
Introduction to the method of SSH Port forwarding configuration under Linux

2025-01-30 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article introduces how to configure SSH port forwarding under Linux. Many people run into this problem in real-world cases, so the following walks through how to deal with these situations.

Between two separate networks, a few specific ports are usually left open for communication, and port 22, used by SSH, is usually among them. SSH-based port forwarding uses SSH as an intermediate proxy to get around the restrictions between the two networks and reach any port.

Port forwarding can be divided into three types: forward port forwarding, reverse port forwarding and dynamic port forwarding.

To demonstrate these three port forwarding methods, assume there are two domains, Office and Prod, with two hosts A and B in the domain Office and two hosts C and D in the domain Prod. Network rules prohibit all access between the two domains, except that host A can access port 22 of C. In other words, host A cannot access any port of C other than 22, and cannot access host D at all. Hosts C and D cannot access either host A or host B.

Task 1: Forward port forwarding

Now let's start the first task: suppose a database service is installed on host D and listens on port 8888. What if I want to access the database on host D directly from host A in the Office domain? This calls for the forward port forwarding function of SSH. Note first that in Linux, all port forwarding operations can be done with the built-in tool ssh.

The command to complete Task 1 is simple, as follows:

ssh -L 8000:host-d.prod.mycompany.com:8888 oracle@host-c.prod.mycompany.com -N

The parts of the above command are:

Parameter -L

Opens a listening port locally. It is followed by an argument in the form local port:target host:target port; here, local port 8000 is forwarded to port 8888 of the remote host D.

orainst@host-c.prod.mycompany.com

This parameter specifies the host to log in to over ssh and the login user name. The host used here and the host in the previous parameter must be in the same domain and able to access each other; they can also be the same machine.

Parameter -N

Do not execute remote commands. This parameter is optional here.

Run the above command on host A and enter the correct password, then log in to host A and check the state of the port:

The code is as follows:

oracle@host-a [orcl]:~$ netstat -natp | grep 8000
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 127.0.0.1:8000    0.0.0.0:*    LISTEN    3767/ssh
tcp        0      0 ::1:8000          :::*         LISTEN    3767/ssh

You can see that port 8000 on host A is ready to accept connections. Note, however, that the listening address is 127.0.0.1 (::1), which means the forwarded port can only be used from host A itself.
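The listener check above can be scripted. This is an added example, not code from the original article: it parses `netstat -natp` output and reports forwards opened by the `ssh` client that are bound to a non-loopback address, as happens when ssh is started with `-g` or an explicit bind address. The sample lines are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original article). Function names are hypothetical.

# Constructed sample of `netstat -natp` output on host A.
SAMPLE='(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 0.0.0.0:22        0.0.0.0:*      LISTEN       1200/sshd
tcp        0      0 127.0.0.1:8000    0.0.0.0:*      LISTEN       3767/ssh
tcp        0      0 0.0.0.0:8001      0.0.0.0:*      LISTEN       4021/ssh
tcp        0      0 ::1:8000          :::*           LISTEN       3767/ssh
tcp        0      0 10.0.0.5:51000    10.0.1.9:22    ESTABLISHED  3767/ssh'

# stdin: netstat -natp lines. stdout: "<port> <scope> <owner>" per LISTEN socket.
classify_listeners() {
    awk '
    $1 ~ /^tcp/ && $6 == "LISTEN" {
        n = split($4, parts, ":")          # the port is the last ":" field
        port = parts[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr == "127.0.0.1" || addr == "::1")   scope = "loopback"
        else if (addr == "0.0.0.0" || addr == "::") scope = "all-interfaces"
        else                                        scope = "address:" addr
        print port, scope, ($7 == "" ? "-" : $7)
    }'
}

# stdout: ports of ssh-client forwards that other hosts can connect to.
exposed_ssh_forwards() {
    classify_listeners | awk '$2 != "loopback" && $3 ~ /\/ssh$/ { print $1 }' | sort -un
}

printf '%s\n' "$SAMPLE" | classify_listeners
echo "exposed: $(printf '%s\n' "$SAMPLE" | exposed_ssh_forwards)"
```

On a live host, pipe the real `netstat -natp` output into `exposed_ssh_forwards`; the owner column is only filled in for processes the calling user owns unless it is run as root.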

The next step is to configure TNSNAMES, as follows:

orcl=
  (DESCRIPTION=
    (ENABLE=BROKEN)
    (ADDRESS_LIST=
      (FAILOVER=ON)
      (LOAD_BALANCE=YES)
      (ADDRESS= (PROTOCOL=TCP) (HOST=localhost) (PORT=8000))
    )
    (CONNECT_DATA=
      (SID=orcl)
    )
  )

Then test it with tnsping:

The code is as follows:

oracle@host-a [orcl]:~$ tnsping orcl

TNS Ping Utility for Linux: Version 11.1.0.7.0 - Production on 05-JUL-2010 09:13:25

Copyright (c) 1997, 2008, Oracle. All rights reserved.

Used parameter files:

Used TNSNAMES adapter to resolve the alias
Attempting to contact (DESCRIPTION= (ENABLE=BROKEN) (ADDRESS_LIST= (FAILOVER=ON) (LOAD_BALANCE=YES) (ADDRESS= (PROTOCOL=TCP) (HOST=localhost) (PORT=8000))) (CONNECT_DATA= (SID=orcl)))
OK (340 msec)

The task is complete.

Task 2: Reverse port forwarding

Because the domain Prod cannot access the domain Office in any way, and assuming the two domains are in completely different physical locations, what if you need to operate host A in the domain Office while you are in the domain Prod? This is where reverse port forwarding comes in.

The basic idea of reverse port forwarding is to establish an ssh connection from host A to host C and, at the same time, open a port on host C that connects back to a port on host B. From the point of view of controlling the host, connecting to port 22 (the ssh port) of host B is the most useful choice. To do this, run the following command on host A:

The code is as follows:

ssh -R 8888:host-b.office.mycompany.com:22 oracle@host-c.prod.mycompany.com -N

As before, the parts of the above command are:

Parameter -R

Creates a reverse port forward. It is followed by an argument in the form listening port:target host:target port; here the listening port is 8888, and the reverse connection goes to port 22 of host B, which host C could not originally access.

oracle@host-c.prod.mycompany.com

This parameter specifies the host to log in to over ssh and the login user name. The host used here and the host in the previous parameter must be in the same domain and able to access each other; they can also be the same machine.

Parameter -N

Do not execute remote commands. This parameter is optional here.

After the above command has run successfully on host A, log in to host C to check the result. The first step is to check whether port 8888 is open:

The code is as follows:

oracle@host-c:~$ netstat -natp | grep 8888
(No info could be read for "-p": geteuid()=1001 but you should be root.)
tcp        0      0 127.0.0.1:8888    0.0.0.0:*    LISTEN    -
tcp6       0      0 ::1:8888          :::*         LISTEN    -

Then test that the port works by executing the following command:

The code is as follows:

oracle@host-c:~$ ssh -p 8888 oracle@localhost
Password:
Last login: Mon Jul 5 02:34:50 2010 from 172.24.43.103
oracle@host-b.office$ hostname
host-b.office.mycompany.com
oracle@host-b.office$

At this point, a connection that would otherwise have been completely impossible has been established using the only open port, the ssh port. This method is very useful; how it is put to use is up to each person.

Task 3: Dynamic port forwarding

Dynamic port forwarding establishes an ssh-encrypted SOCKS4/5 proxy channel, which any program that supports the SOCKS4/5 protocol can use for proxied access. The most common use of this method today is getting over the firewall ("climbing over the wall"), and the method is very simple. The command is as follows:

The code is as follows:

ssh -D 8888 username@proxyhost.mycompany.com -N

The parts of the command are:

Parameter -D

Establishes a dynamic SOCKS4/5 proxy channel. It is followed by the port number to listen on locally.

username@proxyhost.mycompany.com

This parameter specifies the host to log in to over ssh and the login user name. The host used here and the host in the previous parameter must be in the same domain and able to access each other; they can also be the same machine.

Parameter -N

Do not execute remote commands. This parameter is optional here.

Since this method is of little help in the office, I won't say any more about it.
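Whether the three forwards in this article work at all is decided by the sshd configuration on the login host (host C or the proxy host). The following is an added example, not part of the original article: it summarises the forwarding-related settings from `sshd -T` output so an administrator can see which of `-L`, `-R` and `-D` the server permits. The sample input is constructed and the function name `forwarding_policy` is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original article). Function name is hypothetical.

# Constructed sample in the format printed by `sshd -T` (lowercase keyword, value).
SSHD_T_SAMPLE='port 22
allowtcpforwarding local
gatewayports no
permitopen host-d.prod.mycompany.com:8888
disableforwarding no'

# stdin: `sshd -T` lines. stdout: one summary line of what the server permits.
forwarding_policy() {
    awk '
    BEGIN { fwd = "yes"; dis = "no"; gw = "no"; po = "any" }  # OpenSSH defaults
    $1 == "allowtcpforwarding" { fwd = $2 }
    $1 == "disableforwarding"  { dis = $2 }
    $1 == "gatewayports"       { gw = $2 }
    $1 == "permitopen"         { po = $0; sub(/^permitopen[ \t]+/, "", po) }
    END {
        if (dis == "yes") fwd = "no"       # DisableForwarding overrides the rest
        # -L and -D both open outbound channels from the server ("local" class);
        # -R makes the server listen ("remote" class).
        l = (fwd == "yes" || fwd == "all" || fwd == "local")  ? "allowed" : "denied"
        r = (fwd == "yes" || fwd == "all" || fwd == "remote") ? "allowed" : "denied"
        bind = (gw == "no") ? "loopback" : gw
        print "-L=" l, "-D=" l, "-R=" r, "R-bind=" bind, "permitopen=" po
    }'
}

printf '%s\n' "$SSHD_T_SAMPLE" | forwarding_policy
```

With the sample settings, forward and dynamic forwarding are allowed but limited by `permitopen` to host D port 8888, and the reverse forward from Task 2 is refused.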

This concludes the introduction to configuring SSH port forwarding under Linux.
