SSH port forwarding in Linux

Source: Internet
Author: User
Tags ssh port

Original article: http://www.dbabeta.com/2010/linux-port-forward-with-ssh.html

 

Generally, some specific ports are open for communication between two different networks, while port 22 used by SSH is usually open. Ssh-based port forwarding uses SSH as an intermediate proxy to bypass the restrictions between two networks and smoothly access any port.

Port forwarding can be divided into forward port forwarding, reverse port forwarding, and dynamic port forwarding.

To demonstrate the usage of these three port forwarding methods, assume that there are two domain office and prod, and there are two host A and B in the domain office, in the domain prod, the two hosts C and D, except that host a can access port 22 of C, all other accesses are forbidden by network rules, that is to say, machine A cannot access all ports except 22 of machine C, nor host D. Host C and D cannot access any host in machine A or machine B.

 

Task 1: forward port forwarding

Now let's start our first task: assume that the database service is installed on host d, and the listening port is 8888, what if I want to directly access the database in host D through host a in the office domain? This requires the SSH forward port function. In Linux, all port forwarding operations can be completed by using the built-in tool ssh.

The command to complete Task 1 is as follows:

1 SSH -L 8000: host-d.prod.mycompany.com: 8888 oracle@host-c.prod.mycompany.com-n

Now let's explain the above command:

Parameter-l
Indicates the port on which the listener is enabled locally, followed by the parameter format:, which indicates that the local port 8000 is forwarded to port 8888 of remote host D.
Orainst@host-c.prod.mycompany.com
This parameter specifies the host to log on using SSH and the user name. The host used here and the host in the previous parameter must be in the same domain and can access each other, of course, it can also be the same machine.
Parameter-n
Do not run remote commands. This parameter is optional here.

Run the preceding command on host a and enter the correct password. Then, log on to host a to check the status of the current Port:

12345 Oracle @ host-A [orcl]: ~ $ Netstat -Natp | Grep 8000 (Not all processes cocould be identified, non-owned process info   Will not be shown, you wowould have to be root to see it all .) TCP 0 0 127.0.0.1: 8000 0.0.0.0: * Listen 3767 /Ssh TCP 0 0: 1: 8000: * Listen 3767 /Ssh

You can see that port 8000 is ready to accept the connection at any time on host a, but note that the Network monitored here is 127.0.0.1 (: 1), that is, this connection is limited to local operations.

Next, configure tnsnames as follows:

123456789101112 Orcl =   (Description = (Enable = broken) (Address_list = (Failover = on) (Load_balance = yes) (Address = (Protocol = TCP) (host = localhost) (Port = 8000 )) ) (CONNECT_DATA = (SID = orcl) ) )

Then tnsping test:

123456789101112 Oracle @ host-A [orcl]: ~ $ Tnsping orcl TNS Ping utilityFor Linux: Version 11.1.0.7.0-production on 05-jul-2010 09:13:25 Copyright (c) 1997,200 8, Oracle. All rights reserved. Used parameter files:Used tnsnames adapter to resolveAliasAttempting to contact (description = (enable = broken) (address_list = (Failover = on) (load_balance = yes) (address = (Protocol = TCP) (host = localhost) (Port = 8000) (CONNECT_DATA = (SID = orcl )))OK (340 msec)

Success.

Task 2: reverse port forwarding

Because the domain prod cannot access the domain office in any way, assume that the physical locations of these two domains are completely different, what should I do if I want to operate host a in the domain office when I am in the domain prod on that day? This is the time to use reverse port forwarding.

The basic idea of reverse port forwarding is to open a port on host C while establishing an SSH connection from host a to host C, which can be reversely connected to a port on host B, of course, connecting to host B's 22 (ssh port) is the most cost-effective from host control. Now you have to run the following command on host:

1 SSH -R 8888: localhosthost-b.office.mycompany.com: 22 oracle@host-c.prod.mycompany.com-n

In the same way, first explain the above command:

Parameter-R
Create a reverse port forwarding rule, followed by the following parameter format:, the listening port is 8888, and the reverse connection is to port 22 of host B, which was originally inaccessible to host C.
Oracle@host-c.prod.mycompany.com
This parameter specifies the host to log on using SSH and the user name. The host used here and the host in the previous parameter must be in the same domain and can access each other, of course, it can also be the same machine.
Parameter-n
Do not run remote commands. This parameter is optional here.

After successfully executing the above command on host a, you can log on to host C to check the effect. First, check the development status of port 8888:

1234 Oracle @ host-C :~ $ Netstat -Natp | Grep 8888 (No info cocould be Read For "-P" : Geteuid () = 1001 but you shoshould be root .) TCP 0 0 127.0.0.1: 8888 0.0.0.0: * listen- Tcp6 0 0: 1: 8888: * listen-

Then, test the port availability and run the following command:

1234567 Oracle @ host-C :~ $SSH -P 8888 Oracle @ localhostPassword:Last login: Mon Jul 5 02:34:50 2010 from 172.24.43.103 Oracle@host-b.office $HostnameHost-b.office.mycompany.comOracle@host-b.office $

Now we have successfully established a connection that would have been impossible by using the only open SSH port. This method is very useful. When to use it depends on everyone's efforts.

Task 3: dynamic port forwarding

Dynamic port forwarding is actually an SSH-encrypted socks4/5 proxy channel.ProgramYou can use this encrypted channel for proxy access. Now the most common method is to flip the wall, and the method is very simple. The command is as follows:

1 SSH -D 8888 username@proxyhost.mycompany.com-n

Command explanation:

Parameter-d
Create a dynamic socks4/5 proxy Channel followed by the port number of the local listener.
Username@proxyhost.mycompany.com
This parameter specifies the host to log on using SSH and the user name. The host used here and the host in the previous parameter must be in the same domain and can access each other, of course, it can also be the same machine.
Parameter-n
Do not run remote commands. This parameter is optional here.

This method is not helpful for office work, so I will not talk about it any more.

Additional reading
    • SSH tutorial for Linux
    • Secure Shell
    • Port forwarding
Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.