Understanding the command-line parameters of SSH tunnels (SSH Tunnel)

Contents

1. Local mode: -L

2. Remote mode: -R

3. Dynamic mode: -D


During development I needed to access and manage the mysql and redis services on a CentOS cloud server from my local machine, but by default these services are not open to direct access from the public internet and can only be reached from the host itself. With SSH tunnelling, however, remote access can be turned into what looks like local access, so there is no need to expose these services to the internet at all; this improves security and saves tedious configuration.

The parameter configuration of SSH tunnels is nonetheless a bit complicated. I read several Chinese articles, none of which explained it very clearly, and my first many attempts failed; after some fiddling I finally understood how it works, and all three tunnel types, local (L), remote (R) and dynamic (D), were tested successfully.

1. Local mode: -L

For example, run the following command on the local machine: ssh -NfL *:3305:127.0.0.1:3306 root@a.b.c.d

-N means do not execute a remote command; the session is used purely for port forwarding.

-f means go to the background just before command execution.

On Windows the same tunnel can be created with xshell's Tunneling Pane. Once the command is running, the local machine listens on port 3305; on Windows the command netstat -anp tcp|find "3305" shows port 3305 in the LISTENING state.

Now connect a mysql client on the local machine to port 3305 of localhost or 127.0.0.1. When port 3305 receives data, that data is sent over the encrypted ssh protocol to port 22 (the ssh default) on the remote host a.b.c.d. Port 22 is opened by the ssh server, the sshd process; when it receives the data it forwards it on to port 3306 of 127.0.0.1 (which here means the host a.b.c.d itself), so the remote mysql service sees the connection as originating from its own machine (a.b.c.d).

( local: listen on *:3305 ) === [ ssh tunnel ] ===> ( remote: forward the connection to 127.0.0.1:3306 )

Explanation from the ssh manual:

-L [bind_address:]port:host:hostport

Forwards a port on the local (client) machine to the given port on the given remote host. It works like this: a socket is allocated on the local machine to listen on port; whenever a connection is made to this port, it is forwarded over the secure channel, and at the same time a connection is made from the remote host to hostport on host. Port forwardings can also be specified in the configuration file. Only root can forward privileged ports.

The key is to understand that "local" here is the machine that runs the ssh command and listens on port 3305, and "remote" is the host a.b.c.d that runs the sshd server.

             Specifies that connections to the given TCP port or Unix
             socket on the local (client) host are to be forwarded to
             the given host and port, or Unix socket, on the remote
             side.  This works by allocating a socket to listen to
             either a TCP port on the local side, optionally bound to
             the specified bind_address, or to a Unix socket.  Whenever
             a connection is made to the local port or socket, the
             connection is forwarded over the secure channel, and a
             connection is made to either host port hostport, or the
             Unix socket remote_socket, from the remote machine.

             Port forwardings can also be specified in the configuration
             file.  Only the superuser can forward privileged ports.
             IPv6 addresses can be specified by enclosing the address in
             square brackets.

             By default, the local port is bound in accordance with the
             GatewayPorts setting.  However, an explicit bind_address
             may be used to bind the connection to a specific address.
             The bind_address of “localhost” indicates that the
             listening port be bound for local use only, while an empty
             address or ‘*’ indicates that the port should be available
             from all interfaces.
 

2. Remote mode: -R

ssh -R *:9000:127.0.0.1:9002 root@a.b.c.d

This command forwards connections to port 9000 on the remote host to port 9002 of 127.0.0.1 on the local side.

( local: forward the connection to 127.0.0.1:9002 ) <== [ ssh tunnel ] === ( remote: listen on *:9000 )

ssh manual:

-R [bind_address:]port:host:hostport

Forwards a port on the remote host (server) to the given port on the given machine on the local side. It works like this: a socket is allocated on the remote host to listen on port; whenever a connection is made to this port, it is forwarded over the secure channel, and at the same time a connection is made from the local host to hostport on host. Port forwardings can also be specified in the configuration file. Privileged ports can be forwarded only when logging in to the remote host as root.

Specifies that connections to the given TCP port or Unix socket on the remote (server) host are to be forwarded to the local side.
This works by allocating a socket to listen to either a TCP port or to a Unix socket on the remote side. Whenever a connection is made to this port or Unix socket, the connection is forwarded over the secure channel, and a connection is made from the local machine to either an explicit destination specified by host port hostport, or local_socket, or, if no explicit destination was specified, ssh will act as a SOCKS 4/5 proxy and forward connections to the destinations requested by the remote SOCKS client.

Port forwardings can also be specified in the configuration file. Privileged ports can be forwarded only when logging in as root on the remote machine. IPv6 addresses can be specified by enclosing the address in square brackets.

By default, TCP listening sockets on the server will be bound to the loopback interface only. This may be overridden by specifying a bind_address. An empty bind_address, or the address ‘*’, indicates that the remote socket should listen on all interfaces. Specifying a remote bind_address will only succeed if the server's GatewayPorts option is enabled (see sshd_config(5)).

If the port argument is ‘0’, the listen port will be dynamically allocated on the server and reported to the client at run time. When used together with -O forward, the allocated port will be printed to the standard output.

3. Dynamic mode: -D

Example: ssh -D 1080 root@a.b.c.d

This listens on local port 1080. If the system or browser proxy is now set to 127.0.0.1:1080, proxied requests are forwarded to the remote host a.b.c.d, which then fetches the actual target site.


Manual: -D [bind_address:]port

Specifies a local "dynamic" application-level port forwarding. It works by allocating a socket on the local side to listen on [port], optionally bound to the given [bind_address]. Whenever a connection is made to this port, it is forwarded over the secure channel, and the application protocol is used to determine where to connect to from the remote machine.

Currently the SOCKS4 and SOCKS5 protocols are supported, and SSH acts as the SOCKS server. Only root can forward privileged ports. Dynamic port forwardings can also be specified in the configuration file.

Specifies a local “dynamic” application-level port forwarding.  This works by allocating a socket to listen to port on the local side, optionally bound to the specified bind_address.  

Whenever a connection is made to this port, the connection is forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine.  

Currently the SOCKS4 and SOCKS5 protocols are supported, and ssh will act as a SOCKS server.  Only root can forward privileged ports. Dynamic port forwardings can also be specified in the configuration file.
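As an added example (not from the original post), here is a small Python parser for the three forwarding specs explained in the -L, -R and -D sections above. It follows the [bind_address:]port:host:hostport grammar from the manual excerpts, keeps bracketed IPv6 addresses intact, and flags listeners that an empty or "*" bind address exposes on all interfaces, as the *:3305 and *:9000 commands above do. The Forward class and the function names are my own.

```python
# Added example (not from the original post): parse ssh -L / -R / -D arguments as the
# manual excerpts above define them, and report which side listens, where the connection
# goes, and whether the listener is reachable from all interfaces (bind_address "" or "*").
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class Forward:
    mode: str                    # "L", "R" or "D"
    bind_address: Optional[str]  # None = omitted (GatewayPorts default); "" or "*" = all interfaces
    port: int                    # the listening port
    host: Optional[str]          # destination host (None for -D: the SOCKS client chooses)
    hostport: Optional[int]      # destination port (None for -D)

def _split_spec(spec: str) -> list:
    # split on ':' except inside [...], so IPv6 literals such as [::1] stay intact
    return re.split(r":(?![^\[]*\])", spec)

def parse_forward(mode: str, spec: str) -> Forward:
    """-L/-R take [bind_address:]port:host:hostport, -D takes [bind_address:]port."""
    p = _split_spec(spec)
    want = 2 if mode == "D" else 4
    if len(p) == want - 1:            # bind_address omitted
        p = [None] + p
    if mode not in ("L", "R", "D") or len(p) != want:
        raise ValueError(f"bad -{mode} spec: {spec!r}")
    bind = p[0] if p[0] is None else p[0].strip("[]")
    host = p[2].strip("[]") if mode != "D" else None
    hostport = int(p[3]) if mode != "D" else None
    return Forward(mode, bind, int(p[1]), host, hostport)

def listens_on_all_interfaces(f: Forward) -> bool:
    """Per the manual, an empty bind_address or '*' makes the port reachable on every interface."""
    return f.bind_address in ("", "*")

def describe(f: Forward) -> str:
    """One line: who listens, where the connection is made from, how exposed the listener is."""
    listener = "local (ssh client)" if f.mode in ("L", "D") else "remote (sshd)"
    target = ("SOCKS destination chosen by the client, reached from the remote side" if f.mode == "D"
              else f"{f.host}:{f.hostport} reached from the {'remote' if f.mode == 'L' else 'local'} side")
    if listens_on_all_interfaces(f):
        exposure = "ALL interfaces" + (", needs sshd GatewayPorts" if f.mode == "R" else "")
    else:
        exposure = "GatewayPorts default" if f.bind_address is None else f"bound to {f.bind_address}"
    return f"-{f.mode} {f.port}: listens on {listener} [{exposure}] -> {target}"
```

Running describe(parse_forward("L", "*:3305:127.0.0.1:3306")) makes the point of the -L section visible: the listener is on the client, the connection is made from the remote side, and the "*" bind address reaches beyond loopback.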
