You may already be familiar with the ssh command for accessing a remote system. The protocol behind the ssh command lets the terminal's input and output flow through a secure channel. But did you know that you can also use ssh to send and receive other data securely? One way is to use "port forwarding", which allows you to connect to network ports securely while your ssh session is running. This article shows you how it works.
About ports
A standard Linux system has a set of network ports assigned, ranging from 0 to 65535. The system reserves ports 0 through 1023 for system use. On many systems you cannot simply choose to use these low-numbered ports. Quite a few ports are commonly used to run particular services. You can find them defined in your system's /etc/services file.
You can think of a network port as being similar to a physical jack that a cable can be plugged into. A port may be connected to a service on the system, like the wiring behind a physical jack. One example is the Apache web server (also known as httpd). The web server usually claims port 80 on the host system for non-secure HTTP connections, and port 443 for secure HTTPS connections.
When you connect to a remote system (for example, with a web browser), the browser is "connected" to a port on your own host as well. This is usually a random high port, such as 54001. The port on your host is connected to the port on the remote host (for example, 443) to reach its secure web server.
So why use port forwarding, when you have so many available ports? Here are a couple of common situations from the life of a web developer.
Local port forwarding
Imagine you are doing web development on a remote system called remote.example.com. You usually enter this system via ssh, but it is behind a firewall that rarely allows other types of access and blocks most other ports. It would be helpful to try out your web application on the remote system with a browser. But because of that hateful firewall, you cannot reach it the conventional way, by typing a URL into your browser.
Local forwarding lets you tunnel a port that is reachable through the remote system across your ssh session. The port appears as a local port on your system (hence "local forwarding").
Assume your web application is running on port 8000 on remote.example.com. To forward port 8000 of that system to port 8000 on your local system, use the -L option with ssh when starting the session:
$ ssh -L 8000:localhost:8000 remote.example.com
Wait, why do we use localhost as the forwarding target? It is because, from the point of view of remote.example.com, you are asking it to use its own port 8000. (Recall that any host can usually connect to itself over the network as localhost.) That port now connects to port 8000 on your system. Once the ssh session is ready, keep it open, and then type http://localhost:8000 into a browser to see your web application. The traffic between the systems now travels securely through the ssh tunnel!
If you have a keen eye, you may have noticed something. What if we forwarded to a hostname other than localhost? If a port on another system is reachable from the remote system's network, you can usually forward that port just as easily. For example, suppose you want to reach a MariaDB or MySQL service on db.example.com, on the remote network. This service typically runs on port 3306. So even if you cannot ssh into the actual db.example.com host, you can forward to it with this command:
$ ssh -L 3306:db.example.com:3306 remote.example.com
Now you can run MariaDB commands against localhost and actually be using the db.example.com host.
Remote port forwarding
Remote forwarding lets you do the reverse. Imagine you are designing a web application for a friend at the office, and want to show them your work. Unfortunately, you are working in a coffee shop, and because of the network setup they cannot reach your laptop over the network. But you also use the office's remote.example.com system, and you can still log in there. Your web application seems to be working well on local port 5000.
Remote port forwarding lets you tunnel a port from your local system through the ssh connection and make it available on the remote system. Just use the -R option when starting the ssh session:
$ ssh -R 6000:localhost:5000 remote.example.com
Now when your friend inside the company firewall opens a browser, they can go to http://remote.example.com:6000 to see your work. And as in the local port forwarding example, the communication travels securely over the ssh session.
By default, the sshd daemon running on a host is set up so that only that host itself can connect to its remote forwarded ports. Suppose your friend wants to let other people at example.com see your work, but they are not logged on to remote.example.com. You would need the owners of remote.example.com to add one of the following lines to /etc/ssh/sshd_config:
GatewayPorts yes      # or
GatewayPorts clientspecified
The first option means that remote forwarded ports can be made available on all network interfaces of remote.example.com. The second means that the client doing the tunneling can choose the address. By default, this option is set to no.
With this option set, you as the ssh client must still specify the interfaces on which the forwarded port on your side may be shared. You do this by adding a network address in front of the local port. There are several ways to do this, including:
$ ssh -R '*:6000:localhost:5000' remote.example.com                # all networks
$ ssh -R 0.0.0.0:6000:localhost:5000 remote.example.com            # all networks
$ ssh -R 192.168.1.15:6000:localhost:5000 remote.example.com       # single network
$ ssh -R remote.example.com:6000:localhost:5000 remote.example.com # single network
Other Considerations
Note that the port numbers on the local and remote systems need not be the same. In fact, sometimes you may not even be able to use the same port. For instance, a regular user may not be able to forward to a system port in the default configuration.
In addition, forwarding can be restricted on a host. This may be important to you if you need tighter security on a host on your network. The PermitOpen option of the sshd daemon controls whether, and which, ports are available for TCP forwarding. The default setting is any, which makes all the examples above work properly. To disallow port forwarding entirely, choose none; to allow only specific destinations, list them as "host:port". For more information, search the man page for PermitOpen when configuring the sshd daemon:
$ man sshd_config
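As an added example (not from the original article), here is a small POSIX shell helper that reports how a given sshd_config sets the two options discussed above, applying sshd's rules that the first value found for a keyword wins and that unset keywords fall back to the defaults named above (GatewayPorts no, PermitOpen any). It assumes standard "Keyword value" or "Keyword=value" syntax and only reads the global section before any Match block; the default path is an assumption for convenience.

```shell
# Added example, not part of the original article. Prints the effective
# GatewayPorts and PermitOpen values from an sshd_config file.
# Assumptions: standard "Keyword value" (or "Keyword=value") syntax, and only
# the global section is read (lines after the first Match block are ignored).
# Usage: sshd_forwarding_policy [path-to-sshd_config]   (default /etc/ssh/sshd_config)
sshd_forwarding_policy() {
    config="${1:-/etc/ssh/sshd_config}"
    awk '
        BEGIN { split("", v) }                        # v: first value seen per keyword
        /^[[:space:]]*(#|$)/ { next }                 # skip comments and blank lines
        {
            sub(/[[:space:]]*=[[:space:]]*/, " ")     # accept "Keyword=value" too
            key = tolower($1)                         # keywords are case-insensitive
            if (key == "match") exit                  # Match blocks are conditional; stop here
            val = ""                                  # value = fields after the keyword
            for (i = 2; i <= NF; i++) val = val (i > 2 ? " " : "") $i
            # sshd uses the first value it finds for a keyword; later ones are ignored
            if ((key == "gatewayports" || key == "permitopen") && !(key in v))
                v[key] = val
        }
        END {
            if (!("gatewayports" in v)) v["gatewayports"] = "no"   # sshd default
            if (!("permitopen" in v))   v["permitopen"]   = "any"  # sshd default
            print "GatewayPorts=" v["gatewayports"]
            print "PermitOpen="   v["permitopen"]
        }
    ' "$config"
}

# When run directly as a script, audit the file given as the first argument
# (or the default path); nothing is printed if the file is not readable.
[ -r "${1:-/etc/ssh/sshd_config}" ] && sshd_forwarding_policy "${1:-/etc/ssh/sshd_config}"
```

Note that PermitOpen restricts the destinations of -L forwards; the listen addresses of -R forwards are restricted by the separate PermitListen option, and both are documented in the same man page.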
Finally, remember that port forwarding only happens while your ssh session is open. If you need to keep the forwarding active for a long time, try running the session in the background using the -N option. Make sure your console is locked, so that it cannot be taken over while you are away from it.
via: https://fedoramagazine.org/using-ssh-port-forwarding-on-fedora/