Realization of Intranet Penetration by SSH Port Forwarding
- 2021-07-06 12:12:05
- OfStack
Our LAN machines can access the external network, but the external network cannot access the internal network. Because the intranet can determine the address of the extranet when accessing the Internet, the extranet cannot determine the specific address in our LAN. (ip address is limited) If this link keeps him constant when we visit the external network, then this link is equivalent to building a road, in which the internal network data can go out and the external network data can come in, and ssh is also this method.
Use ssh command to link to public network server
1. First, edit the configuration file of sshd on the external network server
vim /etc/ssh/sshd_config
# Will GatewayPorts Switch on
GatewayPorts yes
Restart sshd Service, using modifications to take effect ( linux Commands may vary from version to version)
systemctl restart sshd
2. Commands
ssh -NTf -R <local-host>:<local-port>:<remote -host>:<remote-port> user@host
local-host Can be omitted
For example: ssh -NTf -R 8888:127.0.0.1:8080 root@host
3. Parameter description
-C allows compression of data
-f running in the background
-N means that only remote hosts are connected, and remote shell is not opened
-R binds ports to remote servers, reverse proxies
-L Bind port to local client, forward proxy
-T Do not assign TTY to this connection
-NT means that this SSH connection is only used to transfer data and does not perform remote operations
Keep the ssh link open
Usually, when we use ssh linked server, if we don't operate for a long time, this link will be closed.
Method 1. Set up the client
1) User-level settings
vim ~/.ssh/config (If not config Create 1 A)
2) Global settings
/etc/ssh/ssh_config
Select one of them and add the following parameters
# Every interval 60 Send to the server in seconds 1 Empty packets
ServerAliveInterval 60
# If you disconnect without success more than two times
ServerAliveCountMax 2
# Exit after forwarding failure, which is convenient to rebuild the connection
ExitOnForwardFailure yes
Temporary writing (recommended, does not affect others)
ssh -o ServerAliveInterval=30 root@host
ssh -NTf -R 8888:127.0.0.1:8080 root@host -o ServerAliveInterval=30 -o ServerAliveCountMax=2
Method 2. Set up the server side
vim /etc/ssh/sshd_config
# Every interval 30 Seconds, the server sends a heartbeat to the client
ClientAliveInterval 30
#3 After the second heartbeat does not respond, you will think that Client Disconnected
ClientAliveCountMax 3
Method 3. Use the shell script
touch myAutoSSH.sh
Because I set up ssh Connection is rsa Secret-free authentication, so the logic here does not need a password
ssh secret-free login method
while(1)
do
ssh -NTR <local-host>:<local-port>:<remote -host>:<remote-port> user@host
done
Ensure that it can be connected immediately after disconnection. Remove the-f parameter otherwise it will be dead loop
Method 4. Use autossh
Need to download autossh software, operation and direct use of ssh similar
-M is a listening port, listening to whether the command has no response, help us keep the link
autossh -M 5678 -NTR <local-host>:<local-port>:<remote-host>:<remote-port> user@host
I do not like downloading software-messy 78 bad software installed a lot, also do not like to modify the configuration-modified after fear of affecting others to use, so I like to use the client temporary configuration