SSH port forwarding - case, command and server configuration

Posted by X74SY on Sat, 29 Jan 2022 04:37:36 +0100


Three forwarding types

  • Local forwarding (-L)
  • Remote forwarding (-R)
  • Dynamic forwarding (-D)

Simple picture: three machines A, B and C. A and C cannot reach each other directly, but B can reach both, so A and C talk to each other by forwarding through B.

Local SSH port forwarding

Maps a port that the SSH server can reach (on itself or on a host behind it) to a port on the local machine. The usual case: A wants to reach a service on C but cannot connect to C directly, while B (the jump host) can, so A logs in to B and has B make the connection to C.

(If all you need is a shell on C, the -J option jumps through B directly: ssh -J B C. Port forwarding is for reaching a service on C from A.)

Access path: you (or another host on your LAN) --> local machine:port --> SSH tunnel --> jump host --> remote service:port

Command:

ssh -L [bind_address:]port:host:hostport user@jump_host
ssh -L 0.0.0.0:8080:HOST_C:8080 root@HOST_A			# HOST_A is the SSH server (jump host); HOST_C is resolved and connected to from HOST_A. bind_address may be omitted; the default is 127.0.0.1
ssh -L 127.0.0.1:8080:HOST_C:8080 root@HOST_A		# 127.0.0.1: only programs on this machine can use the forward. 0.0.0.0: every host that can reach this machine's port 8080 gets a path to HOST_C:8080, so use it only when that is intended

Example:

* `ssh -L 8000:10.10.30.3:10000 10.10.20.2`  # Log in to 10.10.20.2 over ssh and map port 10000 of 10.10.30.3 (as reached from 10.10.20.2) to local port 8000
* `ssh -L 10086:localhost:10086 10.10.20.2` 	# Map port 10086 of 10.10.20.2 itself to local port 10086; "localhost" is resolved on the SSH server, not on the local machine

Remote port forwarding

Maps a port of the local machine (or of another host on the local LAN) to a port on the server. Usually used to expose a service to the outside, because the server has a public IP address and the local machine does not.

Access path: user --> server:port --> SSH tunnel --> local host --> local service port (or another LAN host)

Important:

By default, OpenSSH binds a remote-forwarded port on the server to the loopback address, so only connections made from the server host itself reach it; ss -tlnp or netstat -anlp on the server shows it listening on 127.0.0.1:port.
For other hosts to reach it through the server's IP address it has to listen on 0.0.0.0:port (or on the server's own address).
This is controlled by GatewayPorts in the server's /etc/ssh/sshd_config (modify the line or add one, then reload or restart sshd). It takes one of three values:
GatewayPorts no			(default: remote forwards bind to loopback and are reachable only from the server host)
GatewayPorts yes		(remote forwards bind to the wildcard address; anyone who can reach the server can connect to the forwarded port)
GatewayPorts clientspecified	(the client chooses the bind address with -R; if it gives none, sshd still binds to loopback; an empty bind address or "*" means all interfaces)

Command:

ssh -R [bind_address:]port:host:hostport user@server		# bind_address:port is the listener sshd opens on the server; host:hostport is where the local ssh delivers each connection, resolved from the local machine

Example:

  • ssh -R 10.20.20.2:3306:localhost:3306 10.20.20.2 # maps local port 3306 to port 3306 on the remote server 10.20.20.2, bound to the server's own address (needs GatewayPorts clientspecified or yes)
  • ssh -R 10.20.20.2:3306:192.168.2.5:3306 10.20.20.2 # maps port 3306 of 192.168.2.5 on the local LAN to port 3306 on the remote server 10.20.20.2
  • ssh -R 0:localhost:3306 10.20.20.2 # maps local port 3306 to a port chosen by the server; the first line of output says which one, e.g. "Allocated port 41389 for remote forward to localhost:3306"
  • ssh -R 52.194.1.73:8080:localhost:80 xxxxx # sshd binds port 8080 on 52.194.1.73, which must be an address of the server xxxxx, and connections to it reach local port 80. Requires GatewayPorts clientspecified (or yes). The bind address selects the server interface to listen on; it does not restrict which clients may connect
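A check for what a forward actually exposes, added here as an example and not part of the original post. It answers both the 127.0.0.1-versus-0.0.0.0 question for -L and the "is my -R port really bound to loopback?" check above by classifying listening sockets from the text that ss -ltn prints. The sample output is constructed (it reuses the post's port numbers and the address 52.194.1.73); on a real host run it on the machine that holds the listening end, i.e. the local machine for -L and -D and the server for -R.

```python
"""Classify what a forwarded port is exposed to, from ss -ltn output.
Added example, not code from the original post.  The sample below is
constructed to look like a machine holding a -L listener on 8080 bound to
0.0.0.0, an -R listener on 3306 on loopback (the sshd default) and an -R
listener on 9000 bound to one specific address."""
import ipaddress
import subprocess

# Constructed sample of `ss -ltn` output, not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128     [::1]:3306           [::]:*
LISTEN  0       128     0.0.0.0:8080         0.0.0.0:*
LISTEN  0       128     [::]:8080            [::]:*
LISTEN  0       128     52.194.1.73:9000     0.0.0.0:*
"""


def split_addr_port(field):
    """Split ss's 'addr:port' field.  Current ss prints IPv6 as '[addr]:port';
    older versions print '*:port' and ':::port' for the wildcard addresses."""
    addr, _, port = field.rpartition(":")
    return addr.strip("[]"), int(port)


def classify(addr):
    """'loopback', 'wildcard' or 'specific' for one listening address."""
    if addr in ("*", ""):
        return "wildcard"
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:          # 0.0.0.0 or ::
        return "wildcard"
    return "specific"


def exposure_by_port(ss_text):
    """Map port -> widest exposure among all sockets listening on that port."""
    rank = {"loopback": 0, "specific": 1, "wildcard": 2}
    result = {}
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue                   # header line or non-listening socket
        addr, port = split_addr_port(fields[3])
        kind = classify(addr)
        if port not in result or rank[kind] > rank[result[port]]:
            result[port] = kind
    return result


def only_local(port, ss_text):
    """True when every listener on the port is reachable from this host only."""
    return exposure_by_port(ss_text).get(port) == "loopback"


if __name__ == "__main__":
    # Real use: run on the machine holding the listener (local for -L/-D,
    # the server for -R) and read the live ss output.
    live = subprocess.run(["ss", "-ltn"], capture_output=True,
                          text=True, check=True).stdout
    for port, kind in sorted(exposure_by_port(live).items()):
        print("%5d  %s" % (port, kind))
```

A port that shows up as "wildcard" on the server after an -R is the sign that GatewayPorts is yes, or clientspecified with a wildcard bind address; "specific" means the client named one server address, and "loopback" is the default. Running the same check on the local machine after an -L or -D tells you whether the LAN can use the tunnel.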

Server side configuration

The AllowTcpForwarding option in the OpenSSH server configuration controls whether sshd performs TCP forwarding at all, local and remote alike.

It is on by default. The possible values are:

  • yes or all: allow local and remote TCP forwarding
  • no: refuse all TCP forwarding (sshd_config(5) notes this adds no security unless users are also denied shell access, since a user with a shell can run their own forwarder)
  • local: allow only local forwarding (-L, and -D, which is a local listener too)
  • remote: allow only remote forwarding (-R)

Another option is AllowStreamLocalForwarding, which covers forwarding of Unix domain sockets. It takes the same values as AllowTcpForwarding; the default is yes.

AllowTcpForwarding remote 
AllowStreamLocalForwarding no
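An added example (not code from the original post) that reads the forwarding directives from a constructed sshd_config fragment the way sshd applies them: the first occurrence of a keyword wins, keywords are case-insensitive, and directives after a Match line apply only to matching connections. On a real server `sshd -T` (and `sshd -T -C user=NAME` to evaluate Match blocks for a user) prints the effective configuration and is the authoritative check; the parser below exists to show the rules and to spell out what the permissive settings allow. The "backup" user in the sample is a placeholder.

```python
"""Read the forwarding directives as sshd applies them.  Added example, not
code from the original post.  Rules that matter: the FIRST occurrence of a
keyword wins (unlike most config files), keywords are case-insensitive,
and everything after a Match line applies only to matching connections."""

# Constructed sshd_config fragment.  The second AllowTcpForwarding line
# has no effect because the first occurrence wins; the lines under Match
# apply only to the user "backup" (a placeholder name).
SAMPLE_SSHD_CONFIG = """\
# forwarding policy
allowtcpforwarding remote
AllowTcpForwarding no
GatewayPorts clientspecified
Match User backup
    AllowTcpForwarding no
    GatewayPorts no
"""

# sshd defaults for the directives that govern forwarding.
DEFAULTS = {
    "allowtcpforwarding": "yes",
    "allowstreamlocalforwarding": "yes",
    "gatewayports": "no",
    "permitopen": "any",      # destinations -L/-D may connect to
    "permitlisten": "any",    # ports -R may bind on the server
}


def directives(text):
    """Yield (keyword, value) for the global section, keyword lower-cased,
    accepting 'Key value' and 'Key=value'.  Every Match line is yielded as
    ('match', criteria); directives inside Match blocks are skipped."""
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            yield key, value
        elif not in_match:
            yield key, value


def effective_forwarding_settings(text):
    """Return ({directive: effective value}, [Match criteria seen])."""
    settings = {}
    matches = []
    for key, value in directives(text):
        if key == "match":
            matches.append(value)
        elif key in DEFAULTS:
            settings.setdefault(key, value.lower())   # first one wins
    for key, default in DEFAULTS.items():
        settings.setdefault(key, default)
    return settings, matches


def findings(settings):
    """Plain-language notes on what the effective settings permit."""
    notes = []
    tcp = settings["allowtcpforwarding"]
    if tcp in ("yes", "all"):
        notes.append("local and remote TCP forwarding allowed")
    elif tcp == "local":
        notes.append("only -L/-D allowed; -R refused")
    elif tcp == "remote":
        notes.append("only -R allowed; -L/-D refused")
    else:
        notes.append("TCP forwarding refused (a user with a shell can still "
                     "run their own forwarder)")
    gw = settings["gatewayports"]
    if gw == "yes":
        notes.append("-R listeners bind to all interfaces: anyone who can "
                     "reach the server can use them")
    elif gw == "clientspecified":
        notes.append("-R bind address chosen by the client; no address given "
                     "means loopback")
    else:
        notes.append("-R listeners bound to loopback only")
    if settings["permitlisten"] == "any":
        notes.append("PermitListen not set: -R may bind any unprivileged port")
    if settings["permitopen"] == "any":
        notes.append("PermitOpen not set: -L/-D may connect anywhere the "
                     "server can")
    return notes


if __name__ == "__main__":
    settings, matches = effective_forwarding_settings(SAMPLE_SSHD_CONFIG)
    for note in findings(settings):
        print(note)
    for criteria in matches:
        print("overrides exist for: Match " + criteria)
```

The Match handling is the part people miss when auditing by eye: a global AllowTcpForwarding no looks airtight until a later Match block re-enables it for one group, and a global yes can be narrowed per user the same way. PermitOpen and PermitListen are the finer-grained controls when forwarding has to stay on but only for known destinations or ports.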

Dynamic port forwarding

With dynamic forwarding you do not name the target host or port on the command line. The local end listens as a SOCKS proxy (SOCKS4, SOCKS4a and SOCKS5 are supported), and each connecting program tells the proxy, inside the SOCKS request, which host and port it wants; ssh then opens a channel to that destination from the server.

In short, everything sent to the SOCKS listener is carried through the SSH server, so you can reach every address the server can reach.

Command:

ssh -D [bind_address:]port user@server		# bind_address defaults to 127.0.0.1, as with -L

Example:

# How to use?
For example:
	* Point the browser's SOCKS proxy at the address and port given to -D (127.0.0.1:port by default), and have it resolve DNS through the proxy as well, so name lookups happen on the server side
	* With ssh -D 5000 user@host1 running: ssh -o ProxyCommand='/usr/bin/nc -X 5 -x 127.0.0.1:5000 %h %p' user@host2 # log in to host2 through the SOCKS proxy; this needs the OpenBSD netcat (-X 5 selects SOCKS5, -x names the proxy)
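The SOCKS5 exchange that a browser or the nc ProxyCommand above has with the -D listener, as an added example that is not code from the original post. It shows where the destination host and port actually travel: not on the ssh command line but inside the CONNECT request, which the listener accepts with the no-authentication method. Sending the target as a domain name (ATYP 3) makes the SSH server resolve it, which is the "DNS through the proxy" point above. The server reply used in the test is constructed; user@jump and port 5000 in the main block are placeholders.

```python
"""SOCKS5 exchange between a client program and the listener opened by
ssh -D.  Added example, not code from the original post.  The listener
offers the no-authentication method and CONNECT; the destination host and
port travel inside the CONNECT request.  Replies below are constructed."""
import socket
import struct

SOCKS_VERSION, NO_AUTH, CMD_CONNECT = 0x05, 0x00, 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {0: "succeeded", 1: "general SOCKS server failure",
              2: "connection not allowed by ruleset", 3: "network unreachable",
              4: "host unreachable", 5: "connection refused", 6: "TTL expired",
              7: "command not supported", 8: "address type not supported"}


def greeting():
    """Client hello: version 5, one method offered, NO AUTHENTICATION."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def connect_request(host, port):
    """CONNECT request.  A literal IPv4/IPv6 address is sent as such; any other
    name goes as ATYP 3 so the SSH server resolves it (no DNS leaves the client)."""
    head = bytes([SOCKS_VERSION, CMD_CONNECT, 0x00])
    for family, atyp in ((socket.AF_INET, ATYP_IPV4),
                         (socket.AF_INET6, ATYP_IPV6)):
        try:
            packed = socket.inet_pton(family, host)
        except OSError:
            continue
        return head + bytes([atyp]) + packed + struct.pack("!H", port)
    name = host.encode("idna")
    if not 1 <= len(name) <= 255:
        raise ValueError("domain name must be 1..255 bytes")
    return head + bytes([ATYP_DOMAIN, len(name)]) + name + struct.pack("!H", port)


def parse_reply(data):
    """Decode a server reply into (status, text, bound address, bound port)."""
    if len(data) < 5 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    status, atyp = data[1], data[3]
    addr_len = {ATYP_IPV4: 4, ATYP_IPV6: 16, ATYP_DOMAIN: 1 + data[4]}.get(atyp)
    if addr_len is None:
        raise ValueError("unknown address type %d" % atyp)
    end = 4 + addr_len + 2
    if len(data) < end:
        raise ValueError("truncated reply")
    raw = data[4:4 + addr_len]
    if atyp == ATYP_IPV4:
        bound = socket.inet_ntop(socket.AF_INET, raw)
    elif atyp == ATYP_IPV6:
        bound = socket.inet_ntop(socket.AF_INET6, raw)
    else:
        bound = raw[1:].decode("idna")
    port = struct.unpack("!H", data[4 + addr_len:end])[0]
    return status, REPLY_TEXT.get(status, "unknown"), bound, port


def recv_exactly(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf


def socks5_connect(proxy, dest_host, dest_port):
    """Run the exchange against the listener at proxy, e.g. ("127.0.0.1", 5000)
    for ssh -D 5000, and return a socket connected to dest through it.  OpenSSH
    answers CONNECT with status 0 before the channel to the destination is up,
    so a refused destination shows as the socket closing afterwards."""
    sock = socket.create_connection(proxy)
    sock.sendall(greeting())
    version, method = recv_exactly(sock, 2)
    if version != SOCKS_VERSION or method != NO_AUTH:
        sock.close()
        raise ConnectionError("proxy rejected the no-authentication method")
    sock.sendall(connect_request(dest_host, dest_port))
    head = recv_exactly(sock, 4)
    if head[3] == ATYP_DOMAIN:
        length = recv_exactly(sock, 1)
        rest = length + recv_exactly(sock, length[0] + 2)
    else:
        rest = recv_exactly(sock, (4 if head[3] == ATYP_IPV4 else 16) + 2)
    status, text, _, _ = parse_reply(head + rest)
    if status != 0:
        sock.close()
        raise ConnectionError("SOCKS5 CONNECT failed: " + text)
    return sock


if __name__ == "__main__":
    # Assumes "ssh -N -D 5000 user@jump" is running in another terminal.
    s = socks5_connect(("127.0.0.1", 5000), "example.com", 80)
    s.sendall(b"HEAD / HTTP/1.0\r\nHost: example.com\r\n\r\n")
    print(s.recv(256).decode(errors="replace"))
    s.close()
```

curl makes the same distinction on its command line: --socks5 resolves the name locally and sends an IP in the request, --socks5-hostname sends the name so the server resolves it; only the second keeps DNS inside the tunnel.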

matters needing attention

  • The forwarding lives only as long as the SSH session: while the session is up the forward exists, and when the session drops the forward goes with it (ssh -N keeps a session open without running a remote command).
  • Unless the side that listens runs as root, the listening port has to be an unprivileged one (1024 or above); for -R that side is sshd on the server, which refuses privileged ports to non-root logins.

Topics: Linux network ssh