SSH多种端口转发
lanserver:10.0.0.130
sshserver:10.0.0.129
internet:10.0.0.128
yum -y install psmisc #安装psmisc以获得killall命令
ssh本地端口转发
实验需关闭防火墙
lanserver:yum -y install telnet-server #安装telnet服务
systemctl enable --now telnet.socket #启动telnet服务 23端口
iptables -A INPUT -s 10.0.0.128 -j REJECT #对internet添加防火墙策略
[root@internet ~]#telnet 10.0.0.130
Trying 10.0.0.130...
telnet: connect to address 10.0.0.130: Connection refused #lanserver对internet添加防火墙策略,无法直接登录
[root@internet ~]#ssh -fNL 1111:10.0.0.130:23 10.0.0.129 #在本地1111端口与sshserver建立隧道,经sshserver转发到lanserver的23端口
The authenticity of host '10.0.0.129 (10.0.0.129)' can't be established.
RSA key fingerprint is SHA256:mP+hahR3W6QVReOXzKwUwDbXFpH+eKA2aavt4FRj0Yg.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.129' (RSA) to the list of known hosts.
root@10.0.0.129's password:
[root@internet ~]#ss -nt
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 36 10.0.0.128:22 10.0.0.1:3457
ESTAB 0 0 10.0.0.128:55848 10.0.0.129:22
#internet和sshserver已建好连接
[root@internet ~]#telnet 127.0.0.1 1111 #利用 1111(隧道)请求telnet服务连接lanserver
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Kernel 3.10.0-1062.el7.x86_64 on an x86_64
lanserver login: hu
Password:
[hu@lanserver ~]$ hostname -I
10.0.0.130 #internet成功连接lanserver
[root@lanserver ~]# ss -nt
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 36 10.0.0.130:22 10.0.0.1:3443
ESTAB 0 0 [::ffff:10.0.0.130]:23 [::ffff:10.0.0.129]:40578
#lanserver看到的对端是sshserver而不是internet,sshserver相当于代理
[root@lanserver ~]#yum -y install httpd;systemctl enable --now httpd #安装启用httpd服务
[root@lanserver ~]# echo lan website > /var/www/html/index.html
[root@internet ~]#ssh -fNL 6666:10.0.0.130:80 10.0.0.129 #和sshserver建立隧道,利用sshserver连接http服务
root@10.0.0.129's password:
[root@internet ~]#ss -nt
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 10.0.0.128:55884 10.0.0.129:22
ESTAB 0 36 10.0.0.128:22 10.0.0.1:3457
ESTAB 0 0 10.0.0.128:55880 10.0.0.129:22
[root@internet ~]#curl http://127.0.0.1:6666
lan website #internet通过隧道访问lanserver的http
[root@lanserver ~]# tail -f /var/log/httpd/access_log
10.0.0.129 - - [08/Sep/2020:11:23:47 +0800] "GET / HTTP/1.1" 200 12 "-" "curl/7.61.1"
10.0.0.129 - - [08/Sep/2020:11:28:00 +0800] "GET / HTTP/1.1" 200 12 "-" "curl/7.61.1"
#lanserver的访问日志中来源IP是sshserver,因为实际连接由sshserver发起
远程端口转发
[root@sshserver ~]# ssh -fNR 8888:10.0.0.130:80 10.0.0.128 #由sshserver发起,在internet上打开8888端口,经sshserver转发到lanserver的80端口
The authenticity of host '10.0.0.128 (10.0.0.128)' can't be established.
