Three ways to forward linux ssh port

ssh is one of the two command line tools I use most frequently (the other has to be vim). With ssh, I can handle various possible problems remotely without having to be on site in person.

The hacking of TeamViewer has had a great impact these days, so I thought of intranet penetration from remote control, and naturally I thought that SSH port forwarding can also achieve intranet penetration. Thinking about it more carefully, I found that ssh tunnel, or port forwarding, actually realizes three commonly used network functions: forward proxy, reverse proxy and intranet penetration. I am even more impressed by its powerful functions and convenience in use.

ssh has three port forwarding modes, which are briefly introduced in this article.

Local forwarding

Local Port Forwarding is to forward the traffic of a port on the local host to a specified port on the remote host. Its command line syntax is: -L [bind_address]:localport:[remote_host]:remote_port. "-L" is the first letter of "local". Similarly, "-R" for remote forwarding is the first letter of "remote", and "-D" for dynamic forwarding is the first letter of "dynamic". They are easy to remember.

Let's take an example to illustrate the usage scenario of local forwarding.

The article CentOS 7 Installation GUI Interface and Remote Connection introduces the installation of vnc service and enabling port access. In practice, the exposed 59xx ports are constantly attacked by automated scripts every day. If your vnc and login users use weak passwords or dictionary passwords, the host security will be greatly threatened. How to protect yourself in this situation?

A simple and safe protection method is to use iptables/firewalld to close the external access of the port, and use ssh tunnel to forward the port when a connection is required:

ssh -L5901:5901 username@host

This command forwards the local port 5901 to the remote host's port 5901 through the ssh tunnel. When connecting remotely, enter localhost or 127.0.0.1 and port 5901 to connect to the remote host's port 5901. Through local forwarding of iptables and ssh, it is possible to achieve the goal that others cannot connect and only you can access it.

It should be noted that the "remote host" in the "-L" option does not specifically refer to the connected machine (the default is the connected machine), it can be any host. For example, you can forward the traffic on port 8080 of your local machine to port 80 of facebook.com:

ssh -L8080:facebook.com:80 username@host

Remote forwarding

Remote Port Forwarding is to forward a port on a remote host to a specified port on the remote host. Its command line syntax is: -R [bind_address]:port:[local_host]:local_port.

The most commonly used function of remote forwarding is intranet penetration. If there is a host with a public IP, it is possible to penetrate the intranet with the help of remote forwarding of the SSH tunnel, so as to access intranet resources from the external network. It should be noted that ssh remote forwarding can only bind to the local address of the remote host, that is, 127.0.0.1, by default. If you want to monitor connections from other hosts, you need to modify the remote host ssh configuration, change "GatewayPorts" to "yes", and restart ssh to take effect.

An example of forwarding remote port 8080 traffic to local port 80web:

ssh -R0.0.0.0:8080:80 username@host

Through remote forwarding, accessing port 8080 of the public IP host is equivalent to accessing port 80 of the intranet web host, thus achieving intranet penetration.

Dynamic forwarding

Whether it is local forwarding or remote forwarding, you need to specify the ports of the local and remote hosts. Dynamic Port Forwarding gets rid of this limitation and only binds the local port. The remote host and port are determined by the request initiated. The syntax for dynamic forwarding is: "-D bind_address:port", a forwarding example:

ssh -D 8080 username@host

This command enables ssh to listen to the local port 8080. All traffic passing through port 8080 is requested by the remote server through the ssh tunnel, thereby achieving the purpose of obtaining blocked resources and hiding the real identity.

Dynamic forwarding actually realizes the forward proxy function, so it can be used to access the Internet scientifically. Local forwarding can also be used as a forward proxy, but it is cumbersome to forward the host and port of each request, so it is not used in practice.

other

1. From the user's perspective, local forwarding is a forward proxy; from the resource provider's perspective, local forwarding is a reverse proxy;
2. If the ssh connection is disconnected, remote forwarding/intranet penetration will become invalid. If you want remote forwarding to be always effective, you need ssh keep-alive technology. It is recommended to use solutions such as frp that focus on intranet penetration.
3. Although the traffic in the ssh tunnel is encrypted, the firewall can identify the traffic carried in the ssh tunnel intelligently, so it is easy to be interfered with when used for scientific Internet access;
4. If only port forwarding is done, the above command is often used in conjunction with the "-NT -f" option in practice. The "-f" option puts the command into the background for execution, and the kill command is required to disconnect;
5. From the proxy perspective, ssh tunneling is inefficient, and dedicated software is recommended;
6. The traffic of the ssh tunnel is encrypted and is very reliable from a security perspective.

The above is the full content of this article. I hope it will be helpful for everyone’s study. I also hope that everyone will support 123WORDPRESS.COM.