbound connections without first using an outbound connection to set up a tunnel through some external host, like described above with `ssh -R`.

telcoM
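The forwarding semantics described in this answer, and the privileged-port point from Marcus Müller's comment, as a pre-flight script. This is an added example, not code from the question or from either answer: it parses an OpenSSH `[bind_address:]port:host:hostport` spec, states which side ends up listening, refuses a listen port below 1024 for a non-root uid (the `bind [192.168.0.209]:22: Permission denied` above), and prints the `ssh` command line for a long-lived tunnel without connecting anywhere. The uid 501 in the demo is a constructed stand-in for an ordinary macOS user; 12.34.56.78 is the example relay host from the answer. `ExitOnForwardFailure`, `ServerAliveInterval` and `ServerAliveCountMax` are standard ssh options.

```shell
#!/bin/sh
# Added example (not from the question or the answers): pre-flight checks for
# an OpenSSH port-forward spec, catching the two problems on this page before
# ssh is run:
#   1. a listen port below 1024 requested by a non-root user ("Permission denied")
#   2. choosing -L when inbound access is wanted (-L only proxies outbound)
# Spec grammar handled: [bind_address:]port:host:hostport with IPv4 addresses
# or hostnames (bracketed IPv6 bind addresses are out of scope here).

# Split the spec into FWD_BIND, FWD_PORT, FWD_HOST, FWD_HPORT.
# Returns 1 when the field count, the host, or either port is not valid.
parse_forward_spec() {
    spec=$1
    FWD_BIND=""; FWD_PORT=""; FWD_HOST=""; FWD_HPORT=""
    old_ifs=$IFS; IFS=:; set -f; set -- $spec; set +f; IFS=$old_ifs
    case $# in
        3) FWD_PORT=$1; FWD_HOST=$2; FWD_HPORT=$3 ;;
        4) FWD_BIND=$1; FWD_PORT=$2; FWD_HOST=$3; FWD_HPORT=$4 ;;
        *) return 1 ;;
    esac
    for p in "$FWD_PORT" "$FWD_HPORT"; do
        case $p in ''|*[!0-9]*) return 1 ;; esac      # digits only
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    [ -n "$FWD_HOST" ] || return 1
    return 0
}

# Can a process running as numeric uid $2 bind TCP port $1 on a typical Unix
# (macOS included)? Ports below 1024 need uid 0. For -R the relevant uid is
# the one you log in as on the SSH server, because sshd creates the listener.
# This does not detect a port that is merely already in use (sshd on 22).
port_bindable_by() {
    port=$1; uid=$2
    if [ "$port" -lt 1024 ] && [ "$uid" -ne 0 ]; then
        return 1
    fi
    return 0
}

# One line saying where the listener lives and where connections end up.
describe_forward() {
    mode=$1; spec=$2
    parse_forward_spec "$spec" || { echo "malformed forward spec: $spec" >&2; return 1; }
    bind=${FWD_BIND:-127.0.0.1}    # OpenSSH binds to loopback when no address is given
    case $mode in
        -L) printf 'ssh client listens on %s:%s; connections are carried to the SSH server and from there to %s:%s (outbound use only)\n' \
                "$bind" "$FWD_PORT" "$FWD_HOST" "$FWD_HPORT" ;;
        -R) printf 'SSH server listens on %s:%s; connections come back through the tunnel and the client delivers them to %s:%s (inbound access)\n' \
                "$bind" "$FWD_PORT" "$FWD_HOST" "$FWD_HPORT" ;;
        *)  echo "mode must be -L or -R" >&2; return 1 ;;
    esac
}

# Direction + bindability in one call. $3 is the uid that will own the
# listener: your local uid for -L, your login uid on the server for -R.
preflight() {
    mode=$1; spec=$2; uid=$3
    describe_forward "$mode" "$spec" || return 1
    if ! port_bindable_by "$FWD_PORT" "$uid"; then
        echo "refusing: port $FWD_PORT is below 1024 and uid $uid is not root (ssh would report 'Permission denied')" >&2
        return 1
    fi
}

# Assemble (only print) the command line for a long-lived -N tunnel.
# ExitOnForwardFailure makes ssh exit instead of staying connected with no
# listener, which is what looked like a hang in the question; the ServerAlive
# options tear down a tunnel whose far end has silently gone away.
tunnel_cmd() {
    mode=$1; spec=$2; server=$3
    printf 'ssh -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -N %s %s %s\n' \
        "$mode" "$spec" "$server"
}

# Demo with the values from this page; uid 501 is a constructed non-root uid.
preflight -L '192.168.0.209:22:82.4.76.15:80' 501 || echo "-> this is the failure in the question"
preflight -R '2222:127.0.0.1:22' 501 && tunnel_cmd -R '2222:127.0.0.1:22' 12.34.56.78
```

Two caveats the script cannot check for you: sshd binds a `-R` listener to the relay's loopback interface unless `GatewayPorts` is enabled in its `sshd_config`, so `ssh -p 2222 12.34.56.78` from the internet only works once that is set; and a privileged listen port on the relay still needs a root login there, so pick a high port such as 2222 rather than fighting the 1024 limit.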
All I had to do was open port 22 on my router settings page and now I can ssh externally (using my phone connected to 4G not wifi and the external ip address of my computer) to my local machine without using any cmd.

Steps:

Log in to the router page and open port 22 for the local machine IP.

Then:

```
# on local machine find external ip
curl -s https://ipinfo.io/ip

# on device not connected to wifi
ssh <user>@<output of cmd above>
```

Nickotine