Some applications of SSH Tunnel (port forwarding) (repost)

ssh (secure shell) is a protocol for encrypted, authenticated transmission of data. With the ssh client it is easy to log in remotely to a host that runs an ssh server, and just as easy to transfer files. ssh can also forward ports through an ssh tunnel, an encrypted channel carried inside the ssh connection. Once a tunnel is created, it can be used to reach resources that network restrictions otherwise prevent you from accessing directly.

There are three types of ssh tunnels: local (L), remote (R) and dynamic (D). Some simple examples are given below. Suppose the local IP is l1.l2.l3.l4 and the IP of a remote ssh host is r1.r2.r3.r4.

Local port mapping (L)

Possible use: the local machine cannot reach a website such as www.twitter.com, but the remote machine can, and you can connect to the remote machine from the local machine. The goal is to make www.twitter.com reachable from the local machine.

Log in to the remote host and execute the following command:

ssh -NfL r1.r2.r3.r4:8086:www.twitter.com:80 r1.r2.r3.r4

This maps port 80 of the www.twitter.com web service to port 8086 on the remote machine's address r1.r2.r3.r4.

Then, on the local machine, open

http://r1.r2.r3.r4:8086

and twitter.com is reached through the tunnel.

If instead the following command is executed on the remote host

ssh -NfL 8086:www.twitter.com:80 r1.r2.r3.r4

then port 8086 of the remote host cannot be reached from the local machine, because without a bind address the forward listens only on the remote host's loopback interface. Only http://localhost:8086 on the remote host itself works, which has no practical use here.

Remote Port Mapping (R)

Possible use: you need to ssh into your school's or company's ssh host while at home or travelling, but a gateway or similar restriction does not allow inbound connections. However, you can connect outward from the school or company to your home machine or to another server on the public internet.

Execute on the local host at school or company:

ssh -NfR 8086:localhost:22 r1.r2.r3.r4

This maps the local ssh service (port 22) to port 8086 on the remote machine.

When at home or away, first log in to the remote machine and run

ssh -p 8086 localhost

This gives an ssh connection to the machine on the company or school intranet.

Dynamic Port Mapping (D)

Possible use: some resources cannot be reached from the local machine because of firewalls or similar factors, but the remote ssh host can reach them, and you can ssh from the local machine to that remote host. You want to use the remote host as a general proxy for local network access, because the local port mapping introduced above can only reach the individual sites you specify.

Execute the command locally:

ssh -NfD 8086 r1.r2.r3.r4

This establishes a SOCKS proxy. Set the SOCKS proxy in the browser to address localhost, port 8086. From then on your traffic is encrypted up to the remote host and leaves from there, so your visible IP becomes the remote host's IP, and resources that cannot be reached directly can be reached through this proxy.

Such a proxy is called an ssh tunnel proxy. To use it more conveniently you need passwordless ssh login, automatic ssh login, and a browser that selects the proxy according to rules. These are detailed in the previous article Simple ssh proxy and wall penetration under Linux. If you have no ssh account available, you can apply for one at cjb.net.

Some notes on ports
  • Ports 1-1023 can only be opened by root; free ports above 1023 can be used by any user.
  • The command

    lsof -i:8086

    shows what is using a specific port, here 8086.
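As an added example that is not part of the original post, the following POSIX shell script builds the ssh command for each of the three tunnel types described above and applies the port notes: it refuses ports below 1024 and checks with lsof whether the port is already taken. Unlike the local forward in the post, which is run on the remote host and bound to its public address, the L and D listeners here are bound to 127.0.0.1 on the machine that runs ssh, so nobody else on the network can use the tunnel. The function names and the --run flag are this example's own; r1.r2.r3.r4 is the post's placeholder host.

```shell
#!/bin/sh
# Added example, not from the original post: build the ssh command for each
# tunnel type (L, R, D) with the options a practitioner wants, and refuse
# privileged (1-1023) ports before launching. The function names
# ssh_tunnel_cmd and port_in_use are this example's own.

# Print the ssh command for a tunnel (does not run it):
#   ssh_tunnel_cmd L <listen_port> <target_host> <target_port> <ssh_host>
#   ssh_tunnel_cmd R <remote_port> <local_host>  <local_port>  <ssh_host>
#   ssh_tunnel_cmd D <listen_port> <ssh_host>
ssh_tunnel_cmd() {
    kind=$1; port=$2
    case $port in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;;
    esac
    # Ports 1-1023 need root; stay above them as the post's note advises.
    if [ "$port" -lt 1024 ] || [ "$port" -gt 65535 ]; then
        echo "port $port outside unprivileged range 1024-65535" >&2; return 1
    fi
    # -N: no remote command, -f: go to background after authentication.
    # ExitOnForwardFailure makes ssh fail loudly when the forward is refused
    # instead of backgrounding a session that forwards nothing.
    base="ssh -N -f -o ExitOnForwardFailure=yes"
    # L and D listeners are bound to 127.0.0.1 so only this machine can use
    # them; the remote end of an R forward stays on the ssh host's loopback.
    case $kind in
        L) echo "$base -L 127.0.0.1:$port:$3:$4 $5" ;;
        R) echo "$base -R $port:$3:$4 $5" ;;
        D) echo "$base -D 127.0.0.1:$port $3" ;;
        *) echo "unknown tunnel type: $kind (use L, R or D)" >&2; return 1 ;;
    esac
}

# Return 0 if something already listens on local TCP <port> (lsof, as in the post).
port_in_use() {
    command -v lsof >/dev/null 2>&1 || { echo "lsof not installed" >&2; return 2; }
    lsof -nP -iTCP:"$1" -sTCP:LISTEN >/dev/null 2>&1
}

# Usage: ./tunnel.sh --run  starts the post's SOCKS proxy on 8086 through
# r1.r2.r3.r4 (placeholder host from the post) after checking the port is free.
if [ "${1:-}" = "--run" ]; then
    if port_in_use 8086; then echo "port 8086 already in use" >&2; exit 1; fi
    cmd=$(ssh_tunnel_cmd D 8086 r1.r2.r3.r4) || exit 1
    $cmd
fi
```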

SFTP vs SSH

SFTP (SSH File Transfer Protocol) is, literally, an ftp-style file transfer protocol running over ssh, and it is more secure than plain ftp. Because it is based on ssh, a server that offers sftp has an ssh service available, even when interactive shell access is disabled. An ssh tunnel proxy used as a SOCKS proxy does not need an interactive session at all, so an sftp server can also be used to implement the proxy. The method is the same as in the article Simple ssh proxy and wall penetration under Linux: just log in with ssh without requesting an interactive session. This works only if the server has not also disabled forwarding (AllowTcpForwarding no in sshd_config), which hardened sftp-only setups often do.

Ordinary cPanel hosting usually offers at least an sftp service. The sftp port shown in the control panel is the port of the ssh service, so an ssh tunnel proxy can be set up through it.
