SSH port forwarding through a gateway
Compared with the previous experiment, which used SSH port forwarding between two virtual machines to achieve secure communication, this experiment adds a gateway between the two virtual machines.
I. Experimental environment:
Three Linux virtual machines: vm1 (172.16.1.2) belongs to the VMnet1 subnet, vm2 (172.16.2.2) belongs to the VMnet2 subnet, and gate acts as the gateway, with two virtual network cards, one in VMnet1 and one in VMnet2.
II. Experimental design:
In a simulated real-world network, a host on the external network needs to communicate with a host on the intranet. Assuming transmission inside the intranet is safe, we use SSH port forwarding to secure the leg between the external host and the gateway, so that the external network is protected; the gateway then forwards the packets to the destination host on the intranet.
In this experiment VMnet1 simulates the external network, gate serves as the gateway, and VMnet2 simulates the intranet. Through the gateway we establish secure port forwarding between vm1 and vm2: the leg to gate is encrypted, while the leg from gate onward lies inside the intranet, which we assume to be secure, so it needs no encryption.
III. Experimental steps:
1. Set up the LAN (VLAN):
1.1 Add a subnet VMnet2 in VMware
The operation is as follows:
Edit → Virtual Network Settings → Host Virtual Adapters → Add a subnet, VMnet2 → set the network IP mapped to Host Virtual VMnet2 to 172.16.2.0
1.2 Do not start vm1 (172.16.1.2) yet; clone a vm2 from it
The operation is as follows:
VM → Clone → Create a full clone; set the virtual machine's name to vm2 and choose its path
1.3 Start vm2, log in at 172.16.1.2, and set its IP to 172.16.2.2 with netmask 255.255.255.0
# vi /etc/sysconfig/network    (change the hostname to vm2; it can also be changed in VMware)
# vi /etc/sysconfig/network-scripts/ifcfg-eth0    (change the IP to 172.16.2.2)
# service network restart
Assign vm2 to VMnet2, then connect to it with PuTTY
1.4 Clone a virtual machine named gate
1.5 Add an Ethernet card to gate, with eth0 in VMnet1 and eth1 in VMnet2; start gate, log in at 172.16.1.3, and change gate's IP addresses
# cd /etc/sysconfig
# vi network    (change the hostname to gate)
# cd
# netconfig -d eth0 --ip=172.16.1.4 --netmask=255.255.255.0
# netconfig -d eth1 --ip=172.16.2.4 --netmask=255.255.255.0
# service network restart
1.6 Set the IP address mappings on vm1 and vm2 respectively (in essence, giving each IP an alias)
vm1:
# cd /etc/sysconfig
# vi /etc/hosts
172.16.1.4 gate
172.16.2.3 vm2
vm2:
# cd /etc/sysconfig
# vi /etc/hosts
172.16.2.4 gate
172.16.1.3 vm1
1.7 Start vm1
1.8 Enable forwarding on gate
Method one: has to be set on every boot:
# cat /proc/sys/net/ipv4/ip_forward
0
# echo 1 > /proc/sys/net/ipv4/ip_forward
Method two: set it in the configuration file, so it does not need to be redone on every boot
# vi /etc/sysctl.conf    (set net.ipv4.ip_forward = 1)
# sysctl -p
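As an added check (not part of the original write-up), the following shell functions verify both halves of step 1.8 on the gateway: whether forwarding is on right now in /proc, and whether it is persisted in a sysctl.conf-style file so that it survives a reboot. The file-path arguments and the sample configuration are this example's own; the parser strips comments, accepts the `net/ipv4/ip_forward` spelling that sysctl also understands, and lets the last assignment win, as `sysctl -p` does.

```bash
#!/bin/sh
# Added example: check both halves of step 1.8 on the gateway.
# Paths are parameters so the functions can be run against sample files.

# Is IPv4 forwarding enabled right now?  Reads /proc unless another file is given.
ip_forward_runtime() {
    procfile="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$procfile" ] && [ "$(cat "$procfile")" = "1" ]
}

# Is IPv4 forwarding persisted in a sysctl.conf-style file?
# Strips '#' and ';' comments, accepts both net.ipv4.ip_forward and
# net/ipv4/ip_forward, and lets the last assignment win, as sysctl -p does.
ip_forward_persisted() {
    conf="$1"
    [ -r "$conf" ] || return 1
    val=$(sed -e 's/[#;].*//' "$conf" | awk -F= '
        $1 ~ /^[[:space:]]*net[.\/]ipv4[.\/]ip_forward[[:space:]]*$/ {
            gsub(/[[:space:]]/, "", $2); v = $2
        }
        END { print v }')
    [ "$val" = "1" ]
}

# Human-readable summary; a gateway needs both checks to pass.
# $1 = sysctl.conf path (default /etc/sysctl.conf), $2 = optional /proc file override.
report_forwarding() {
    conf="${1:-/etc/sysctl.conf}"
    if ip_forward_runtime "$2"; then echo "runtime:   enabled"; else echo "runtime:   disabled"; fi
    if ip_forward_persisted "$conf"; then echo "persisted: enabled"; else echo "persisted: disabled (lost on reboot)"; fi
}
```

Run `report_forwarding` on gate after Method one alone and the second line will report "disabled (lost on reboot)"; after Method two both lines report enabled.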
1.9 On vm1, add a route to VMnet2
# route add -net 172.16.2.0 netmask 255.255.255.0 gw gate
1.10 On vm2, add a route to VMnet1
# route add -net 172.16.1.0 netmask 255.255.255.0 gw gate
1.11 Test the routes: vm1 and vm2 ping each other; if the pings succeed, the routing works
# ping vm2
# ping vm1
VLANs are not the focus of this experiment, but they are its foundation. Note the subnet assignment of the hosts: originally host-only mode was chosen, and in the first two experiments this worked, but this time, with network cards on different subnets, it only succeeded once each card was set to Custom mode with its corresponding subnet selected.
2. Capture packets:
2.1 Open Wireshark on the host, select the vm1 network card, and enter the following capture filter:
host 172.16.1.2 and not host 172.16.1.1
Explanation: this captures all packets to or from host 172.16.1.2 except those exchanged with host 172.16.1.1. For the comparative test, the author first makes a POP3 connection through the gateway tunnel and then a direct connection to the remote host 172.16.2.2; the 172.16.1.1 packets are excluded because the PuTTY remote-control session travels over the host's virtual network card.
3. Port forwarding:
3.1 VMnet1 simulates the external network
On vm1 (172.16.1.2), establish port forwarding to vm2 via gate:
ssh -L 2000:172.16.2.2:110 172.16.1.3
3.2 Command format:
ssh -L LocalPort:ServerHost:ServerHostPort GateHost
LocalPort: the port to be forwarded on the local host
ServerHost: the server host on the intranet to connect to (vm2)
ServerHostPort: the port of the service to connect to on the intranet host (vm2)
GateHost: the IP of the gateway that performs the forwarding
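Added example, not from the original write-up: a small shell check for the -L specification before it is used. OpenSSH's full form is `[bind_address:]port:host:hostport` (ssh(1)); the three-field form used in 3.1 binds the listener according to GatewayPorts, which defaults to no, i.e. loopback only (assumed here), while an explicit bind address of `*` or an empty one opens the forwarded port to every host on VMnet1, so that other external hosts could reach the intranet POP3 service through the tunnel. The function below rejects malformed specs and flags non-loopback bindings; IPv6 bind addresses (which contain colons) are not handled.

```bash
#!/bin/sh
# Added example: sanity-check an ssh -L specification before starting the tunnel.
# OpenSSH syntax: [bind_address:]port:host:hostport (see ssh(1)).
# Exit status: 0 = well formed and bound to loopback,
#              1 = malformed (wrong field count, bad port, empty host),
#              2 = well formed but listening on a non-loopback address.
# IPv6 bind addresses (which contain colons) are not handled.

valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or not purely numeric
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

check_forward_spec() {
    spec="$1"
    nfields=$(printf '%s' "$spec" | awk -F: '{ print NF }')
    case "$nfields" in
        3) explicit_bind=0; bind=""
           port=${spec%%:*}; rest=${spec#*:} ;;
        4) explicit_bind=1; bind=${spec%%:*}
           rest=${spec#*:}; port=${rest%%:*}; rest=${rest#*:} ;;
        *) echo "malformed spec: $spec" >&2; return 1 ;;
    esac
    host=${rest%%:*}
    hostport=${rest#*:}
    if ! valid_port "$port" || ! valid_port "$hostport"; then
        echo "bad port in spec: $spec" >&2; return 1
    fi
    if [ -z "$host" ]; then
        echo "empty destination host in spec: $spec" >&2; return 1
    fi
    # Three-field form: the listener follows GatewayPorts, which defaults to no,
    # i.e. loopback only (assumed here).
    [ "$explicit_bind" -eq 0 ] && return 0
    case "$bind" in
        localhost|127.0.0.1) return 0 ;;
        *) echo "warning: $spec binds to '${bind:-*}', reachable from other hosts" >&2; return 2 ;;
    esac
}

# Usage:  check_forward_spec 2000:172.16.2.2:110 && ssh -L 2000:172.16.2.2:110 172.16.1.3
```

With the spec from 3.1 the check passes silently; `*:2000:172.16.2.2:110` or `:2000:172.16.2.2:110` returns 2 with a warning, and anything with a missing field or an out-of-range port returns 1.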
3.3 Connecting through the tunnel:
Since the ssh port forwarding above was not started in the background, a separate PuTTY terminal on 172.16.1.2 has to be opened. Enter the following command:
telnet localhost 2000
Then log in and receive mail.
3.4 Comparative test:
After the steps above have been performed, make a connection that does not use port forwarding:
telnet 172.16.2.2 110
This telnets from the local host 172.16.1.2 to the remote host 172.16.2.2 and connects to the Post Office Protocol port 110.
4. Analyse the captured packets:
4.1 The first part of the data, transmitted through the tunnel, is encrypted with the SSH protocol; the later direct telnet login is transmitted in clear text, and the username, password and message contents are all visible.
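To make the comparison in 4.1 mechanical, here is an added example (not from the original write-up) that scans a capture export for POP3 commands carrying credentials in the clear. The input format, a tab-separated export of source, destination, destination port, POP3 command and argument, and the sample lines themselves are constructed for this example; the SSH-tunnelled packets to port 22 have no readable command field, which is what Wireshark shows for the first part of the capture, while the direct telnet session exposes USER and PASS.

```bash
#!/bin/sh
# Added example: find POP3 commands that carry credentials in the clear.
# Input: one packet per line, tab-separated:
#   src  dst  dstport  pop3_command  pop3_argument
# For SSH packets (port 22) the last two fields are empty: the payload is ciphertext.

# Constructed sample in that shape, mirroring the two phases of the experiment:
# first the tunnelled session to the gateway, then the direct telnet to port 110.
sample_capture() {
    printf '%s\t%s\t%s\t%s\t%s\n' \
        172.16.1.2 172.16.1.3 22  ''   ''     \
        172.16.1.2 172.16.1.3 22  ''   ''     \
        172.16.1.2 172.16.2.2 110 USER alice  \
        172.16.1.2 172.16.2.2 110 PASS s3cret \
        172.16.1.2 172.16.2.2 110 STAT ''     \
        172.16.1.2 172.16.2.2 110 RETR 1
}

# Reads the export on stdin.  Prints one finding per line on stderr
# (with the password masked) and the number of findings on stdout.
count_cleartext_pop3_creds() {
    awk -F'\t' '
        $3 == "110" && $4 == "USER" {
            printf "cleartext USER %s  %s -> %s\n", $5, $1, $2 > "/dev/stderr"; n++
        }
        $3 == "110" && $4 == "PASS" {
            printf "cleartext PASS (%d chars)  %s -> %s\n", length($5), $1, $2 > "/dev/stderr"; n++
        }
        END { print n + 0 }'
}

# Usage:  sample_capture | count_cleartext_pop3_creds
```

On the sample the count is 2 (one USER, one PASS), both from the direct telnet phase; filtering the export down to the port 22 packets gives 0, since nothing in the tunnelled leg is readable.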
Conclusion: This experiment basically achieves its objective, realizing secure POP communication from vm1 in the simulated external network environment. The steps are essentially the same as those for Telnet and POP port forwarding between the two virtual machines in the previous experiments.