" Today I used the company environment to test the network tunnel. When I was writing half of the article, suddenly my boss came to me. I was really suffering!-Three minutes of programming "
Record of conversation with boss
Alert mail
I'm so miserable, I hope I won't be too miserable tomorrow.
Okay, let's start today's content.
Do you often encounter these troubles? Because of the company's security policy, you have to use the springboard machine instead of directly connecting to the development environment and use the database service that has been built above. In order to facilitate the release, the service on your own computer should not allow the development environment machine to be directly connected to the test. And when we are drinking coffee and connecting to free wifi at Starbucks, will all network requests be captured by ***?
Overview
SSH will automatically encrypt and decrypt all network data between the SSH client and server. However, SSH also provides a very useful feature, which is port forwarding. It can forward the network data of other TCP ports through the SSH link, and automatically provides corresponding encryption and decryption services. This process is sometimes called "tunneling" (tunneling). This is because SSH provides a secure channel for other TCP connections, avoiding the transmission of user names, passwords, and private information in plain text. For example, TCP applications such as Telnet, SMTP, and LDAP.
If the firewall in the work environment restricts the use of some network ports, but allows SSH connections, then it is also possible to use SSH to communicate by forwarding the TCP port. In general, SSH port forwarding can provide two major functions:
Encrypt communication data from SSH Client to SSH Server.
Break through the firewall restrictions to complete some TCP connections that could not be established before.
tunnel
Local forwarding
When the Mysql of the development machine can only be connected from the springboard, how can I skip the springboard to access the remote Mysql?
Mysql to access remote server
As shown in the figure above, we need to be clear that there are three roles now, client (SSH Client), springboard (SSH Server), and server.
The client can only connect to the springboard via ssh. The springboard can directly access all ports of the server. Mysql service is installed in the server and port 3306 is monitored.
At this time, we must use local forwarding to connect, the command rules are as follows
It seems very puzzling, there are only three unclear questions, what? where? how?
what : Use local forwarding to monitor a local port. When the application accesses this port, ssh will intercept the request and forward it to the server through the springboard as an intermediate medium. After the server processing is completed, the data returns to the original path to complete the entire link. The ssh service completes the operations of encryption, forwarding, decryption, and communication in this process.
where : do this on the client (also called local, SSH Client)
how : Use the following command to configure, you can access the local port 9527 and forward it to the server's 3306 port.
Interpreted as, when accessing port 9527 of the machine, it is encrypted and forwarded to the ssh service of the springboard, port 3306 of the server
Attention
SSH port forwarding is established through an SSH connection, and we must maintain this SSH connection to make the port forwarding effective. Once the connection is closed, the corresponding port forwarding will also be closed. ssh -g -L <local port>:<remote host>:<remote port> <SSH hostname>
We can only create port forwarding while establishing an SSH connection, but cannot add port forwarding to an existing SSH connection.
Well, we have established port forwarding locally, so since we are monitoring the local port 9527, will other machines also access the local port 9523 automatically forward it? For example, can a new client 2 be added to directly connect to port 9527 of the client? The answer is no. In mainstream SSH implementations, local port forwarding is bound to the lookback interface, which means that only localhost or 127.0.0.1 can use the local port forwarding, and connections initiated by other machines will only get "connection refused." ". Fortunately, SSH also provides the GatewayPorts keyword, we can share this local port forwarding with other machines by specifying it.
Of course, you are free to specify the remote host, if you want to access the service on the springboard in the machine, because the firewall can not access directly, then
remote host, andSSH hostnamemay be the same
Remote forwarding
A mysql service is deployed on my development machine. I want to connect to the mysql service on my development machine in the intranet after I go home. How do we get it?
Remote forwarding icon
We need to use a public network server to forward remote traffic. Due to the security policy, the internal network machine can connect to the external network machine, but the external network cannot access the internal network machine. We only need to forward the remote request to the correct intranet service. Its command format is:
what : Use remote forwarding to monitor a certain port of the public network server. When the application accesses this port, ssh will intercept the request, and forward it to the server that actually provides the service through the ssh client as an intermediary. After the server processing is completed, the data returns to the original path to complete the entire link.
