1. SSH 本地端口转发

SSH 会自动加密和解密 SSH 客户端与服务端之间的所有网络数据。但是,SSH 还能够将其他 TCP 端口的网络数据通过 SSH 连接来转发,并自动提供相应的加密及解密服务。这一过程也被叫做"隧道"(tunneling),因为 SSH 为其他 TCP 连接提供了一条安全的通道来进行传输。例如,Telnet、SMTP、LDAP 这些 TCP 应用均能从中受益,避免用户名、密码以及隐私信息在客户端到 SSH 服务端这一段的明文传输。与此同时,如果工作环境中的防火墙限制了一些网络端口的使用,但允许 SSH 连接,也能够通过 TCP 端口转发借助 SSH 进行通讯。

SSH 端口转发能够提供两大功能:

加密 SSH Client 端至 SSH Server 端之间的通讯数据(注意:只有 SSH 客户端与 SSH 服务端之间这一段被加密,SSH 服务端到最终目标主机之间仍是原协议的明文传输,例如下面例子中到 telnet 23 端口的那一段)

 突破防火墙的限制完成一些之前无法建立的 TCP 连接(前提是防火墙放行了到 SSH 服务器的连接;这同时意味着端口转发会绕过基于源地址/端口的访问控制,应在管理策略允许的范围内使用)

SSH本地端口转发

# Local forward (-L): ssh listens on localport on this machine (loopback only,
# unless -g is given) and relays each accepted connection over the SSH session
# to sshserver, which then opens a plain TCP connection to remotehost:remotehostport.
ssh -L localport:remotehost:remotehostport  sshserver

[root@c7-177 ~]# rpm -q telnet-server
telnet-server-0.17-66.el7.x86_64
[root@c7-177 ~]# systemctl enable --now telnet.socket
[root@c7-177 ~]# lsof -i:23
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd 1 root 42u IPv6 24454 0t0 TCP *:telnet (LISTEN)

[root@c7-187 ~]# telnet 10.0.0.177
Trying 10.0.0.177...
Connected to 10.0.0.177.
Escape character is '^]'.

Kernel 3.10.0-327.el7.x86_64 on an x86_64
c7-177 login: wang
Password:
Last login: Wed Jan 5 05:19:05 from ::ffff:10.0.0.187
[wang@c7-177 ~]$ exit
Connection closed by foreign host.
[root@c7-187 ~]#
#添加防火墙
[root@c7-177 ~]# iptables -A INPUT -s 10.0.0.187 -j REJECT
[root@c7-187 ~]# telnet 10.0.0.177
Trying 10.0.0.177...
telnet: connect to address 10.0.0.177: Connection refused
#搭建桥梁。10.0.0.197没有被设置防火墙。首次连接会提示确认主机密钥指纹(见下),直接回答 yes 属于"首次信任";正式环境应先通过可信渠道核对指纹再确认,否则无法防范中间人
[root@c7-187 ~]# ssh -fNL 9527:10.0.0.177:23 10.0.0.197
The authenticity of host '10.0.0.197 (10.0.0.197)' can't be established.
ECDSA key fingerprint is 05:1d:70:49:08:a8:2c:83:6c:3d:7f:f5:26:b1:41:c2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.197' (ECDSA) to the list of known hosts.
root@10.0.0.197's password:
[root@c7-187 ~]#
#本地的9527端口被打开(只监听在 127.0.0.1 / ::1 上,因为没有加 -g,其他主机无法访问这个转发端口)
[root@c7-187 ~]# ss -tnl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:22 *:*
LISTEN 0 128 127.0.0.1:9527 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 :::22 :::*
LISTEN 0 128 ::1:9527 :::*
LISTEN 0 100 ::1:25 :::*
#连接本地的9527端口就间接地连接到服务器了。注意:加密的只是 187 到 197 的 SSH 这一段,197 到 10.0.0.177:23 仍是明文 Telnet,下面输入的用户名和口令在那一段网络上是明文传输的
[root@c7-187 ~]#
[root@c7-187 ~]# telnet 127.0.0.1 9527
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.

Kernel 3.10.0-327.el7.x86_64 on an x86_64
c7-177 login: wang
Password:
Last login: Wed Jan 5 05:19:19 from ::ffff:10.0.0.187
[wang@c7-177 ~]$

#177服务器看到的对端地址是10.0.0.197(见下面 ss 输出的 23 端口连接),而不是真正的发起方 10.0.0.187,所以针对 187 的 REJECT 规则被绕过;177 上基于源地址的访问控制和审计在这里都只能看到 197
[root@c7-177 ~]# ss -tn
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 52 10.0.0.177:22 10.0.0.1:50804
ESTAB 0 0 ::ffff:10.0.0.177:23 ::ffff:10.0.0.197:48808

#197 和 10.0.0.187 之间是 SSH 协议,相对于 10.0.0.187 它是服务端
#197 和 10.0.0.177 之间是 Telnet 协议,相对于 10.0.0.177 它是客户端
[root@c7-197 ~]# ss -tn
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 10.0.0.197:41230 10.0.0.187:22
ESTAB 0 0 10.0.0.197:22 10.0.0.1:51382
ESTAB 0 0 10.0.0.197:48808 10.0.0.177:23
ESTAB 0 0 10.0.0.197:22 10.0.0.187:43687
[root@c7-197 ~]#

#修建第二座桥梁
[root@c7-187 ~]# ssh -fNL 6666:10.0.0.177:80 10.0.0.197
root@10.0.0.197's password:
[root@c7-187 ~]#
[root@c7-187 ~]# curl 127.0.0.1:6666
10.0.0.177_webserver

选项:

-f 认证完成后转入后台运行

-N 不执行远程命令、不打开远程 shell,只保持连接用于端口转发

-g 启用网关功能:本地转发端口从只监听 127.0.0.1/::1 改为监听 0.0.0.0/::(见后面 ss 输出中的 *:9527),任何能访问本机该端口的主机都能使用这条隧道,且隧道本身没有任何认证,务必配合防火墙限制来源

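# Local forward (-L): ssh listens on localhost:9527; each connection is
# encrypted, carried over the SSH session to sshsrv:22, decrypted there and
# forwarded by sshsrv as a plain TCP connection to telnetsrv:23.
# Only the localhost<->sshsrv leg is encrypted; sshsrv<->telnetsrv is cleartext.
# -g binds the listener on all interfaces instead of loopback, so any host that
# can reach this machine's port 9527 can use the tunnel (no authentication).
# data<-->localhost:9527<-->localhost:XXXXX<-->sshsrv:22<-->sshsrv:YYYYY<-->telnetsrv:23
# NOTE: the option dashes must be ASCII '-' (the original used a Unicode dash,
# which ssh would treat as a hostname argument).
ssh -L 9527:telnetsrv:23 -Nfg sshsrv

telnet 127.0.0.1 9527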

ssh的高级应用本地端口转发&&远程端口转发_firefox

[root@centos8 ~]#ssh -fNL 9527:10.0.0.28:80 10.0.0.18 
[root@centos8 ~]#curl 127.0.0.1:9527

2. SSH 远程端口转发

ssh的高级应用本地端口转发&&远程端口转发_firefox_02

[root@c7-177 ~]# curl 10.0.0.177
10.0.0.177_webserver
[root@c7-177 ~]#
[root@c7-177 ~]# iptables -A INPUT -s 10.0.0.187 -j REJECT

[root@c7-187 ~]# curl 10.0.0.177
curl: (7) Failed connect to 10.0.0.177:80; Connection refused
[root@c7-187 ~]# ss -tnl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:22 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 :::22 :::*
LISTEN 0 100 ::1:25 :::*
#建立隧道,此时在10.0.0.197的主机上执行,并非10.0.0.187(远程转发由能到达目标的一方主动连出去)
#保证10.0.0.187主机的9527端口未被占用
[root@c7-197 ~]# ssh -fNR 9527:10.0.0.177:80 10.0.0.187
root@10.0.0.187's password:
[root@c7-197 ~]# ss -nt
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 10.0.0.197:22 10.0.0.1:53036
ESTAB 0 0 10.0.0.197:46959 10.0.0.187:22
[root@c7-197 ~]#

#此时的10.0.0.187主机上被打开了一个端口(只监听 127.0.0.1/::1:sshd 的 GatewayPorts 默认为 no,远程转发端口不对外暴露,后面会改这个设置)
[root@c7-187 ~]# ss -tnl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:22 *:*
LISTEN 0 128 127.0.0.1:9527 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 :::22 :::*
LISTEN 0 128 ::1:9527 :::*
LISTEN 0 100 ::1:25 :::*
[root@c7-187 ~]# ss -tn
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 10.0.0.187:22 10.0.0.197:46959
ESTAB 0 52 10.0.0.187:22 10.0.0.1:53684
[root@c7-187 ~]#


[root@c7-187 ~]# curl 127.0.0.1:9527
10.0.0.177_webserver
[root@c7-187 ~]#



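# Remote (reverse) forward (-R): sshd on sshserver listens on sshserverport and
# relays each accepted connection back over the SSH session to this client,
# which then opens a plain TCP connection to remotehost:remotehostport.
ssh -R sshserverport:remotehost:remotehostport  sshserver

# sshsrv listens on 9527; a connection there is encrypted by sshd, sent back to
# this client over the SSH session, decrypted here and forwarded to telnetsrv:23.
# Only the sshsrv<->localhost leg is encrypted; localhost<->telnetsrv is cleartext.
# Without GatewayPorts on sshsrv the 9527 listener is bound to loopback only.
# Data<-->sshsrv:9527<-->sshsrv:22<-->localhost:XXXXX<-->localhost:YYYYY<-->telnetsrv:23
# NOTE: the option dashes must be ASCII '-' (the original used Unicode dashes,
# which ssh would treat as hostname arguments).
ssh -R 9527:telnetsrv:23 -Nf sshsrv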

远程端口转发并实现网关功能

ssh的高级应用本地端口转发&&远程端口转发_端口转发_03


#删除隧道重新来
[root@c7-197 ~]# ss -tn
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 52 10.0.0.197:22 10.0.0.1:53036
ESTAB 0 0 10.0.0.197:46959 10.0.0.187:22
[root@c7-197 ~]# killall ssh
[root@c7-197 ~]# ss -tn
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 52 10.0.0.197:22 10.0.0.1:53036
[root@c7-197 ~]#

[root@c7-187 ~]# curl 127.0.0.1:9527
curl: (7) Failed connect to 127.0.0.1:9527; Connection refused
[root@c7-187 ~]# ss -tnl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:22 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 :::22 :::*
LISTEN 0 100 ::1:25 :::*

#配置10.0.0.187为网关后重启服务。注意 GatewayPorts yes 是 sshd 的全局设置:此后任何能登录 187 的用户建立的远程转发端口都会绑定到所有地址对外暴露,应尽量限制可登录用户和防火墙来源;若只想按需放开,可改用 GatewayPorts clientspecified 由客户端显式指定绑定地址
[root@c7-187 ~]# grep Gate /etc/ssh/sshd_config
GatewayPorts yes
[root@c7-187 ~]# systemctl restart sshd

#远程端口转发配置隧道
[root@c7-197 ~]# ssh -fNgR 9527:10.0.0.177:80 10.0.0.187
root@10.0.0.187's password:
[root@c7-197 ~]#

#10.0.0.167通过网关(10.0.0.187)访问10.0.0.177
[root@c7-167 ~]# curl 10.0.0.187:9527
10.0.0.177_webserver





3.  SSH动态端口转发

ssh的高级应用本地端口转发&&远程端口转发_端口转发_04

#服务器上拒绝10.0.0.187
[root@c7-177 ~]#
[root@c7-177 ~]# iptables -A INPUT -s 10.0.0.187 -j REJECT


#建立桥梁(-D 在本地 9527 开一个 SOCKS 代理,目标地址由客户端每次连接时动态指定,所有流量经 197 转出;同样只有 187 到 197 的 SSH 这一段是加密的)
[root@c7-187 ~]# ss -tnl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:22 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 :::22 :::*
LISTEN 0 100 ::1:25 :::*
[root@c7-187 ~]# ssh -fND 9527 10.0.0.197
root@10.0.0.197's password:
[root@c7-187 ~]#
[root@c7-187 ~]# ss -tn
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 10.0.0.187:50977 10.0.0.197:22
ESTAB 0 52 10.0.0.187:22 10.0.0.1:57248


[root@c7-187 ~]# yum install firefox -y
[root@c7-187 ~]# export DISPLAY=10.0.0.1:0.0
[root@c7-187 ~]# firefox

ssh的高级应用本地端口转发&&远程端口转发_firefox_05

ssh的高级应用本地端口转发&&远程端口转发_端口转发_06

ssh的高级应用本地端口转发&&远程端口转发_centos_07


ssh的高级应用本地端口转发&&远程端口转发_端口转发_08

linux 主机作为网关,Windows借助Linux来访问

#禁止windows访问linux服务器
[root@c7-177 ~]# iptables -A INPUT -s 10.0.0.1 -p tcp --dport 80 -j REJECT

LISTEN 0 100 ::1:25 :::*
[root@c7-187 ~]# ps aux |grep ssh
root 1310 0.0 0.3 82544 3596 ? Ss 08:04 0:00 /usr/sbin/sshd -D
root 2433 0.0 0.5 143464 5500 ? Ss 08:04 0:00 sshd: root@pts/0
root 2627 0.0 0.1 76096 1348 ? Ss 08:15 0:00 ssh -fND 9527 10.0.0.197
root 3961 0.0 0.5 143812 5592 ? Ss 08:22 0:00 sshd: root@pts/1
root 4370 0.0 0.0 112644 948 pts/0 R+ 08:47 0:00 grep --color=auto ssh
[root@c7-187 ~]# killall ssh
[root@c7-187 ~]# ss -nt
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 52 10.0.0.187:22 10.0.0.1:57248
ESTAB 0 0 10.0.0.187:22 10.0.0.1:57984
[root@c7-187 ~]#


[root@c7-187 ~]# ssh -gfND 9527 10.0.0.197
root@10.0.0.197's password:
[root@c7-187 ~]# ss -ntl #加了 -g 后 9527 监听在所有地址上(*:9527):任何能访问 10.0.0.187:9527 的主机都得到一个无需认证的 SOCKS 代理,可以借此访问 197 能到达的任意地址,务必用防火墙限制来源
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:22 *:*
LISTEN 0 128 *:9527 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 :::22 :::*
LISTEN 0 128 :::9527 :::*
LISTEN 0 100 ::1:25 :::*
[root@c7-187 ~]#

ssh的高级应用本地端口转发&&远程端口转发_firefox_09


ssh的高级应用本地端口转发&&远程端口转发_firefox_10



自己作为网关,自己连接自己

ssh的高级应用本地端口转发&&远程端口转发_端口转发_11


[root@c7-187 ~]# killall ssh
[root@c7-187 ~]# ss -nt
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 52 10.0.0.187:22 10.0.0.1:57248
ESTAB 0 0 10.0.0.187:22 10.0.0.1:57984

#自己连接自己
[root@c7-187 ~]# ssh -gfND 9527 10.0.0.187
root@10.0.0.187's password:

[root@c7-187 ~]# ss -tnl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:22 *:*
LISTEN 0 128 *:9527 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 :::22 :::*
LISTEN 0 128 :::9527 :::*
LISTEN 0 100 ::1:25 :::*
[root@c7-187 ~]# ss -tn
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 10.0.0.187:35858 10.0.0.187:22
ESTAB 0 0 10.0.0.187:22 10.0.0.187:35858
ESTAB 0 0 10.0.0.187:22 10.0.0.1:65501
ESTAB 0 52 10.0.0.187:22 10.0.0.1:65500

#服务器上设置两道策略
[root@c7-177 ~]# iptables -A INPUT -s 10.0.0.1 -p tcp --dport 80 -j REJECT
[root@c7-177 ~]# iptables -A INPUT -s 10.0.0.167 -p tcp --dport 80 -j REJECT

##通过10.0.0.187访问
[root@c7-167 ~]# curl 10.0.0.177
curl: (7) Failed connect to 10.0.0.177:80; Connection refused
[root@c7-167 ~]# curl --socks5 10.0.0.187:9527 http://10.0.0.177
10.0.0.177_webserver

ssh的高级应用本地端口转发&&远程端口转发_firefox_12