SSH port forwarding in Linux

In Linux, SSH port forwarding usually opens some specific ports between two different networks for communication, while Port 22 used by SSH is usually open. SSH-based port forwarding uses SSH as the proxy to bypass the restrictions between the two networks... in Linux, SSH port forwarding usually opens some specific ports between two different networks for communication, while Port 22 used by SSH is usually open. SSH-based port forwarding uses SSH as an intermediate proxy to bypass the restrictions between two networks and smoothly access any port. Port forwarding can be divided into forward port forwarding, reverse port forwarding, and dynamic port forwarding. To demonstrate the usage of these three port forwarding methods, assume that there are two domain Office and Prod, and there are two host A and B in the domain Office, in the domain Prod, the two hosts C and D, except that host A can access port 22 of C, all other accesses are forbidden by network rules, that is to say, Machine A cannot access all ports except 22 of Machine C, nor host D. host C and D cannot access any host in Machine A or machine B. Task 1: forward port forwarding now starts our first task: assume that the database service is installed on host D, and the listening port is 8888, what if I want to directly access the database in host D through host A in the Office domain? This requires the SSH forward port function. In Linux, all port forwarding operations can be completed by using the built-in tool ssh. The command to complete task 1 is simple, as shown below: 1ssh-L 8000: host-d.prod.mycompany.com: 8888 oracle@host-c.prod.mycompany.com-N now explains the above Command: parameter-L represents the port on which the listener is enabled locally, the following parameter format is as follows:, which indicates that the local port 8000 is forwarded to port 8888 of remote host D. Orainst@host-c.prod.mycompany.com this parameter specifies the host to be logged on using ssh and the user name, the host used here and the host in the previous parameter must be in the same domain and can access each other, of course, it can also be the same machine. Parameter-N does not execute remote commands. This parameter is optional here. Run the preceding command on host A and enter the correct password. then, log on to host A to check the status of the current port: 1oracle @ host-a [orcl]: ~ $ Netstat-natp | grep 80002 (Not all processes cocould be identified, non-owned process info3 will not be shown, you wocould have to be root to see it all .) 4tcp 0 0 127.0.0.1: 8000 0.0.0.0: * LISTEN 3767/ssh5tcp 0 0: 1: 8000 ::: * You can see that Port 3767 on host A is ready to accept connections at any time in LISTEN 8000/ssh. However, note that the network monitored here is 127.0.0.1 (: 1 ), that is to say, this connection is limited to local operations. Next, configure TNSNAMES as follows: 01 orcl = 02 (DESCRIPTION = 03 (ENABLE = BROKEN) 04 (ADDRESS_LIST = 05 (FAILOVER = ON) 06 (LOAD_BALANCE = YES) 07 (ADDRESS = (PROTOCOL = TCP) (HOST = localhost) (PORT = 8000) 08) 09 (CONNECT_DATA = 10 (SID = orcl) 11) 12) then tnsping to test: 01oracle @ host-a [orcl]: ~ $ Tnsping orcl02 03TNS Ping Utility for Linux: Version 11.1.0.7.0-Production on 05-JUL-2010 05 Copyright (c) 1997,200 8, Oracle. all rights reserved.06 07 Used parameter files: 08 09 10 Used TNSNAMES adapter to resolve the alias11Attempting to contact (DESCRIPTION = (ENABLE = BROKEN) (ADDRESS_LIST = (FAILOVER = ON) (LOAD_BALANCE = YES) (ADDRESS = (PROTOCOL = TCP) (HOST = localhost) (PORT = 8000) (CONNECT _ DATA = (SID = orcl) 12OK (340 msec) success. Task 2: reverse port forwarding because the domain Prod cannot access the domain Office in any way, assuming that the physical locations of the two domains are completely different, what should I do if I want to operate host A in the domain Office when I am in the domain Prod on that day? This is the time to use reverse port forwarding. The basic idea of reverse port forwarding is to open A port on host C while establishing an ssh connection from host A to host C, which can be reversely connected to A port on host B, of course, connecting to host B's 22 (ssh Port) is the most affordable from host control. now, you need to run the following command on host A: 1ssh-R 8888: localhosthost-b.office.mycompany.com: 22 oracle@host-c.prod.mycompany.com-N the same, first explain the above Command: parameter-R creates a reverse port forwarding, followed by the parameter format ::, the listening port is 8888. the reverse connection is to Port 22 of host B, which is inaccessible to host C. Oracle@host-c.prod.mycompany.com this parameter specifies the host to be logged on using ssh and the user name, the host used here and the host in the previous parameter must be in the same domain and can access each other, of course, it can also be the same machine. Parameter-N does not execute remote commands. This parameter is optional here. After successfully executing the preceding command on host A, you can log on to host C to check the effect. First, check the development status of port 8888: 1oracle @ host-c :~ $ Netstat-natp | grep 88882 (No info cocould be read for "-p": geteuid () = 1001 but you shoshould be root .) 3tcp 0 0 127.0.0.1: 8888 0.0.0.0: * LISTEN-4tcp6 0 0: 1: 8888 ::: * LISTEN-then test the port availability. run the following command: 1oracle @ host-c :~ $ Ssh-p 8888 oracle @ localhost2Password: 3 Last login: mon Jul 5 02:34:50 2010 from 172.24.43.1034 5oracle@host-b.office $ hostname6host-b.office.mycompany.com7oracle@host-b.office $ now it's already successful to use the only open ssh port to establish a connection that would have been totally impossible. This method is very useful. When to use it depends on everyone's efforts. Task 3: dynamic port forwarding is actually creating an ssh-encrypted SOCKS4/5 proxy channel, any program that supports the SOCKS4/5 protocol can use this encrypted channel for proxy access. now the most common method for this method is to flip the wall and the method is very simple. the command is as follows: 1ssh-D 8888 username@proxyhost.mycompany.com-N command explanation: parameter-D creates a dynamic SOCKS4/5 proxy channel followed by the port number of the local listener. Username@proxyhost.mycompany.com this parameter specifies the host to be logged on using ssh and the user name, the host used here and the host in the previous parameter must be in the same domain and can access each other, of course, it can also be the same machine. Parameter-N does not execute remote commands. This parameter is optional here. This method is not helpful for office work, so I will not talk about it any more.