Effect of `ssh -D me@localhost`


My setup: Router is a TP-Link C7 v5 running on an OpenWrt 19.07.8 custom image. An openssh server runs in it.

If I were to SSH into this router and to run (where me represents a user account)

ssh -D me@localhost

Would that create a dynamic forward to the router itself and listening on all interfaces (including WAN)?

If yes, does that mean anybody having access to Internet could use my router for a SOCKS proxy (simply by setting their SOCKS5 proxy to where represents my public I.P. address)?

Oh yes, guidance on bind address seems to say that you need GatewayPorts yes in /etc/ssh/sshd_config. Suppose I did that.

I am not proposing to do this. I am trying to learn how things work.

Assuming I got that much right, what would be a bind address that says, "Accept a forward request from all machines within LAN but from the Internet"?

Thanks very much.

If it were valid, it means the process/client would have a proxy, as always. That doesn't change.

Your iptables/nftables by default should deny req from WAN and allow req from LAN. So you are fine.


Thank you.

I see that the default firewall settings for WAN on LuCI look like this:

Input : reject
Output : accept
Forward : reject

What would be the way to make the proxy listen on all interfaces then? Would it be to set "Input : accept"? Since the request comes from WAN and wants to go to WAN (unless the Web contents were within the router's LAN), that should do it?

Would another method be to put in a "port forward" or "redirect" rule whereby is forwarded to, where "" represents the router's LAN-side address?

(Again, not proposing to do this.)