SSH port forwarding: forwarding and tunneling

Table of contents

overview

Environment and Terminology Conventions

local forwarding

remote forwarding

dynamic forwarding

multi-stage forwarding


overview

Let's first understand the concept of port forwarding. SSH encrypts all traffic between the SSH client and the SSH server. On top of that it offers a very useful feature, port forwarding: the traffic of other TCP ports can be carried inside the SSH connection, which encrypts and decrypts it transparently. This is often called "tunneling", because SSH provides a secure channel through which other TCP connections travel. TCP applications such as Telnet, SMTP and HTTP all benefit from it, since user names, passwords and other private data are no longer sent in clear text. Likewise, if a firewall in your environment blocks some ports but allows SSH, you can still reach those services by forwarding their TCP ports through SSH. Note that SSH forwards TCP connections only; UDP traffic (plain DNS, for example) is not carried by -L, -R or -D. In general, SSH port forwarding provides two functions:

  1. Encrypt the communication between the SSH client and the SSH server. Only that leg is protected: the hop from the SSH server to the final destination is ordinary TCP unless the application encrypts it itself.
  2. Get past network and firewall restrictions, so that TCP connections that could not be made directly can be established.

SSH provides three types of port forwarding: local forwarding (the -L parameter), remote forwarding (the -R parameter) and dynamic forwarding (the -D parameter). Multi-stage (chained) forwarding can be built from them.

Environment and Terminology Conventions

  • Local host: usually the machine you are sitting at, the one where the ssh command is typed;
  • Destination host: the final target that needs to be reached;
  • Springboard host (jump host): a host that runs an SSH server (sshd, port 22 by default) and that the local host can reach over the network. For local and dynamic forwarding it must also be able to reach the destination host; for remote forwarding it is the local host that reaches the destination host.

local forwarding

Usage scenario: a server (destination host) only allows specific hosts (for example the server itself) to connect to an application running on it. If, for debugging or testing, we temporarily need to reach that application from another machine (the local host), is there a way? Local port forwarding does it.

Local port forwarding is specified by the -L parameter; the command format is:

ssh -L [local host bind address:]local host port:destination host:destination host port user@springboard host

Example: ssh -L 55555:192.168.43.203:3000 user@springboard-host

After executing the above command:

  • You will be prompted for the password (or key passphrase) of the account on the springboard host. After the login succeeds, ssh starts listening on port 55555 of the local host.
  • You can now reach the destination host 192.168.43.203:3000 by connecting to port 55555 of the local host. (Here the destination host runs an HTTP service, so you can test with http://localhost:55555 on the local host.)
  • The destination host is connected to by the springboard host, so the destination address is resolved from the springboard host's point of view: writing "localhost" here means the springboard host itself, not the local host.
  • The connection between the local host and the springboard host is an SSH connection, and it must stay up for the forwarding to stay in effect; once it is closed, the forward closes with it. Forwards are normally requested when the connection is established, but they can also be added to or removed from a running OpenSSH session: type the escape sequence ~C in an interactive session to get a command line that accepts -L/-R/-D and -KL/-KR/-KD, or, if the session was started with a ControlMaster socket, use ssh -O forward and ssh -O cancel against that socket. To keep a forward without an interactive shell, add -N (no remote command) and optionally -f (go to the background after authentication).
  • The local bind address defaults to the loopback address (127.0.0.1), so only programs on the local host can use port 55555. To listen on other interfaces (for example on all addresses, 0.0.0.0), give the bind address explicitly, e.g. ssh -L '*:55555:192.168.43.203:3000' user@springboard-host or ssh -L 0.0.0.0:55555:... (quote the * so the shell does not expand it). Every host that can reach that interface can then use the tunnel with your privileges on the springboard host, so bind to loopback unless you really need to share it.

Differences between local port forwarding and connecting to the destination host directly (where direct access is allowed):

  1. Security: the local host and the springboard host talk over SSH, which encrypts the forwarded traffic on that leg. A direct connection to the destination host is only as secure as the application protocol itself; for Telnet, HTTP and similar protocols that means clear text. Note that the leg from the springboard host to the destination host is still plain TCP: the protection covers the path that crosses the untrusted network, not the destination host's own LAN.
  2. Bypassing access restrictions: only the SSH port (22 by default) of the springboard host needs to be reachable. Restrictions on the destination host (for example an application that only accepts connections from localhost, in which case the springboard host is the destination host itself and the destination is written as localhost, or a firewall that does not expose port 3000 externally) are bypassed because, from the destination host's point of view, the connection comes from the springboard host.
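The steps above in script form, as an added example that is not from the original post: it opens the same -L forward without an interactive shell, adds a second forward to the running connection through a ControlMaster socket, audits the local listeners so that a tunnel bound to a non-loopback address is noticed, and tears everything down. The jump host account, the socket path and the 192.168.43.203 ports are assumptions; the ss output used by the audit is constructed sample data, not captured from a real host.

```shell
#!/bin/sh
# Local forwarding lifecycle with a ControlMaster socket.
# Added example, not from the original post. JUMP, SOCK and the
# destination addresses are assumptions; edit them for your environment.

JUMP="${JUMP:-user@springboard-host}"   # assumed springboard (jump) host account
SOCK="${SOCK:-$HOME/.ssh/ctl-fwd}"       # control socket for this tunnel
DEST="${DEST:-192.168.43.203}"          # assumed destination host

# Open the master connection with one -L forward.
#  -N  no remote command (forwarding only)
#  -f  go to the background once authenticated
#  -M -S  make this the control master on socket $SOCK
#  ExitOnForwardFailure=yes  exit non-zero if the local port cannot be
#     bound, instead of staying up silently without the forward
#  ServerAlive*  drop a dead link after ~90 s so the port is released
tunnel_up() {
  ssh -fN -M -S "$SOCK" \
      -o ExitOnForwardFailure=yes \
      -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
      -L "$1:$2:$3:$4" "$JUMP"
}

# Add another forward to the connection that is already up; ssh talks to
# the master through the socket, so no new login is needed.
tunnel_add() { ssh -S "$SOCK" -O forward -L "$1:$2:$3:$4" "$JUMP"; }

# Remove a forward from the running connection.
tunnel_cancel() { ssh -S "$SOCK" -O cancel -L "$1:$2:$3:$4" "$JUMP"; }

# Close the master and every forward with it.
tunnel_down() { ssh -S "$SOCK" -O exit "$JUMP"; }

# Audit `ss -Hltn` output read on stdin: a forwarded port bound to
# 0.0.0.0, * or [::] is usable by every host that can reach this machine,
# which turns a private tunnel into an open relay into the springboard
# host's network. Prints "<port> loopback|exposed" per listener and
# returns 1 if anything is exposed.
audit_listeners() {
  rc=0
  while read -r state _recvq _sendq laddr _rest; do
    [ "$state" = "LISTEN" ] || continue
    port="${laddr##*:}"
    addr="${laddr%:*}"
    case "$addr" in
      127.*|"[::1]") echo "$port loopback" ;;
      *)             echo "$port exposed"; rc=1 ;;
    esac
  done
  return "$rc"
}

# Constructed sample of `ss -Hltn` output (not captured from a real host).
SAMPLE_SS='LISTEN 0 128 127.0.0.1:55555 0.0.0.0:*
LISTEN 0 128 0.0.0.0:55556 0.0.0.0:*
LISTEN 0 128 [::1]:44444 [::]:*
LISTEN 0 128 *:2222 *:*'

case "${1:-}" in
  up)    tunnel_up 127.0.0.1 55555 "$DEST" 3000 ;;
  add)   tunnel_add 127.0.0.1 55556 "$DEST" 5432 ;;  # e.g. a database on DEST
  check) ss -Hltn | audit_listeners ;;
  down)  tunnel_down ;;
  demo)  printf '%s\n' "$SAMPLE_SS" | audit_listeners ;;
esac
```

Run it as `sh tunnel.sh up`, then `sh tunnel.sh check`: with the defaults the only forwarded port shows up as "55555 loopback". The `demo` mode runs the audit over the constructed sample and flags 55556 and 2222, which is what a forward started with a `*` or `0.0.0.0` bind address looks like.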

remote forwarding

Usage scenario: a server (destination host) is in an internal network and cannot be reached from outside. The springboard host has a public IP address and is reachable both from the outside and from inside the internal network. How can the destination host be reached from outside through the springboard host? Remote port forwarding does it: a machine inside the internal network (the local host, which can reach the destination host) opens an SSH connection out to the springboard host and asks the springboard host to listen on a port on its behalf.

Remote port forwarding is specified by the -R parameter; the command format is:

ssh -R [springboard host bind address:]springboard host port:destination host:destination host port user@springboard host

Example: ssh -R 3389:192.168.43.203:3389 user@springboard-host

After executing the above command:

  • You will be prompted for the password (or key passphrase) of the account on the springboard host. After the login succeeds, sshd on the springboard host starts listening on port 3389.
  • You can then reach the destination host 192.168.43.203:3389 by connecting to port 3389 of the springboard host. (Here the destination host serves Remote Desktop on port 3389, so you can test it by pointing mstsc at the springboard host, or, on the springboard host itself, with curl -vv telnet://localhost:3389 to confirm that the port accepts connections.)
  • Unlike local forwarding, the destination host is connected to by the local host (the machine running the ssh command), not by the springboard host. The destination address is therefore resolved on the local host: writing "localhost" here means the local host itself (useful to publish a service running on your own machine), and it is the local host, not the springboard host, that must be able to reach 192.168.43.203.
  • The connection between the local host (the machine issuing the command) and the springboard host is an SSH connection and must stay up for the forwarding to stay in effect; once it is closed, the listener on the springboard host disappears. Use -N (and -f to go to the background) to keep it up without an interactive shell, and -o ExitOnForwardFailure=yes so that ssh exits instead of carrying on when the springboard port is already taken. As with -L, forwards can be added to a running session with the ~C escape or with ssh -O forward through a ControlMaster socket.
  • The springboard bind address defaults to the loopback address, so port 3389 is only reachable from the springboard host itself. To listen on other interfaces (for example on all addresses) the client asks for a bind address of * (or 0.0.0.0), but whether sshd honours that is decided by the GatewayPorts option in the springboard host's sshd_config (not ssh_config): no (the default) forces the listener onto loopback whatever the client asked for, yes always binds the wildcard address, and clientspecified uses the address the client requested. The administrator can further restrict which ports a client may ask for with PermitListen, and AllowTcpForwarding must be yes or remote for -R to work at all. A wildcard listener exposes the internal destination host to everyone who can reach the springboard host's public address, so think before enabling it.
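Before running the -R command it is worth knowing how the springboard host's sshd is configured, because that decides whether the forward is allowed and where it binds. The script below is an added example, not from the original post: it opens the remote forward without a shell, shows the listener on the springboard host, and contains a small evaluator that applies the AllowTcpForwarding / PermitListen / GatewayPorts rules described above to the output of sshd -T (which has to be run as root on the springboard host). The jump host account, socket path and addresses are assumptions, and the sshd -T excerpts are constructed, not captured from a real server.

```shell
#!/bin/sh
# Remote forwarding: open the listener on the springboard host and predict
# sshd's decision from its effective configuration.
# Added example, not from the original post. JUMP, SOCK, DEST and the
# sample sshd -T output are assumptions / constructed data.

JUMP="${JUMP:-user@springboard-host}"   # assumed springboard (jump) host account
SOCK="${SOCK:-$HOME/.ssh/ctl-rfwd}"      # control socket for this tunnel
DEST="${DEST:-192.168.43.203}"          # assumed internal destination host

# Ask the springboard host to listen on [bind:]port and relay to dest:dport.
# The connection to dest:dport is opened from THIS machine, so it is this
# machine, not the springboard host, that must be able to reach DEST.
remote_up() {
  bind="$1"; port="$2"; dest="$3"; dport="$4"
  ssh -fN -M -S "$SOCK" \
      -o ExitOnForwardFailure=yes \
      -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
      -R "${bind:+$bind:}$port:$dest:$dport" "$JUMP"
}

# Show where sshd actually bound the listener (127.0.0.1 vs 0.0.0.0 / *).
remote_check() { ssh -S "$SOCK" "$JUMP" "ss -Hltn sport = :$1"; }

remote_down() { ssh -S "$SOCK" -O exit "$JUMP"; }

# Evaluate `sshd -T` output (read on stdin) for a request -R <bind>:<port>:...
# Prints one verdict:
#   denied       AllowTcpForwarding forbids remote forwards
#   notlistened  PermitListen does not cover <port>
#   loopback | wildcard | <addr>   where sshd will bind the listener
# Returns 1 for the first two verdicts, 0 otherwise.
fwd_policy() {
  port="$1"; bind="$2"
  allow=yes; gw=no; listen=any           # sshd defaults
  while read -r key val; do
    case "$key" in
      allowtcpforwarding) allow="$val" ;;
      gatewayports)       gw="$val" ;;
      permitlisten)       listen="$val" ;;
    esac
  done
  case "$allow" in
    yes|all|remote) ;;
    *) echo denied; return 1 ;;
  esac
  if [ "$listen" != any ]; then
    ok=0
    for spec in $listen; do                # entries are "port" or "host:port"
      p="${spec##*:}"
      [ "$p" = "$port" ] || [ "$p" = '*' ] && ok=1
    done
    [ "$ok" = 1 ] || { echo notlistened; return 1; }
  fi
  case "$gw" in
    yes) echo wildcard ;;                  # always wildcard, whatever was asked
    clientspecified)
      case "$bind" in
        ""|localhost|127.0.0.1|::1) echo loopback ;;
        '*'|0.0.0.0)                echo wildcard ;;
        *)                          echo "$bind" ;;
      esac ;;
    *) echo loopback ;;                    # GatewayPorts no (the default)
  esac
}

# Constructed `sshd -T` excerpts (not captured from a real host).
SSHD_DEFAULT='port 22
allowtcpforwarding yes
gatewayports no
permitlisten any'
SSHD_HARDENED='port 22
allowtcpforwarding remote
gatewayports clientspecified
permitlisten 3389 localhost:8080'

case "${1:-}" in
  up)     remote_up '*' 3389 "$DEST" 3389 ;;
  check)  remote_check 3389 ;;
  down)   remote_down ;;
  policy) ssh "$JUMP" 'sudo sshd -T' | fwd_policy "${2:-3389}" "${3:-}" ;;
esac
```

With SSHD_DEFAULT the request `-R '*:3389:...'` is accepted but ends up on loopback, which is the silent surprise most people hit; with SSHD_HARDENED the same request binds the wildcard address because the administrator opted in with clientspecified, while a request for port 2222 is refused by PermitListen. The hardened excerpt is also the shape of sshd_config you want on a springboard host that exists only to receive remote forwards: AllowTcpForwarding remote stops logged-in users from using it as a -L/-D pivot into your network.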

dynamic forwarding

Usage scenario: local and remote forwarding both require the destination host's address and port to be known in advance. For proxying general Internet (or intranet) access, where the client will visit many hosts that are not known beforehand, dynamic forwarding is needed. Dynamic forwarding makes ssh act as a SOCKS4/SOCKS5 proxy: each connection the client makes carries its own destination address, and ssh opens it from the springboard host.

Dynamic port forwarding is specified by the -D parameter; the command format is:

ssh -D [local host bind address:]local host port user@springboard host

Example: ssh -D 44444 user@springboard-host

After the command succeeds, set the proxy type in the browser to SOCKS, proxy address 127.0.0.1, port 44444, and browsing goes out via the springboard host. Two practical points: only TCP is proxied (OpenSSH's built-in SOCKS server does not implement UDP ASSOCIATE), and make sure the client sends hostnames to the proxy instead of resolving them itself (SOCKS5 with remote DNS: "Proxy DNS when using SOCKS v5" in Firefox, socks5h:// or --socks5-hostname in curl); otherwise DNS queries still leave the local host in clear text and reveal which sites you visit. The bind address rules are the same as for -L: it defaults to loopback, and anything that can reach a non-loopback bind address gets a free proxy through the springboard host.
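To see what a SOCKS client actually sends to the ssh -D listener, and why "proxy DNS" matters, here is an added example that is not from the original post. It builds the two SOCKS5 CONNECT request forms as printf escape strings: the hostname form (ATYP 3), which is what socks5h:// and --socks5-hostname clients send and which makes the springboard host do the DNS lookup, and the IPv4 form (ATYP 1), which means the client already resolved the name locally and the query left the tunnel. The live probe pipes the bytes into the local -D port with nc (assumed to be installed) and dumps the replies; the port, hostnames and addresses are assumptions.

```shell
#!/bin/sh
# SOCKS5 CONNECT requests as sent to `ssh -D`. Added example, not from the
# original post; PORT, the hostnames/addresses and the use of nc are
# assumptions. Each builder prints a printf(1) format string with octal
# escapes, so the bytes can be read as text and sent with printf "$(...)".

PORT="${PORT:-44444}"                  # local port given to ssh -D

# Greeting: version 5, one auth method offered, method 0 = no authentication
# (the only method OpenSSH's built-in SOCKS server accepts).
socks5_greeting() { printf '\\005\\001\\000'; }

# CONNECT with a hostname (ATYP 3): VER CMD RSV ATYP LEN name PORT(2 bytes).
# The name travels to the springboard host, which resolves it there.
socks5_connect_domain() {
  host="$1"; port="$2"
  printf '\\005\\001\\000\\003'
  printf '\\%03o' "${#host}"
  printf '%s' "$host"
  printf '\\%03o' $((port / 256)) $((port % 256))
}

# CONNECT with an IPv4 address (ATYP 1): VER CMD RSV ATYP A.B.C.D PORT.
# This is what a client sends after resolving the name itself, i.e. the
# DNS query already went out from the local host, outside the tunnel.
socks5_connect_ipv4() {
  ip="$1"; port="$2"
  oldifs="$IFS"; IFS=.; set -- $ip; IFS="$oldifs"
  printf '\\005\\001\\000\\001'
  printf '\\%03o' "$1" "$2" "$3" "$4" $((port / 256)) $((port % 256))
}

# Live probe against the running `ssh -D $PORT`: send greeting + CONNECT
# and dump the replies. OpenSSH answers "05 00" (no-auth accepted) and then
# "05 00 00 01 00 00 00 00 00 00" (CONNECT accepted, bound address 0.0.0.0:0);
# if the springboard host then cannot reach the target, the connection is
# simply closed rather than answered with an error code.
socks5_probe() {
  printf "$(socks5_greeting)$(socks5_connect_domain "$1" "$2")" \
    | nc -w 3 127.0.0.1 "$PORT" | od -An -tx1
}

case "${1:-}" in
  show)  printf '%s\n' "$(socks5_connect_domain example.com 80)" ;;
  probe) socks5_probe "${2:-example.com}" "${3:-80}" ;;
  curl)  # hostname is resolved on the springboard host (socks5h), not locally
         curl -sS --socks5-hostname "127.0.0.1:$PORT" \
              "http://${2:-example.com}/" -o /dev/null -w '%{http_code}\n' ;;
esac
```

The `curl` mode is the shape every CLI tool should use behind -D: `--socks5-hostname` (or `ALL_PROXY=socks5h://127.0.0.1:44444`) sends the ATYP 3 form, whereas plain `--socks5` / `socks5://` resolves first and sends the ATYP 1 form. Running `sh socks.sh probe 192.168.43.203 3000` against an internal host is a quick way to confirm the springboard host can reach it before blaming the browser configuration.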

multi-stage forwarding

  • First establish the first layer of forwarding:

Execute the following command on the client. It forwards the client's local port 1111 to port 2222 on springboard host A (here localhost means localhost relative to springboard host A):

ssh -L 1111:localhost:2222 userA@springboard host A

  • Then establish the second layer:

Log in to springboard host A and execute the following command there. It forwards port 2222 of springboard host A, via springboard host B, to the destination host:

ssh -L 2222:destination host:destination host port userB@springboard host B

The chain built by these two layers is:

Client port 1111 → (via SSH) port 2222 of springboard host A → (via SSH) springboard host B → destination host

The end result: connecting to port 1111 on the client reaches the destination host. Note that the second ssh binds port 2222 on springboard host A to loopback, so only connections arriving on A via the first tunnel (which A sees as coming from localhost) can use it. Also note that springboard host A terminates the first SSH session, so the forwarded data passes through A in clear text. On OpenSSH 7.3 and later the same path can be built from the client with one command using -J (ProxyJump), which carries the SSH session to B inside the SSH session to A: A then only relays encrypted traffic and no extra listener is left on it.
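The same chain in the declarative form most practitioners end up using, as an added example that is not from the original post: the function emits ssh_config stanzas so that a single ssh -N hop-b builds client → A → B and forwards local port 1111 to the destination host, with ProxyJump doing what the two hand-built -L tunnels did. Host names, user names, ports and the config file location are assumptions.

```shell
#!/bin/sh
# Multi-stage forwarding with ProxyJump (OpenSSH 7.3+) instead of a
# hand-built chain of -L tunnels. Added example, not from the original
# post; all host names, users and ports are assumptions.

HOP_A="${HOP_A:-springboard-a}"; USER_A="${USER_A:-userA}"
HOP_B="${HOP_B:-springboard-b}"; USER_B="${USER_B:-userB}"
DEST="${DEST:-destination-host}"; DPORT="${DPORT:-3000}"
LPORT="${LPORT:-1111}"

# Emit ssh_config stanzas: hop-b is reached through hop-a and carries the
# local forward. Nothing listens on A or B; the SSH session to B is
# tunnelled inside the SSH session to A (A relays only ciphertext), and
# B opens the final connection to DEST.
chain_config() {
  cat <<EOF
Host hop-a
    HostName $HOP_A
    User $USER_A

Host hop-b
    HostName $HOP_B
    User $USER_B
    ProxyJump hop-a
    # bind explicitly to loopback: the forward is for this client only
    LocalForward 127.0.0.1:$LPORT $DEST:$DPORT
    ExitOnForwardFailure yes
EOF
}

# One-liner equivalent, for when editing ~/.ssh/config is not an option.
chain_cmd() {
  printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:%s -J %s@%s %s@%s\n' \
    "$LPORT" "$DEST" "$DPORT" "$USER_A" "$HOP_A" "$USER_B" "$HOP_B"
}

case "${1:-}" in
  config) chain_config ;;                  # e.g. sh chain.sh config >> ~/.ssh/config
  cmd)    chain_cmd ;;
  up)     cfg="$(mktemp)"; chain_config > "$cfg"
          ssh -fN -F "$cfg" hop-b ;;       # -F uses only the generated stanzas
esac
```

Compared with the two-step procedure above, this version has two security advantages: the forwarded data is encrypted end to end between the client and springboard host B (A never sees it in clear), and no port 2222 is left listening on A for other users of that machine to find.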

Origin blog.csdn.net/zyplanke/article/details/123223960