I want to connect the VNC service of the remote machine through the ssh tunnel , I am
ssh -L
not familiar with the command, andman ssh
then I found 3 sets of parameters related to the tunnel (turnnel):ssh -D
,ssh -L
,ssh -R
, I was confused all of a sudden, so I decided to study it carefully.
What is an SSH Tunnel
Tunneling is a technology that encapsulates one network protocol into another network protocol for transmission. Here we study ssh tunneling, so all network communication is encrypted. Also known as port forwarding, because the ssh tunnel is usually bound to a local port, and all packets sent to this port port will be encrypted and transparently transmitted to the remote system.
Types of SSH Tunnels
There are 3 types of ssh tunnels:
- Dynamic port forwarding (Socks proxy)
- local port forwarding
- remote port forwarding
Dynamic port forwarding
Dynamic ports allow tunneling data to be forwarded to all remote addresses by configuring a local port. Local applications need to use the Socks protocol to communicate with the local port. At this point SSH acts as a Socks proxy server.
command format
ssh -D [bind_address:]port
Parameter Description
- bind_address specifies the bound IP address. By default, it will be bound to the local loopback address (ie 127.0.0.1). If it is empty or
*
not, all local IP addresses will be bound. If you want the bound port to be used only by this machine , which can be specified aslocalhost
. - port specifies the locally bound port
scenes to be used
Assuming that X network (192.168.18.0/24) has host A (192.168.18.100), Y network (192.168.2.0/24) has host B (192.168.2.100) and host C (192.168.2.101), it is known that host A can Host B is connected, but host C cannot be reached.
run on host A
$ ssh -D localhost:8080 root@192.168.2.100
Then the application on host A can pass
SOCKS5 localhost:8080
Access the service on host C.
advantage
- Configure a proxy service to access all services on the remote machine and its subnet
shortcoming
- The application requires additional configuration of a SOCKS proxy. If the application does not support proxy configuration, it cannot be used.
local port forwarding
Through the SSH tunnel, the address and port that can be accessed by a remote machine are mapped to a local port.
command format
ssh -L [bind_address:]port:host:hostport
Parameter Description
- bind_address specifies the bound IP address. By default, it will be bound to the local loopback address (ie 127.0.0.1). If it is empty or
*
not, all local IP addresses will be bound. If you want the bound port to be used only by this machine , which can be specified aslocalhost
. - port specifies the locally bound port
- host specifies the IP of the destination address of the packet forwarding. If the destination host and the ssh server are the same host, the parameter is specified as
localhost
- host_port specifies the destination port for packet forwarding
scenes to be used
Assuming that X network (192.168.18.0/24) has host A (192.168.18.100), Y network (192.168.2.0/24) has host B (192.168.2.100) and host C (192.168.2.101), it is known that host A can Host B is connected, but host C cannot be reached. Host A needs to access the VNC service of host C (port 5900)
Establish local forwarding port 5901 on host A
$ ssh -L 5901:192.168.2.101:5900 root@192.168.2.100
Then the local vnc client opens the vnc service of the c host through port 5901
$ open vnc://localhost:5901
advantage
- No need to set up a proxy
shortcoming
- Each service needs to be configured with different port forwarding
remote port forwarding
Remote port forwarding is used in some one-way blocking intranet environments, such as NAT and network firewalls. The internal network host behind the NAT device can directly access the public network host, but the external network host cannot access the services of the internal network host. If the internal network host establishes a remote forwarding port to the external network host, the external network host can access the services of the internal network host through this port. This intranet host can be understood as "internal response" and "door opener".
command format
ssh -R [bind_address:]port:host:hostport
Parameter Description
- bind_address specifies the bound IP address. By default, it will be bound to the local loopback address (ie 127.0.0.1). If it is empty or
*
not, all local IP addresses will be bound. If you want the bound port to be used only by this machine , which can be specified aslocalhost
. - port specifies the locally bound port
- host specifies the IP of the source address of the packet forwarding. If the source host and the ssh server are the same host, the parameter is specified as
localhost
- host_port specifies the packet forwarding source port
scenes to be used
Assuming that X network (192.168.18.0/24) has host A (192.168.18.100), Y network (192.168.2.0/24) has host B (192.168.2.100) and host C (192.168.2.101), it is known that host A can Log in to host B through SSH access, but the reverse direct connection is prohibited, and host B and host C can access each other. If host C wants to access the VNC service of host A (port 5900).
Run the following command on host A to enable remote port forwarding on host B.
$ ssh -R 5900:192.168.2.100:5901 root@192.168.2.100
Then host C connects to port 5901 of host B
$ open vnc://192.168.2.100:5901
advantage
- Can traverse firewalls and NAT devices
shortcoming
- Each service needs to be configured with different port forwarding
How to disable port forwarding
Set up the ssh service configuration file/etc/ssh/sshd_config
AllowTcpForwardingno