Using SSH to get through external network restrictions

Reproduced from: Zhihu, Li Yao

Link: https://zhuanlan.zhihu.com/p/444319023

Comic illustrations: Jiege

Text layout: Relief


The author ran into this scenario at work. Given the following two network restrictions, how can headquarters reach the internal web server at a branch?

  • The dmz server can reach port 22 of the headquarters server on the public network, but it cannot reach the web server;

  • The web server cannot reach the public network, but has unrestricted access to the dmz network.


The first ideas that come to mind are to publish the internal port to the public network or to set up a VPN, but neither is feasible without changing the network policy. Is there another way? Let's keep analysing the existing conditions from a purely network perspective.

Network communication is two-way: a request goes out and a response comes back, which is what we normally mean by "communication". The dmz can reach port 22 on the external server, so the request direction is open, and the return path for the responses is necessarily open as well. Can we use that return path to initiate access from the outside to the inside? Yes, we can. Let's try it; all we need is the ssh client.

We run the following command on the dmz server.

[root@dmz]#  ssh -f -N -g -R  6606:10.1.1.1:80 root@115.100.100.100

-f: go to the background once authentication has completed

-N: do not run a remote command; the session exists only to carry the port forward

-g: allow other hosts to connect to local forwarded ports (those created with -L or -D). It has no effect on a -R listener: whether the remote listener accepts connections from other hosts is decided by the remote sshd's GatewayPorts setting (default no, which is why the listener below is bound to 127.0.0.1) or by an explicit bind_address in the -R specification, which sshd also only honours when GatewayPorts allows it

-R port:host:hostport: remote port forwarding. The sshd on the remote side listens on port, and every connection to it is carried back through the tunnel and connected by the ssh client to host:hostport, which is resolved from the machine running ssh, not from the remote side

What does this combination do? We log in as root to 115.100.100.100, and the remote host starts listening on port 6606. A connection to that port is carried back through the ssh tunnel and delivered to port 80 on the dmz. Once the command has run on the dmz, the headquarters server is already listening:

[root@center]# netstat -tunlp | grep 6606
    tcp        0      0 127.0.0.1:6606          0.0.0.0:*               LISTEN      8616/sshd: root

Note that the listener is bound to 127.0.0.1 only, so at this point only processes on the headquarters server itself can use it. Trying the port from the headquarters server gives "connection refused". This shows that the path is already open: the dmz server is simply not listening on port 80 yet, so the forwarded connection is refused at that end.

[root@center]# telnet 127.0.0.1 6606
    Trying 127.0.0.1...
    telnet: connect to address 127.0.0.1: Connection refused

We now apply the same trick one hop further back, from the web server to the dmz: the web server opens an ssh session to the dmz (shown here as root@<dmz>, a placeholder for the dmz's address) and asks the dmz to listen on port 80. When a connection arrives on the dmz's port 80, it is carried back to the web server and delivered to port 80 there. As before, the host:hostport part of -R is resolved from the side running the ssh client, in this case the web server.

[root@web]# ssh -f -N -g -R  80:10.1.1.1:80 root@<dmz>

Back on the headquarters server, test the connection again.

[root@center]# telnet 127.0.0.1 6606
    Trying 127.0.0.1...
    Connected to 127.0.0.1.
    Escape character is '^]'.
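Putting the two hops together, the following is an added example (it is not part of the original article) that builds the ssh command for each hop with the options a practitioner would add, and checks from `netstat -tunlp` or `ss -tlnp` output whether the forwarded port is bound to loopback only, as 127.0.0.1:6606 is above, or to all interfaces. The addresses root@<dmz> and 127.0.0.1:80, the option choices, and the sample socket listing are assumptions made for the example; 127.0.0.1 is used as the -R target because it unambiguously means "the host running the ssh client", which is where that part of the specification is resolved.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article.
# Builds the remote-forward command for each hop and classifies where a
# forwarded port listens. Hostnames and the sample socket listing are constructed.

# remote_forward_cmd USER@HOST LISTEN_PORT TARGET_HOST:PORT [BIND_ADDR]
# TARGET_HOST:PORT is resolved from the machine that runs ssh, not from HOST.
# BIND_ADDR (e.g. 0.0.0.0) only takes effect if the remote sshd has GatewayPorts
# set to yes or clientspecified; otherwise the listener stays on loopback.
remote_forward_cmd() {
    local remote="$1" lport="$2" target="$3" bind="${4:-}"
    local spec="$lport:$target"
    if [ -n "$bind" ]; then
        spec="$bind:$spec"
    fi
    # -N: no remote command   -f: background after authentication
    # ExitOnForwardFailure: exit instead of running with no listener if the port is taken
    # ServerAliveInterval/CountMax: tear down a dead tunnel so a supervisor can restart it
    printf 'ssh -f -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R %s %s\n' \
        "$spec" "$remote"
}

# listener_scope PORT  (socket listing on stdin)
# Accepts `netstat -tunlp` or `ss -tlnp` output; the local address is field 4 in both.
# Prints one of: loopback, all, specific, absent.
listener_scope() {
    local port="$1" line addr
    while IFS= read -r line; do
        case $line in *LISTEN*) ;; *) continue ;; esac
        addr=$(printf '%s\n' "$line" | awk '{print $4}')
        case $addr in *:"$port") ;; *) continue ;; esac
        case $addr in
            127.*|'[::1]:'*)          echo loopback ;;
            0.0.0.0:*|'*:'*|'[::]:'*) echo all ;;
            *)                        echo specific ;;
        esac
        return 0
    done
    echo absent
}

# Constructed listing in the shape of `netstat -tunlp`, mirroring the article's 127.0.0.1:6606.
SAMPLE_LISTING='tcp 0 0 127.0.0.1:6606 0.0.0.0:* LISTEN 8616/sshd: root
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 900/sshd'

# Hop 1, run on the dmz: headquarters listens on 6606, traffic lands on the dmz's own port 80.
# Hop 2, run on the web server: the dmz listens on 80, traffic lands on the web server's port 80.
# <dmz> is a placeholder for the dmz's address.
remote_forward_cmd root@115.100.100.100 6606 127.0.0.1:80
remote_forward_cmd 'root@<dmz>' 80 127.0.0.1:80
printf '%s\n' "$SAMPLE_LISTING" | listener_scope 6606
```

If headquarters hosts other than the server itself need to reach the tunnel, pass a bind address as the fourth argument and set GatewayPorts on the headquarters sshd; otherwise `listener_scope` will keep reporting loopback no matter what flags the client passes.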

Finally, let's review the path the packets take from a network perspective.

On the headquarters server we see the following.

# The dmz server, using 115.100.100.101:29493 as its source, connected to local port 22 and established a TCP connection.
[root@center]# ss | grep 115.
    tcp    ESTAB      0      0      172.16.1.1:22                115.100.100.101:29493
[root@center]# netstat -tpna | grep 115.
    tcp        0      0 172.16.1.127:22      101.230.91.53:29493     ESTABLISHED 8555/sshd: root
# The local listener belongs to process 8616, a child of the sshd process 8555 that owns the session from the dmz.
[root@center]# netstat -tunlp | grep 6606
    tcp        0      0 127.0.0.1:6606          0.0.0.0:*               LISTEN      8616/sshd: root
[root@center]# ps -ef | grep 8616
    root      8616  8555  0 Dec03 ?        00:01:04 sshd: root

When the headquarters server connects to 127.0.0.1:6606, the connection table looks like this.

# The two-way channel is established: both ends of the loopback connection between the telnet client (port 51158) and the sshd listener on 6606.
[root@center]# ss | grep 6606
    tcp    ESTAB      0      0      127.0.0.1:6606                 127.0.0.1:51158
    tcp    ESTAB      0      0      127.0.0.1:51158                127.0.0.1:6606
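The three listings above chain together: the LISTEN socket on 6606 belongs to sshd child 8616, whose parent 8555 holds the ESTABLISHED session from the dmz. The added example below (not part of the original article) automates that walk over `netstat -tpna` and `ps -ef` output, which is the check a defender would run to learn which remote host is behind a forwarded port that has appeared on a server. The listings are constructed to mirror the article's PIDs and addresses; the master sshd shown as process 900 is an assumption added for realism.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article. Walks from a forwarded port to the
# SSH session that created it: LISTEN socket -> owning sshd child -> parent sshd ->
# its ESTABLISHED peer. The listings below are constructed to mirror the article.

# listener_pid NETSTAT_TEXT PORT -> pid owning the LISTEN socket on PORT
# Fields of `netstat -tpna`: proto recvq sendq local foreign state pid/program
listener_pid() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $6 == "LISTEN" && $4 ~ (":" port "$") { split($7, a, "/"); print a[1]; exit }'
}

# parent_pid PS_TEXT PID -> PPID from `ps -ef` output (fields: uid pid ppid ...)
parent_pid() {
    printf '%s\n' "$1" | awk -v pid="$2" '$2 == pid { print $3; exit }'
}

# session_peer NETSTAT_TEXT PID -> foreign address of the ESTABLISHED socket owned by PID
session_peer() {
    printf '%s\n' "$1" | awk -v pid="$2" '
        $6 == "ESTABLISHED" && index($7, pid "/") == 1 { print $5; exit }'
}

# trace_forward NETSTAT_TEXT PS_TEXT PORT -> "PORT LISTENER_PID SESSION_PID PEER"
trace_forward() {
    local pid ppid peer
    pid=$(listener_pid "$1" "$3")
    if [ -z "$pid" ]; then
        echo "no listener on port $3"
        return 1
    fi
    ppid=$(parent_pid "$2" "$pid")
    peer=$(session_peer "$1" "$ppid")
    echo "$3 $pid ${ppid:-unknown} ${peer:-unknown}"
}

# Constructed listings in the shape of `netstat -tpna` and `ps -ef`, using the
# article's PIDs and addresses; the master sshd (pid 900) is added for realism.
NETSTAT_TEXT='tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 900/sshd
tcp 0 0 172.16.1.1:22 115.100.100.101:29493 ESTABLISHED 8555/sshd: root
tcp 0 0 127.0.0.1:6606 0.0.0.0:* LISTEN 8616/sshd: root'
PS_TEXT='root 900 1 0 Dec01 ? 00:00:00 /usr/sbin/sshd -D
root 8555 900 0 Dec03 ? 00:00:00 sshd: root
root 8616 8555 0 Dec03 ? 00:01:04 sshd: root'

trace_forward "$NETSTAT_TEXT" "$PS_TEXT" 6606   # -> 6606 8616 8555 115.100.100.101:29493
```

On a live system, capture the two listings with `netstat -tpna` and `ps -ef` (both as root, so the pid/program column is populated) and feed them in; a forwarded port whose session peer is a host that should not be opening inbound access is exactly what the restriction in this scenario was meant to prevent.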

Finally, a diagram summarises the complete forwarding path.


The dmz initiates an ssh connection to the headquarters server and requests a remote port forward. When the headquarters server connects to the forwarded port, the data is carried inside the already established ssh session, that is, over the return path of the connection the dmz opened. Because the session is encrypted, anyone watching the external network sees only an outbound ssh connection from the dmz and not the HTTP exchange inside it, and that is how reverse access is achieved.

Two caveats for anyone doing this in practice. First, this is the same mechanism attackers use to pivot out of a DMZ, so the policy being worked around was probably there for a reason; agree the change with whoever owns the firewall rules rather than quietly tunnelling past them, and on the headquarters side keep an eye out for long-lived sshd children holding listeners on unusual ports, as process 8616 does above. Second, a tunnel started with -f -N dies silently when the underlying TCP connection is dropped, so for anything lasting add keepalives (ServerAliveInterval) and a supervisor such as autossh or a systemd unit that restarts it.