where : run this command on the intranet server
how : Use the following command to configure, you can access the external network machine port 9527 forwarded to the 3306 port of the internal network server
让公网服务器监听9527端口的访问,如有访问,就加密后通过ssh服务转发请求到内网机器ssh客户端,再由内网机器ssh客户端解密后转发到内网机器3306端口。这听起来有点奇怪,因为这个时间内网服务器充当了两个角色,就是ssh客户端和server端。用下图的展示看起来更直观一点
有跳板机的远程转发
这个时候我们就可以在跳板机上使用命令
这个时候就是让公网服务器监听9527端口的访问,如有访问,就加密后通过ssh服务转发请求到跳板机ssh客户端上,再由ssh客户端解密后转发到内网机器3306端口上。
注意的点
必须保持ssh client到ssh server的 SSH 连接以使端口转发保持生效。一旦关闭了此连接,相应的端口转发也会随之关闭。
我们只能在建立 SSH 连接的同时创建端口转发,而不能给一个已经存在的 SSH 连接增加端口转发。
对于远程转发来说,
/etc/ssh/sshd_config里要把AllowTcpForwarding选项设置为yes,否则-R远程端口转发会失败。把/etc/sysctl.conf里的net.ipv4.ip_forward = 0设置为1默认转发到远程主机上的端口绑定的是127.0.0.1,如要绑定0.0.0.0需要把
/etc/ssh/sshd_config里的GatewayPorts选项设置为yes。这个选项如果由于权限没法打开也有办法,可配合ssh -L将端口绑定到0.0.0.0,如下ssh -R 127.0.0.1:9527:内网机器:3306 root@公网机器 ssh -L 0.0.0.0:9527:127.0.0.1:9527 [email protected]
本地转发与远程转发的区别与共同点
共同点:
都要保持ssh不要断掉
都是在建立链接的同时创建端口转发
都是转发请求
都是在ssh client上运行
区别:
本地转发是ssh client就是client,远程转发ssh client是server
本地转发是本地请求远程的服务,远程转发是远程请求本地的服务
实在理不清,听我的,转发是指转发请求,本地转发就是把本地的请求转发出去;远程转发就是把远程的请求转发过来。
动态转发
我有一台香~*港.服务器能科~学~上~网,凭什么我自己不能出#外~网!还真就可以。
前面我们已经讨论过了本地转发,远程转发,但是前提都是要求有一个固定的应用服务端的端口号。那如果没有端口号怎么办?等等,什么样的应用会没有这个端口号呢?嗯,比如说用浏览器,比如说 M.S.N 等等。
同时当我们在一个不安全的 WiFi 环境下上网,用 SSH 动态转发来保护我们的网页浏览及 p-a-y-p-a-l 信息无疑是十分必要的。
让我们先来看一下动态转发的命令格式:
动态转发
实际使用如下
怎么使用
1. 在浏览器里设置使用socks5代理127.0.0.1:9527,然后浏览器就可以访问host1所在网络内的任何IP了。推荐chrome浏览器switchyOmega插件设置为下就可以了。
switchyOmega
2. 如果是普通命令行应用,使用proxychains-ng,参考命令如下:
brew install proxychains-ngvim /usr/local/etc/proxychains.conf # 在ProxyList配置段下添加配置 "socks5 127.0.0.1 9527"proxychains-ng wget http://host2 # 在其它命令行前添加proxychains-ng即可
3. 如果是ssh,则用以下命令使用socks5代理:
ssh -o ProxyCommand='/usr/bin/nc -X 5 -x 127.0.0.1:5000 %h %p' user@host2
转发常用的参数
用法
-f 要求 ssh在执行命令前退至后台.它用于当ssh准备询问口令或密语,但是用户希望它在后台进行.该选项隐含了-n选项.
-N 不执行远程命令.用于转发端口.
-C Data compression is required (including stdin, stdout, stderr and forwarding X11 and TCP/IP connection data). The compression algorithm is the same as gzip(1). In the first version of the protocol, the compression level "level" is controlled by the CompressionLevel option. Compression The technology is useful on modem lines or other slow connections, but it may reduce the speed on high-speed networks. This parameter can be set separately for each host in the configuration file.
-g Allow remote hosts to connect to locally forwarded ports
-q Quiet mode. Eliminate all warnings and diagnostic messages
-T Prohibit allocating pseudo terminals
-n Redirect stdin to /dev/null (actually prevent reading data from stdin). This option must be used when ssh is running in the background. Its common technique is to run X11 programs remotely.
How to use Xshell to dynamically forward on windows machine
Unexpectedly that everyone is so enthusiastic, some friends have asked, can xshell be configured with a proxy in a windows machine? How are various IDEs and visualization tools used? Let me tell you.
First, create a springboard to connect to your machine, the properties of the tunnel ( the Tunnel added in) local forwarding , mapping the stepping stones to a local port of 1080. In this way, you can use proxy software locally to control your traffic to this port. As shown below:
Local forwarding
OK, then download a proxy software locally. I prefer to use proxifier. This software is very powerful. As long as you add proxy rules, you can distribute traffic to different places, as shown in the figure below:
The three rules in the picture above mean:
Rule 2: This rule is triggered when the visited host ip is 10.77.0.*, use socks5 to forward to port 1080 (you can't see which port to forward to, you can select it when editing)
Rule 3: If there is no match to the target host, direct connect directly
Rule 1: Match direct connection to localhost
The application field can also use regular expressions. For example, if yours is PyChram or QQ, you can write PyChram*; QQ*, depending on your process name.