SSH port forwarding on Linux

Port forwarding (or tunnelling) is a method to forward the traffic of one network endpoint to another. In this post we introduce how to forward ports using an SSH tunnel.

A simple example

Let’s start with a simple and useful example: we want to forward local port 8080 to server:port. We can do this with ssh like this:

ssh -L 8080:server:port username@ssh_server

ssh_server is an sshd server that we can log in to. Once the tunnel is up, every connection to 127.0.0.1:8080 is automatically forwarded to server:port, and the connection to server:port is made from ssh_server.

Port forwarding

Port forwarding (or tunnelling) is a method to forward the traffic of one network endpoint to another. For example, there are three servers s1, s2, s3 and one client c0, and there is an ssh tunnel between s1 and s2. When c0 sends a packet to s1’s port p1, the packet is carried through the tunnel between s1 and s2 and arrives at s3’s port p3. Packets in the opposite direction take the reverse path. That is:

c0:p0 <--> s1:p1~s1:p1' <==> s2:p2~s2:p2' <--> s3:p3

From c0’s view, it connects to s1’s port p1, but the service is actually provided by s3’s port p3. If c0 is the user or client of the service, the ssh tunnel between s1 and s2 becomes very useful. For example, we can use this method to protect protocols that are insecure on their own, such as SMTP, HTTP and POP3. Suppose c0 and s1 are in one secure local network, s2 and s3 are in another secure local network, and the two local networks are connected through the insecure Internet. A direct connection between the client c0 and the application server s3 is then insecure. If we create the ssh tunnel between s1 and s2, the tunnel is encrypted, so s3’s service can be provided to c0 securely because the traffic crossing the insecure network is encrypted. This is a method to secure an “insecure” connection, at the cost of encryption and decryption.

We do not need exactly four servers/clients. c0 and s1 can be the same machine, in which case c0 simply connects to localhost, which is itself. The same holds for s2 and s3. So there may be two, three or four machines in this setup. A single machine also works, but it is useless in practice. A common way of using this is that c0 and s1 are the same machine: after the tunnel has been set up, c0 uses the forwarded port on localhost.

Either s1 or s2 can be the sshd server for the ssh tunnel, so there are two kinds of port forwarding: local forwarding and remote forwarding.

Local forwarding

Another name for local forwarding is outgoing tunnel. s2 is the sshd server of this ssh tunnel, while s1 is the ssh client. From s1’s point of view the tunnel is outgoing and the listening port is local, so it is called “local” forwarding or an “outgoing” tunnel.

Using the previous example again, we want to forward port p1 of s1 to port p3 of s3. The method is to run this command on s1:

ssh -L p1:s3:p3 username@s2

sshd usually listens on port 22, which is p2 here. If sshd is not on the normal port 22, add the -p p2 argument to ssh. When s1 receives a packet on port p1, it sends the packet through the tunnel between itself and s2, and s2 then sends the packet to s3:p3.

Remote forwarding

Remote forwarding is also called an incoming tunnel. In this case, s1 is the sshd server and s2 is the ssh client. From the ssh client s2’s view, the remote side (s1) listens on the port and forwards packets through the tunnel; the ssh client receives the incoming packets through the tunnel.
The method is to run this command on s2:

ssh -R p1:s3:p3 username@s1

A packet sent to s1:p1 is forwarded to s3:p3 through the tunnel, just as with local forwarding. This is especially useful when s1 and s3 are behind a firewall that does not allow opening any port. This method provides a way to remotely control a machine behind the firewall. It also shows that even with a strict firewall, a protected local area network can still be controlled remotely.

ssh is a user-space application, so the performance of its port forwarding is not as good as other approaches such as iptables. But an ssh tunnel is easy to set up, even for a user without root privilege, which makes it a very convenient tool on Linux/Unix systems.

sshd configuration

GatewayPorts should be “yes” in /etc/ssh/sshd_config on the sshd server if the remote forwarded port is to be reachable from machine c0, that is, from a host other than the sshd server itself.

GatewayPorts:
Specifies whether remote hosts are allowed to connect to ports forwarded for the client. By default, sshd binds remote port forwardings to the loopback address. This prevents other remote hosts from connecting to forwarded ports. GatewayPorts can be used to specify that sshd should allow remote port forwardings to bind to non-loopback addresses, thus allowing other hosts to connect. The argument may be “no” to force remote port forwardings to be available to the local host only, “yes” to force remote port forwardings to bind to the wildcard address, or “clientspecified” to allow the client to select the address to which the forwarding is bound. The default is “no”.

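As an added example for the sshd configuration section (not code from the original post or from systutorials), this Python script reads an sshd_config text, reports the GatewayPorts value in effect, and states which hosts can reach a remote-forwarded port p1 under each value. The sample configs inside are constructed; the parser assumes the standard sshd_config rules (first global occurrence wins, settings under a Match header apply only to matching connections).

```python
import re

# Meaning of each documented GatewayPorts value for the listener that
# "ssh -R p1:s3:p3 username@s1" opens on the sshd host s1.
BIND_ADDRESS = {
    "no": "loopback only: p1 is reachable from s1 itself, not from a client on another host",
    "yes": "wildcard address: p1 is reachable from every host that can reach s1",
    "clientspecified": "whatever bind_address the ssh client passes in its -R option",
}

def parse_gateway_ports(config_text):
    """Return (global_value, [(match_criteria, value), ...]) for GatewayPorts.

    Rules as in sshd_config: '#' starts a comment, keywords are case-insensitive,
    'Keyword value' and 'Keyword=value' both work, the first global occurrence wins,
    and lines after a 'Match' header apply only to matching connections.
    """
    global_value, overrides, current_match = None, [], None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()         # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip().lower()
        if keyword == "match":
            current_match = value                   # everything below applies only to this Match
        elif keyword == "gatewayports":
            if current_match is not None:
                overrides.append((current_match, value))
            elif global_value is None:
                global_value = value                # later global repeats are ignored by sshd
    return global_value or "no", overrides          # unset means the default "no"

def remote_forward_exposure(config_text):
    """Summarise where an 'ssh -R' listener on this sshd host will be bound."""
    value, overrides = parse_gateway_ports(config_text)
    summary = BIND_ADDRESS.get(value, "invalid value %r (sshd rejects it)" % value)
    for criteria, override in overrides:
        summary += "; for 'Match %s': %s" % (criteria, BIND_ADDRESS.get(override, override))
    return summary

# Constructed sample configs (not from any real host): the exposing setting and a restricted one.
EXPOSED_CONFIG = "Port 22\nGatewayPorts yes   # every host can reach remote-forwarded ports\n"
RESTRICTED_CONFIG = """# GatewayPorts unset in the global section -> default "no"
PermitRootLogin no
Match User tunnel
    GatewayPorts clientspecified
"""
```

Run `remote_forward_exposure(open("/etc/ssh/sshd_config").read())` on a host to see which address its remote forwardings will bind to before enabling “yes”.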
“Dynamic” port forwarding

SSH can also be used for local “dynamic” application-level port forwarding, in which ssh acts as a SOCKS server. Please refer to Proxy Using SSH Tunnel for more details.

Translated from: https://www.systutorials.com/port-forwarding-using-ssh-tunnel/