RSA key fingerprint is 73:30:bc:a1:e4:96:00:aa:7c:d8:ab:b8:3a:79:1d:c8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.128' (RSA) to the list of known hosts.
root@10.0.0.128's password:
[root@sshserver ~]# ss -nt
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 10.0.0.129:54000 10.0.0.128:22
ESTAB 0 0 10.0.0.129:22 10.0.0.1:3451
#已和internet建立隧道
[root@internet ~]#curl http://127.0.0.1:8888
lan website #internet通过隧道访问lanserver的http
[root@lanserver ~]# tail -f /var/log/httpd/access_log
10.0.0.129 - - [08/Sep/2020:11:23:47 +0800] "GET / HTTP/1.1" 200 12 "-" "curl/7.61.1"
10.0.0.129 - - [08/Sep/2020:11:28:00 +0800] "GET / HTTP/1.1" 200 12 "-" "curl/7.61.1"
10.0.0.129 - - [08/Sep/2020:11:47:02 +0800] "GET / HTTP/1.1" 200 12 "-" "curl/7.61.1"
#lanserver的日志中来源仍然是sshserver
远程端口转发并实现网关功能
#必须先在internet的sshd中打开GatewayPorts,否则远程转发的端口只绑定在回环地址上,其他IP无法连接
[root@internet ~]#vim /etc/ssh/sshd_config
GatewayPorts yes
[root@internet ~]#systemctl restart sshd #重启ssh服务
[root@sshserver ~]# ssh -fNgR 8888:10.0.0.130:80 10.0.0.128 #internet开启网关,通过sshserver建立internet隧道,连接lanserver的http服务
root@10.0.0.128's password:
[14:03:41 root@Centos ~]#curl http://10.0.0.128:8888
lan website #其他机器通过internet的8888端口即可访问lanserver的http服务
动态端口转发实现上网方法1
[root@internet ~]#yum -y install firefox #安装火狐浏览器
#然后在Windows上打开Xmanager - Passive
[root@internet ~]#export DISPLAY=10.0.0.1:0.0
[root@internet ~]#firefox
#在internet上再开一个终端窗口,通过sshserver建立动态端口转发(SOCKS代理)
[root@internet ~]#ssh -fND 9999 10.0.0.129
root@10.0.0.129's password:
在浏览器的网络设置中,将SOCKS代理指向127.0.0.1的9999端口
动态端口转发实现上网方法2
[root@sshserver ~]# ssh -fNgD 9999 10.0.0.129 #使用-g开启网关,sshserver对自身建立动态转发,9999端口对所有地址开放
The authenticity of host '10.0.0.129 (10.0.0.129)' can't be established.
RSA key fingerprint is 75:97:5b:24:3d:2e:f5:79:12:fa:eb:7f:fa:e5:a8:fc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.129' (RSA) to the list of known hosts.
root@10.0.0.129's password:
[root@sshserver ~]# ss -nt
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 64 10.0.0.129:22 10.0.0.1:3451
ESTAB 0 0 10.0.0.129:22 10.0.0.129:40960
ESTAB 0 0 10.0.0.129:40960 10.0.0.129:22
[root@sshserver ~]# ss -ntl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 127.0.0.1:6010 *:*
LISTEN 0 128 ::1:6010 :::*
LISTEN 0 128 :::39003 :::*
LISTEN 0 128 *:39903 *:*
LISTEN 0 128 :::9999 :::*
LISTEN 0 128 *:9999 *:*
LISTEN 0 128 :::111 :::*
LISTEN 0 128 *:111 *:*
LISTEN 0 128 :::22 :::*
LISTEN 0 128 *:22 *:*
LISTEN 0 128 127.0.0.1:631 *:*
LISTEN 0 128 ::1:631 :::*
LISTEN 0 100 ::1:25 :::*
LISTEN 0 100 127.0.0.1:25 *:*
#sshserver在所有地址上监听9999端口
[14:57:54 root@Centos ~]#curl --socks5 10.0.0.129:9999 http://10.0.0.130
lan website #其他设备就可以通过sshserver连接lanserver的http服务
*:*
#sshserver在所有地址上监听9999端口
[14:57:54 root@Centos ~]#curl --socks5 10.0.0.129:9999 http://10.0.0.130
lan website #其他设备就可以通过sshserver连接lanserver的http服务