Goal:
Use SSH from C machine to access A
Description:
C External network device
B Exit device of the server LAN
A A certain device in the server LAN
Solution:
Use machine A as a reverse proxy for machine B; use machine B as a forward proxy for local port forwarding.
Machine B opens two interfaces:
<port_b1>: Provides forwarding from B->A
<port_b2>: Provides forwarding from C->B
| machine code | IP (example) | username | illustrate | solution | explain |
|---|---|---|---|---|---|
| A (target server) | 192.168.100.99 | usr_a | The target server, in the LAN, can access A | ssh -fCNR <port_b1>:localhost:22 [email protected] | <port_b1> is the port on machine B and is used to bind to port 22 on machine A. |
| B (proxy server) | 100.100.100.100 | usr_b | Proxy server, in the external network, cannot access A | ssh -fCNL ‘*:<port_b2>:localhost:<port_b1>’ localhost | <port_b2> is a local forwarding port used to communicate with the external network and forward data to <port_b1> so that it can be accessed from other machines. |
| C (external network equipment) | - | - | B can be accessed directly, but A cannot be accessed directly. | ssh -p <port_b2> [email protected] | <port_b2> is the external interface of B |
For example here:
A-> ssh -CNR 9998:localhost:22 [email protected]
B-> ssh -CNL *:9999:localhost:9998 localhost
C-> ssh -p 9999 [email protected]
The three form C->B, A->B SSH agent forwarding. Use -f to run in the background, change to -fCNR or -fCNL.
Example 1:
A-> ssh -CNR 9998:localhost:22 [email protected]
B-> ssh -CNL *:9999:localhost:9998 localhost
C-> ssh -p 9999 [email protected]
Example 2:
A-> ssh -CNR 19998:localhost:22 [email protected]
B-> ssh -CNL *:19999:localhost:19998 localhost
C-> ssh -p 19999 [email protected]
| SSH parameters explained | explain |
|---|---|
| -f | Background process |
| -C | Allow compressed data |
| -N | Do not execute any commands |
| -R | Bind port to remote server, reverse proxy |
| -L | Bind port to local client, forward proxy |