"Reprint" Three different types of ssh tunnels

Source: Internet
Author: User
Tags set time free ssh ssh server

Transferred from: http://blog.creke.net/722.html

As you know, SSH is a secure transport protocol, mostly used to log in to servers. But beyond that, its tunnelling (port-forwarding) feature is even more attractive. What follows are some notes that combine my own practice with information found online.

Basic information on the ssh/plink commands:

First, get to know these three very useful command forms:

ssh -C -f -N -g -L listen_port:DST_Host:DST_port user@remote_host
ssh -C -f -N -g -R listen_port:DST_Host:DST_port user@remote_host
ssh -C -f -N -g -D listen_port user@remote_host

Explanation of the relevant parameters:
-f Fork into background after authentication.
Requests that ssh go to the background just before command execution, i.e. once user/password (or key) authentication has completed. Usually combined with -N, since no shell on the remote host is wanted.

-L [bind_address:]port:host:hostport
Forwards a port on the local machine (the client) to the given port on the given remote machine. A socket listening on port is allocated on the local side; whenever a connection is made to it, the connection is forwarded over the secure channel and the SSH server connects to host:hostport. Port forwardings can also be specified in the configuration file. Only root can forward privileged ports (below 1024). IPv6 addresses can be written with the alternative syntax port/host/hostport or by enclosing the address in square brackets. By default the listener binds to loopback only; prefix a bind_address (or use -g) to bind elsewhere.

-R [bind_address:]port:host:hostport
Forwards a port on the remote host (the SSH server) to the given port on the local side. A socket listening on port is allocated on the remote side; whenever a connection is made to it, the connection is forwarded over the secure channel and the client connects from the local machine to host:hostport. Port forwardings can also be specified in the configuration file. Privileged ports can be forwarded only when logging in to the remote host as root. IPv6 addresses follow the same alternative syntax as for -L. Whether the remote listener may bind to anything other than loopback is governed by the server's GatewayPorts setting.

-D [bind_address:]port
Specifies a local "dynamic" application-level port forwarding. A socket listening on port is allocated on the local side; whenever a connection is made to it, the connection is forwarded over the secure channel, and the destination is taken from the application protocol, so each connection through the port can go to a different host. ssh acts as a SOCKS server here; current OpenSSH releases support both SOCKS4 and SOCKS5. Only root can forward privileged ports. Dynamic forwardings can also be specified in the configuration file.

-C Enable compression.
Compresses all data on the connection (stdin, stdout, stderr and forwarded connections).

-N Do not execute a remote command.
Useful when only port forwarding is wanted; usually combined with -f.

-g Allow remote hosts to connect to local forwarded ports.
For -L and -D listeners this binds the listening port to all addresses instead of loopback only; without it only the local host can connect. (For -R the listener lives on the server, so the equivalent is the server-side GatewayPorts option.) Note: This parameter seems to me to never work in practice.

The above excerpts from: http://chenweiguang.blogspot.com/2009/03/ssh.html

Example of establishing a local SSH tunnel

Before we set up a local SSH tunnel, we need to know the following:

    1. The IP address of the intermediate server D
    2. The IP address of the server C we want to reach
    3. The port on server C we want to reach

Now let's make the figure concrete by giving these machines IP addresses, and list our plan accordingly:

    1. We need to reach the FTP service on 234.234.234.234, which is port 21
    2. The intermediate server is 123.123.123.123

Now we use the following command to achieve our purpose.

ssh -N -f -L 2121:234.234.234.234:21 123.123.123.123

ftp localhost 2121   # connecting to local port 2121 now reaches port 21 on 234.234.234.234

Here we use three SSH client parameters; they mean the following:

    • -N tells the SSH client not to execute any command on the remote side, just do port forwarding
    • -f tells the SSH client to go to the background once authenticated
    • -L sets up the local port mapping; its three colon-separated parts are
      • the local port number to listen on (2121)
      • the IP address of the target machine to reach (234.234.234.234)
      • the port on the target machine to reach (21)
    • the last argument is the intermediary machine through which the tunnel is built (123.123.123.123)

To restate the -L parameter: -L x:y:z maps port z of the machine with IP y to port x on the local machine, via the intermediary server. Host y is resolved and connected to by the intermediary, not by the local machine, so it may be an address that only the intermediary can reach.

Once the command succeeds, we can reach our favourite FTP server despite the corporate firewall. Two caveats. First, only the FTP control connection (port 21) goes through the tunnel; FTP opens separate data connections for listings and transfers, to a server-chosen port in passive mode or from the server back to the client in active mode, and neither of those is forwarded, so transfers may fail. A SOCKS proxy over the tunnel (described later) or sftp/scp avoids this. Second, the listener on 2121 is an unauthenticated door to the FTP server for anything that can connect to it, which is why it binds to 127.0.0.1 by default.

How to set up a remote SSH tunnel

With the local tunnel we bypassed the firewall and started downloading from the FTP server. What if we want to check on the download from home? Most corporate networks reach the Internet through a router doing NAT: the internal machines have no public address and cannot be reached from the Internet, so a connection from D to A (the path D-B-A in the diagram) is impossible. The opposite direction, A-B-D, works fine, though. So can we use the A-B-D connection that already works to carry access in the D-B-A direction? Yes, and that is exactly what a remote SSH tunnel is for.

As with the local tunnel, we need the following before establishing a remote SSH tunnel:

    • The IP address of the remote machine that needs to reach the internal machine (here 123.123.123.123)
    • The IP address of the internal machine to expose, as seen from the client (here 127.0.0.1, because we want to map the client machine itself)
    • The port on the internal machine to expose (22)

Once these are settled, we establish the remote SSH tunnel with:

ssh -N -f -R 2222:127.0.0.1:22 123.123.123.123

Now, on the machine 123.123.123.123, we can log in to the company machine (192.168.0.100, the one that opened the tunnel) with:

ssh -p 2222 localhost

-N and -f were introduced with the local tunnel. Now we focus on the -R parameter, whose three parts mean:

    • the port the remote machine listens on (2222)
    • the IP address of the internal machine to be mapped (127.0.0.1)
    • the port of the internal machine to be mapped (22)

So -R x:y:z maps port z of internal machine y to port x on the remote machine. Here y is resolved by the client, so 127.0.0.1 means the client itself; any other host the client can reach works too.

Some tips for building an SSH tunnel

Automatic re-connect

The tunnel may drop for various reasons: a machine reboot, a router that cuts connections after a long idle period, and so on. So we should have something re-establish it automatically, for example a simple loop or DJB's daemontools. Either way, the reconnect must never block on a password prompt; for a safe way to avoid entering a password, refer to my article on secure password-free SSH login (adding -o BatchMode=yes makes ssh fail instead of prompting when no key works). Note that if another program supervises the tunnel, you should not put the SSH client in the background, i.e. drop the -f parameter, otherwise the supervisor loses track of the process.

Stay connected for long periods of time

Some routers drop connections that carry no traffic for a long time. The SSH client's TCPKeepAlive option counters this and is on by default; if it has been turned off, add -o TCPKeepAlive=yes to the ssh command. Keep in mind that TCP keepalives are sent by the operating system at a long interval (two hours by default on Linux) and mainly detect a dead peer; the ServerAlive options described below work at the SSH protocol level and are more effective.

Another way is to drop the -N parameter and run a command that periodically produces output, for example top or vmstat. An example of this approach:

ssh -R 2222:localhost:22 123.123.123.123 "vmstat 30"

Check tunnel status

Sometimes the tunnel hangs for some reason, for example a router that stalls under a large volume of traffic. In that case the SSH client usually does not exit; it just sits there. One remedy is the SSH client's ServerAliveInterval and ServerAliveCountMax options. ServerAliveInterval is the number of seconds of inactivity after which ssh sends a request through the encrypted channel and expects a reply from the server. If ServerAliveCountMax consecutive requests go unanswered, the SSH client disconnects and exits, handing control back to your monitoring program. Set them with -o ServerAliveInterval=n -o ServerAliveCountMax=m on the ssh command line, where n and m are your choice; for example n=30 and m=3 gives up after roughly 90 seconds without a response.
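Putting the three tips above together (automatic reconnect, keepalives and the ServerAlive timeouts), here is a small supervisor script as an added example; it is not from the original post. It assumes key-based authentication to the intermediate host is already set up, keeps ssh in the foreground (no -f) so the loop sees it exit, adds -o BatchMode=yes so a missing key fails fast instead of hanging at a password prompt, and adds -o ExitOnForwardFailure=yes so a port that cannot be bound counts as a failed attempt. SSH_BIN, BACKOFF_START and MAX_BACKOFF are this script's own knobs, not ssh options.

```shell
#!/bin/sh
# Tunnel supervisor: re-run ssh whenever it exits, with capped exponential backoff.
# Added example; assumes password-less (key-based) login to the intermediate host.
# SSH_BIN / BACKOFF_START / MAX_BACKOFF are this script's own knobs, not ssh options.
SSH_BIN="${SSH_BIN:-ssh}"

# tunnel_opts: options added to every attempt.
#  -N                            forward ports only, no remote shell
#  BatchMode=yes                 never prompt for a password; fail instead
#  ExitOnForwardFailure=yes      exit non-zero if the listening port cannot be bound
#  ServerAliveInterval/CountMax  probe every 30 s, give up after 3 missed replies
#  TCPKeepAlive=yes              keep idle-timeout routers from dropping the TCP session
tunnel_opts() {
    printf '%s' "-N -o BatchMode=yes -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o TCPKeepAlive=yes"
}

# keep_tunnel MAX_ATTEMPTS SSH_ARGS...
# MAX_ATTEMPTS of 0 means retry forever. Returns 0 when ssh exits cleanly,
# 1 when the attempt budget is exhausted.
keep_tunnel() {
    max="$1"; shift
    attempt=0
    backoff="${BACKOFF_START:-1}"
    max_backoff="${MAX_BACKOFF:-60}"
    while [ "$max" -eq 0 ] || [ "$attempt" -lt "$max" ]; do
        attempt=$((attempt + 1))
        # No -f here: the supervisor must stay the parent so it can see ssh exit.
        # Word-splitting the output of tunnel_opts is intended.
        "$SSH_BIN" $(tunnel_opts) "$@"
        rc=$?
        [ "$rc" -eq 0 ] && return 0
        echo "ssh exited with status $rc (attempt $attempt), retrying in ${backoff}s" >&2
        sleep "$backoff"
        backoff=$((backoff * 2))
        [ "$backoff" -gt "$max_backoff" ] && backoff="$max_backoff"
    done
    return 1
}

# Usage: sh keep_tunnel.sh 0 -R 2222:127.0.0.1:22 123.123.123.123
if [ $# -gt 0 ]; then
    keep_tunnel "$@"
fi
```

Run it under daemontools, systemd or a plain nohup; because ssh stays in the foreground, the supervisor sees every exit, including the ones caused by ServerAliveCountMax being exceeded, and reconnects with a growing delay so a flapping link does not hammer the server.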

How to bind a port to an external address

With the commands above, the mapped port is bound to 127.0.0.1 only, i.e. only the local machine itself can connect to it. To let other machines reach the port, give the forward an explicit bind address. For a local (-L) or dynamic (-D) forward, write for example -L 0.0.0.0:2121:234.234.234.234:21 (or add -g) and the listener on the client binds to all interfaces. For a remote (-R) forward the listener lives on the SSH server, so the server's sshd must permit it: set GatewayPorts yes (or GatewayPorts clientspecified, which honours the bind address given by the client) in /etc/ssh/sshd_config and reload sshd. The default is GatewayPorts no, in which case a bind address on -R is ignored and the port stays on loopback. Remember that whatever can reach the listening port gets unauthenticated access to the forwarded service, so bind to a specific interface address rather than 0.0.0.0 where you can, and check the host firewall.
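Before relying on -g or GatewayPorts, check what the forward actually bound to. The following is an added example, not from the original post: it reads the listening TCP sockets from ss -ltn (iproute2), or from a captured copy placed in SS_OUTPUT, and classifies a port as loopback-only, externally reachable, or not listening. The sample ss output embedded in the script is constructed for illustration.

```shell
#!/bin/sh
# Added example: report which address a forwarded port is really listening on.
# Reads `ss -ltn` (iproute2); set SS_OUTPUT to parse a captured copy instead.

# Constructed sample of `ss -ltn` output (not real data): a local forward on
# 2121 bound to loopback only, a SOCKS listener on 1080 bound to every address.
SAMPLE_SS_OUTPUT='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:2121       0.0.0.0:*
LISTEN  0       128     0.0.0.0:1080         0.0.0.0:*
LISTEN  0       128     [::]:1080            [::]:*
LISTEN  0       128     127.0.0.1:22         0.0.0.0:*'

# listeners: print the "Local Address:Port" column, one listening socket per line.
listeners() {
    if [ -n "${SS_OUTPUT:-}" ]; then
        printf '%s\n' "$SS_OUTPUT"
    else
        ss -ltn
    fi | awk 'NR > 1 { print $4 }'
}

# bind_addrs PORT: every address PORT is bound on (the part before the last ':').
bind_addrs() {
    listeners | awk -v p="$1" '
        { n = split($0, f, ":") }
        f[n] == p { sub(":" p "$", ""); print }'
}

# exposure PORT: "none" (not listening), "loopback" (127.x / [::1] only), or
# "external" (at least one non-loopback address, i.e. reachable from other hosts
# unless a host firewall intervenes).
exposure() {
    addrs=$(bind_addrs "$1")
    if [ -z "$addrs" ]; then
        echo none
    elif printf '%s\n' "$addrs" | grep -qvE '^(127\.[0-9.]+|\[::1\])$'; then
        echo external
    else
        echo loopback
    fi
}

# Usage: sh check_bind.sh 2121   -> loopback / external / none
if [ $# -gt 0 ]; then
    exposure "$1"
fi
```

Run it right after starting a tunnel: a -L or -D forward that was meant to be shared but reports "loopback" means -g or the bind address did not take effect, and a -R forward checked on the server that reports "loopback" means GatewayPorts is still off.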

Establishing a SOCKS server via SSH tunneling

If many resources have to be reached through the intermediary server, mapping each one by hand is clearly not a smart approach (and indeed nobody with any sense does it that way). Fortunately, the SSH client can set up a SOCKS server through the SSH tunnel for us.

We can build a socks server through 123.123.123.123 by the following command.

ssh -N -f -D 1080 123.123.123.123           # binds the port on 127.0.0.1

ssh -N -f -D 0.0.0.0:1080 123.123.123.123   # binds the port on 0.0.0.0

The SOCKS server established via SSH speaks SOCKS4 and SOCKS5, so pick the matching protocol version when configuring the application's proxy. With SOCKS5, prefer a client mode that sends hostnames to the proxy (curl's socks5h:// or --socks5-hostname, Firefox's "Proxy DNS when using SOCKS v5") so that name resolution also happens on the far side; otherwise names are resolved locally, which leaks the lookups and may yield addresses that are only valid from the remote network.
