Use SSH port forwarding on Fedora

You may already be familiar with using the ssh command to access a remote system. The protocol behind the ssh command lets terminal input and output flow through a secure channel. But did you know that you can also use ssh to send and receive other data securely? One way is to use "port forwarding", which lets you securely connect to network ports during your ssh session. This article shows you how it works.

About ports

A standard Linux system has a set of network ports assigned, in the range 0 - 65535. The system reserves 0 - 1023 for system use. On many systems, you cannot choose to use these low-numbered ports. Quite a few ports are commonly expected to run a particular service. You can find these definitions in your system's /etc/services file.

You can think of a network port as similar to a physical port or jack to which you can connect a cable. The port can connect to a service on the system, much like the wiring behind that physical jack. One example is the Apache Web server (also known as httpd). The Web server typically claims port 80 on the host system for non-secure HTTP connections, and port 443 for secure HTTPS connections.

When you connect to a remote system (for example, using a Web browser), you are also "wiring" your browser to a port on your own host. This is usually a random high port, such as 54001. The port on your host connects to the port on the remote host (for example, 443) to reach its secure Web server.

So why use port forwarding when you have so many ports available? Here are a couple of common cases in the life of a Web developer.

Local port forwarding

Imagine that you are doing Web development on a remote system called remote.example.com. You usually reach this system via ssh, but it is behind a firewall that allows very little other access and blocks most other ports. To try out your Web application, it would be helpful to point a browser at the remote system. However, thanks to that pesky firewall, you cannot reach it the conventional way, by typing the URL in your browser.

Local forwarding lets you tunnel a port that is reachable via the remote system through your ssh connection. The port then appears as a local port on your system (hence "local forwarding").

Assume your Web application is running on port 8000 on remote.example.com. To forward that system's port 8000 to port 8000 on your local system, use the -L option with ssh when you start your session:

  $ ssh -L 8000:localhost:8000 remote.example.com

But wait, why did we use localhost as the forwarding target? It is because, from the point of view of remote.example.com, you are asking the host to use its own port 8000. (Recall that any host can usually refer to itself as localhost to connect to itself via a network connection.) That port is now connected to port 8000 on your system. Once the ssh session is ready, keep it open, and you can type http://localhost:8000 in a browser to view your Web application. The traffic between the systems now travels securely through the ssh tunnel!

If you have a keen eye, you might have noticed something. What if we gave remote.example.com a hostname other than localhost to forward to? If it can reach a port on another system on its network, it can usually forward that port just as easily. For example, suppose you want to reach a MariaDB or MySQL service on db.example.com, which is also on the remote network. The service typically runs on port 3306. So, even if you cannot ssh to the actual db.example.com host, you can forward the port with this command:

  $ ssh -L 3306:db.example.com:3306 remote.example.com

Now you can run MariaDB commands against localhost and actually be using the db.example.com host.

Remote port forwarding

Remote forwarding lets you do things the opposite way. Imagine you are designing a Web application for a friend at the office, and want to show them your work. Unfortunately, you are working in a coffee shop, and because of the network setup, they cannot reach your laptop via a network connection. However, you both use the remote.example.com system at the office, and you can still log in there. Your Web application seems to be running well on local port 5000.

Remote port forwarding lets you tunnel a port from your local system through your ssh connection and make that port available on the remote system. Just use the -R option when you start your ssh session:

  $ ssh -R 6000:localhost:5000 remote.example.com

Now, when your friend inside the company firewall opens their browser, they can point it at http://remote.example.com:6000 to view your work. As in the local port forwarding example, the communication travels securely over your ssh session.

By default, the sshd daemon running on a host is set so that only that host itself can connect to its remote forwarded ports. Suppose your friend wants to let people on other example.com company hosts see your work, and they are not on remote.example.com itself. You need the owner of the remote.example.com host to add one of the following options to /etc/ssh/sshd_config on that host:

  GatewayPorts yes        # or
  GatewayPorts clientspecified

The first option means that remote forwarded ports are available on all network interfaces on remote.example.com. The second means that the client that sets up the tunnel can choose the address. By default, this option is set to no.

With this option, you as the ssh client must still specify the interfaces on which the forwarded port on your side can be shared. Do this by adding a network address specification before the local port. There are several ways to do this, including:

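  $ ssh -R '*:6000:localhost:5000' remote.example.com                  # all networks
  $ ssh -R 0.0.0.0:6000:localhost:5000 remote.example.com              # all networks
  $ ssh -R 192.168.1.15:6000:localhost:5000 remote.example.com         # single network
  $ ssh -R remote.example.com:6000:localhost:5000 remote.example.com   # single network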
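
How the server's GatewayPorts value and the client's bind address combine to decide where a remote forward listens, as an added shell example (not from the original article). The function names are assumptions, the sample configuration is constructed, and Match blocks and IPv6 literals are not handled.

```shell
#!/bin/sh
# gateway_ports FILE: print the effective GatewayPorts value of an
# sshd_config-style file. Keywords are case-insensitive, the first value
# wins, and the default is "no". Match blocks are not interpreted.
gateway_ports() {
    awk 'tolower($1) == "gatewayports" { print tolower($2); found = 1; exit }
         END { if (!found) print "no" }' "$1"
}

# effective_bind MODE SPEC: print where sshd listens for "ssh -R SPEC"
# when GatewayPorts is MODE: "loopback", "wildcard", or one address.
# SPEC is [bind_address:]port:host:hostport; IPv6 literals are not handled.
effective_bind() {
    gp_mode=$1 fwd_spec=$2
    # Three colon-separated fields: no bind address. Four: one was given.
    nfields=$(printf '%s\n' "$fwd_spec" | awk -F: '{ print NF }')
    bind=${fwd_spec%%:*}
    case $gp_mode in
        no)  echo loopback ;;    # the client's bind address is ignored
        yes) echo wildcard ;;    # every interface, whatever the client asks
        clientspecified)
            if [ "$nfields" -ne 4 ]; then
                echo loopback    # no bind address given
            elif [ -z "$bind" ] || [ "$bind" = "*" ] || [ "$bind" = 0.0.0.0 ]; then
                echo wildcard
            else
                echo "$bind"     # only that address
            fi ;;
        *) echo "unknown GatewayPorts value: $gp_mode" >&2; return 1 ;;
    esac
}

# Constructed sample config: the commented-out line must not count.
conf=$(mktemp)
printf '%s\n' '#GatewayPorts yes' 'gatewayports clientspecified' > "$conf"
mode=$(gateway_ports "$conf")
for spec in '6000:localhost:5000' '*:6000:localhost:5000' \
            '192.168.1.15:6000:localhost:5000'; do
    printf '%-36s -> %s\n' "$spec" "$(effective_bind "$mode" "$spec")"
done
rm -f "$conf"
```

Running it against a real host's /etc/ssh/sshd_config shows at a glance whether a forward such as the coffee-shop example can be reached from other machines on the office network.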

Other Considerations

Please note that the port numbers on the local and remote systems need not be identical. In fact, sometimes you may not even be able to use the same port. For example, in a default setup, ordinary users may not forward onto a system port.

In addition, it is possible to restrict forwarding on a host. This may be important to you if you need tighter security on a network-connected host. The PermitOpen option of the sshd daemon controls whether, and which, ports are available for TCP forwarding. The default setting is any, which lets all the examples above work. To prohibit any port forwarding, choose none, or allow only specific "host:port" settings. For more information, search for PermitOpen in the man page for sshd daemon configuration:

  $ man sshd_config
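
How a PermitOpen list is matched against the target of an "ssh -L" request, as an added shell example (not from the original article). The function name, the sample policy and the address 10.0.0.5 are constructed for illustration, and [IPv6]:port entries are not handled.

```shell
#!/bin/sh
# permitopen_allows LIST HOST PORT: succeed if a forward to HOST:PORT
# (the target of "ssh -L") is allowed by LIST, the argument string of a
# PermitOpen line. Handles "any", "none", host:port and the "*" wildcard
# for host or port.
permitopen_allows() {
    list=$1 host=$2 port=$3
    set -f                       # keep "*" entries from globbing
    for entry in $list; do
        case $entry in
            any)  set +f; return 0 ;;
            none) set +f; return 1 ;;
        esac
        ehost=${entry%:*}
        eport=${entry##*:}
        # Names are compared as literal strings: sshd does no address
        # lookup, so an entry for a hostname does not cover its IP.
        if { [ "$ehost" = "*" ] || [ "$ehost" = "$host" ]; } &&
           { [ "$eport" = "*" ] || [ "$eport" = "$port" ]; }; then
            set +f; return 0
        fi
    done
    set +f
    return 1
}

# Constructed policy: only the two -L targets used in this article.
policy='localhost:8000 db.example.com:3306'
for target in localhost:8000 db.example.com:3306 db.example.com:22 \
              10.0.0.5:3306; do
    if permitopen_allows "$policy" "${target%:*}" "${target##*:}"; then
        verdict=allowed
    else
        verdict=refused
    fi
    printf '%-22s %s\n' "$target" "$verdict"
done
```

The last two targets are refused: one asks for a port that is not listed, the other names the database by a constructed IP address rather than the listed hostname.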

Finally, remember that port forwarding stays open only as long as the controlling ssh session is open. If you need to keep the forwarding active for a long time, try using the -N option to run the session in the background. Make sure that your console is locked to prevent tampering while you are away from it.

via: https://fedoramagazine.org/using-ssh-port-forwarding-on-fedora/

Translator: geekpi proofread: wxy

Origin www.linuxidc.com/Linux/2019-11/161239.htm