Just to say, I don’t condone bypassing firewalls, but if needs must to get a job done, here’s how.
So we’ve all worked in places with restrictive firewalls that make our life as admins difficult. It’s easy enough to tunnel out of most firewalls if you have an SSH server on the outside; you can even set it to run on port 443 if you can’t get out on 22. You can then use a dynamic tunnel, using the -D flag for SSH, to bounce outside the restrictions. But what if you need to do something a bit extra? What if you need to access your desktop machine from outside of your network but the VPN solution your company supplies doesn’t deliver? Well, SSH can be your friend here too. Reverse SSH tunnels are going to get you right into the heart of the corporate network and probably expose how lax the security really is where you work, but hey, if you’ve got a job to do, this will just let you get on with it.
Firstly, you’re going to need to initiate this from your corporate desktop in advance. You’re also going to need a “jump box” SSH server you can hit on the internet, and finally you’ll need your local desktop.
Your corporate machine needs SSH running as a service as well. From it, you need to make an SSH connection out to your jump box, but allow connections back in down that SSH connection you’ve just opened. It’s easier than it sounds:
On the corporate machine:
ssh -R 2100:localhost:22 <USER>@<YOUR_JUMP_BOX>
This opens an SSH connection to your jump box and sets up port 2100 on the jump box to forward back down the tunnel to your corporate machine on port 22.
Now for the funky stuff. You want to use your local desktop browser to surf the web but appear as if you are in the office IP range. So let’s first connect to the jump box from the local desktop and open a new normal SSH tunnel:
On your local desktop outside the network:
ssh -L 8080:127.0.0.1:2101 <USER>@<YOUR_JUMP_BOX>
Don’t worry if you get errors like the following; it’s purely because we haven’t connected the two tunnels to each other:
channel 3: open failed: connect failed: Connection refused
channel 4: open failed: connect failed: Connection refused
OK, now time to connect the two SSH tunnels together. In the SSH connection you just created as shown above, type the following into the shell of the jump box:
On the jump box:
ssh -p 2100 -D 2101 localhost
This not only joins your dynamic tunnel to your reverse tunnel and SSHes into the corporate machine, but also allows HTTP traffic to flow between the local desktop and corporate machine using a SOCKS proxy! Your local desktop forwards traffic on port 8080 to the jump box, which in turn passes it to port 2101 on the jump box itself (localhost). Port 2101 is the SOCKS listener of the SSH session that runs down the reverse tunnel to your corporate machine, so the traffic exits from there and you can browse the web.
Now all that’s left to do is tell your browser on your local desktop to use a proxy: the details will be localhost port 8080 and the type is SOCKS 5. Now you can browse the web as if you’re in the office and access local intranets, and you also have a shell open to your desktop to do some work that can only be completed from inside.
I hope you all find this useful, and no doubt you’ll be able to forward all kinds of traffic in a similar way!
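
Seen from the defender's side, each of the three commands above shows its forwarding request in the process list of the machine it runs on. The following is an added example, not part of the original post: a Python script that scans ssh command lines for -R, -L and -D requests. The function names, sample command lines and host names are constructed for illustration.

```python
import shlex

# ssh(1) options that take an argument; their value must not be read as flags.
OPTS_WITH_ARG = set("BbcDEeFIiJLlmOoPpQRSWw")
FORWARD_KINDS = {"R": "remote", "L": "local", "D": "dynamic"}

def find_forwards(cmdline):
    """Return [(kind, spec), ...] for each -R/-L/-D on one ssh command line."""
    argv = shlex.split(cmdline)
    if not argv or argv[0].rsplit("/", 1)[-1] != "ssh":
        return []
    found, host_seen, i = [], False, 1
    while i < len(argv):
        arg = argv[i]
        i += 1
        if arg == "-" or not arg.startswith("-"):
            if host_seen:
                break            # start of the remote command, stop parsing
            host_seen = True     # ssh still accepts options after the host
            continue
        for pos, ch in enumerate(arg[1:], start=1):
            if ch not in OPTS_WITH_ARG:
                continue         # boolean flag such as -f or -N
            value = arg[pos + 1:]
            if not value and i < len(argv):
                value, i = argv[i], i + 1   # value is the next argument
            if ch in FORWARD_KINDS:
                found.append((FORWARD_KINDS[ch], value))
            break                # rest of this argument was the value
    return found

def audit(cmdlines):
    """Keep only the command lines that request a forward."""
    return {c: f for c in cmdlines if (f := find_forwards(c))}

# Constructed sample input: the three commands from this post, a combined-flag
# variant, and a plain login. User and host names are placeholders.
SAMPLE = [
    "ssh -R 2100:localhost:22 user@jump.example.net",
    "ssh -L 8080:127.0.0.1:2101 user@jump.example.net",
    "ssh -p 2100 -D 2101 localhost",
    "/usr/bin/ssh -fNR2100:localhost:22 user@jump.example.net",
    "ssh -i /home/user/.ssh/id_ed25519 admin@db01.example.net uptime",
]

if __name__ == "__main__":
    for line, forwards in audit(SAMPLE).items():
        for kind, spec in forwards:
            print(f"{kind:8} {spec:22} <- {line}")
```

Forwards set through -o or in ssh_config (RemoteForward, LocalForward, DynamicForward) never appear on the command line, so server-side sshd_config controls such as AllowTcpForwarding remain the stronger check.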




