Three Ways of linux ssh Port Forwarding

ssh is one of the two command-line tools I use most frequently (the other must be vim). With ssh, I can remotely handle all kinds of possible problems without physically going to the scene.

These days, teamviewer was greatly affected by the hacking, so it was thought of intranet penetration by remote control, and naturally thought that ssh port forwarding could also realize intranet penetration. After careful consideration, it is found that ssh tunnel, or port forwarding, has realized three commonly used network functions: forward proxy, reverse proxy and intranet penetration, and admires its powerful functions and convenience in use.

ssh has three port forwarding modes, which are briefly introduced in this article 11.

Local forwarding

Local port forwarding (Local Port Forwarding) is to forward traffic from a port of the local host to a designated port of the remote host. Its command line syntax is:-L [bind_address]: localport: [remote_host]: remote_port. "-L" is the initials of "local", similar remote forwarding "-R" is the initials of "dynamic", and dynamic forwarding "-D" is the initials of "dynamic", which is easy to remember.

Give an example to illustrate the usage scenario of local forwarding.

CentOS 7 Installation GUI Interface and Remote Connection 1 Installation of vnc service and opening of port access are described in this article. In practice, the exposed 59xx port is continuously attacked by automatic scripts every day. If your vnc and login users use weak passwords or dictionary passwords, the security of the host will be greatly threatened. How to protect in this situation?

A simple and safe protection method is to use iptables/firewalld to close the external network access of the port, and use ssh tunnel to forward the port when there is connection demand:

ssh -L5901:5901 username@host

This command forwards the local port 5901 to the remote host's port 5901 through the ssh tunnel. When connecting remotely, enter localhost or ports 127.0. 0.1 and 5901 to connect to the remote host's port 5901. Through the local forwarding of iptables and ssh, the purpose that others can't connect and only themselves can access is realized.

It should be noted that the "remote host" in the "-L" option does not specifically refer to the connected machine (the default is the connected machine), but can be any 1 host. For example, port 8080 traffic from this machine can be forwarded to port 80 of facebook. com:

ssh -L8080:facebook.com:80 username@host

Remote forwarding

Remote port forwarding (Remote Port Forwarding) is to forward a port of the remote host to a designated port of the remote host. The command-line syntax is:-R [bind_address]: port: [local_host]: local_port.

The most common function of remote forwarding is intranet penetration. If there is a host of ip in public network, it can realize intranet penetration by means of remote forwarding of ssh tunnel, and achieve the purpose of accessing intranet resources from external network. It should be noted that ssh remote forwarding can only bind the local address of the remote host by default, that is, 127.0. 0.1. If you want to listen for connections from other hosts, you need to modify the configuration of the remote host ssh, and change "GatewayPorts" to "yes", which will take effect after restarting ssh.

1 example of forwarding remote port 8080 traffic to local port 80web:

ssh -R0.0.0.0:8080:80 username@host

Through remote forwarding, port 8080 accessing the ip host of the public network is port 80 accessing the web host of the intranet, thus realizing intranet penetration.

Dynamic forwarding

Whether forwarding locally or remotely, you need to specify the ports of local and remote hosts. Dynamic Forwarding (Dynamic Port Forwarding) breaks away from this restriction and binds only the local port, with the remote host and port determined by the request initiated. The syntax for dynamic forwarding is: "-D bind_address: port", 1 example of forwarding:

ssh -D 8080 username@host

This command makes ssh monitor the local 8080 port, and the traffic passing through 8080 port is requested by the remote server through ssh tunnel, so as to obtain shielded resources and hide the true identity.

Dynamic forwarding actually realizes the forward proxy function, so it can be used to surf the Internet scientifically. Local forwarding can also be used as a forward proxy, but it is tedious to forward every host and port requested, which will not be used in practice.

Others

From the client's point of view, local forwarding is a forward proxy; From the perspective of resource providers, local forwarding is a reverse proxy; The ssh connection fails when remote forwarding/intranet penetration is disconnected. If you want remote forwarding 1 to be effective, you need ssh to keep alive. It is recommended to use frp and other solutions focusing on intranet penetration; Although the traffic in ssh tunnel has been encrypted, the firewall can intelligently identify the traffic carried in ssh tunnel, so it is easy to be interfered when used as scientific Internet access; If only port forwarding is done, the above commands are often used in combination with the option of "-NT-f" in practice. Among them, the option of "-f" puts the command into the background for execution, and the disconnection requires kill command; From the proxy point of view, ssh tunnel is inefficient, so it is recommended to use special software. The traffic of ssh tunnel has been encrypted, which is 10 points reliable from the security point of view.