Realization of Intranet Penetration by SSH Port Forwarding

  • 2021-07-06 12:12:05
  • OfStack

Our LAN machines can access the external network, but the external network cannot access the internal network. Because the intranet can determine the address of the extranet when accessing the Internet, the extranet cannot determine the specific address in our LAN. (ip address is limited) If this link keeps him constant when we visit the external network, then this link is equivalent to building a road, in which the internal network data can go out and the external network data can come in, and ssh is also this method.

Use ssh command to link to public network server

1. First, edit the configuration file of sshd on the external network server


vim /etc/ssh/sshd_config
# Will GatewayPorts  Switch on 
GatewayPorts yes
 Restart sshd Service, using modifications to take effect ( linux  Commands may vary from version to version) 
systemctl restart sshd 

2. Commands


ssh -NTf -R <local-host>:<local-port>:<remote -host>:<remote-port> user@host

local-host  Can be omitted 
 For example: ssh -NTf -R 8888:127.0.0.1:8080 root@host

3. Parameter description

-C allows compression of data
-f running in the background
-N means that only remote hosts are connected, and remote shell is not opened
-R binds ports to remote servers, reverse proxies
-L Bind port to local client, forward proxy
-T Do not assign TTY to this connection
-NT means that this SSH connection is only used to transfer data and does not perform remote operations

Keep the ssh link open

Usually, when we use ssh linked server, if we don't operate for a long time, this link will be closed.

Method 1. Set up the client

1) User-level settings


vim ~/.ssh/config (If not config Create 1 A) 

2) Global settings


/etc/ssh/ssh_config

Select one of them and add the following parameters


# Every interval 60 Send to the server in seconds 1 Empty packets 
ServerAliveInterval 60
# If you disconnect without success more than two times 
ServerAliveCountMax 2
# Exit after forwarding failure, which is convenient to rebuild the connection 
ExitOnForwardFailure yes 

Temporary writing (recommended, does not affect others)


ssh -o ServerAliveInterval=30 root@host
ssh -NTf -R 8888:127.0.0.1:8080 root@host -o ServerAliveInterval=30 -o ServerAliveCountMax=2

Method 2. Set up the server side


vim /etc/ssh/sshd_config
# Every interval 30 Seconds, the server sends a heartbeat to the client 
ClientAliveInterval 30
#3 After the second heartbeat does not respond, you will think that Client Disconnected 
ClientAliveCountMax 3

Method 3. Use the shell script


touch myAutoSSH.sh
 Because I set up ssh Connection is rsa Secret-free authentication, so the logic here does not need a password  

ssh secret-free login method


while(1)
do
  ssh -NTR <local-host>:<local-port>:<remote -host>:<remote-port> user@host
done

Ensure that it can be connected immediately after disconnection. Remove the-f parameter otherwise it will be dead loop

Method 4. Use autossh

Need to download autossh software, operation and direct use of ssh similar

-M is a listening port, listening to whether the command has no response, help us keep the link


autossh -M 5678 -NTR <local-host>:<local-port>:<remote-host>:<remote-port> user@host

I do not like downloading software-messy 78 bad software installed a lot, also do not like to modify the configuration-modified after fear of affecting others to use, so I like to use the client temporary configuration


Related articles: