SSH port forwarding in Linux

Source: Internet
Author: User
Tags: ssh, port

Original article: http://www.dbabeta.com/2010/linux-port-forward-with-ssh.html


Normally only a few specific ports are open between two networks, and port 22 (SSH) is usually one of them. SSH port forwarding uses that SSH connection as an intermediate proxy: traffic for other ports is carried inside the encrypted SSH session, so the restrictions between the two networks are bypassed and any port reachable from the SSH server can be accessed.

Port forwarding comes in three forms: forward (local) port forwarding, reverse (remote) port forwarding, and dynamic port forwarding.

To demonstrate the three methods, assume two network domains, office and prod. Hosts A and B are in office; hosts C and D are in prod. The network rules allow exactly one thing: host A may reach port 22 of host C. Everything else is blocked, so A cannot reach any other port of C and cannot reach D at all, and C and D cannot reach A or B on any port.


Task 1: forward port forwarding

Now the first task: assume a database service is installed on host D, listening on port 8888. How can host A in the office domain reach that database directly? This is what SSH forward port forwarding is for. On Linux all of the forwarding described here is done with the standard ssh client; no extra tools are needed.

The command for Task 1, run on host A, is:

    ssh -L 8000:host-d.prod.mycompany.com:8888 oracle@host-c.prod.mycompany.com -N

Explanation of the command:

-L
Opens a listening port locally. Its argument has the form [bind_address:]local_port:remote_host:remote_port; here local port 8000 on host A is forwarded to port 8888 of remote host D. remote_host is resolved and connected to by the SSH server (host C), not by A, so D only needs to be reachable from C.
oracle@host-c.prod.mycompany.com
The SSH server to log on to and the user name to use. This is the host whose port 22 is open to A; it must be able to reach the forward target (host D), and it may also be the same machine as the target (then use localhost as remote_host).
-N
Do not run a remote command; the session only carries the forwarding. Optional here, but it avoids keeping an idle shell open. Note the capital N: lower-case -n only redirects stdin from /dev/null.

Run the command on host A and enter the password when prompted. Then, in another session on host A, check the state of the port:

    oracle@host-A[orcl]:~$ netstat -natp | grep 8000
    (Not all processes could be identified, non-owned process info
     will not be shown, you would have to be root to see it all.)
    tcp   0  0 127.0.0.1:8000  0.0.0.0:*  LISTEN  3767/ssh
    tcp6  0  0 ::1:8000        :::*       LISTEN  3767/ssh

Port 8000 on host A is now accepting connections, but note that the listener is bound to 127.0.0.1 (and ::1) only: the tunnel can be used only by processes on host A itself. That is the safe default. If other hosts in the office domain should be able to use it, add -g or give an explicit bind address (for example -L 0.0.0.0:8000:host-d.prod.mycompany.com:8888), and remember that anyone who can then reach A on port 8000 reaches the database exactly as if they were on host C.

Next, configure tnsnames.ora as follows:

    ORCL =
      (DESCRIPTION =
        (ENABLE = BROKEN)
        (ADDRESS_LIST =
          (FAILOVER = ON)
          (LOAD_BALANCE = YES)
          (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 8000))
        )
        (CONNECT_DATA =
          (SID = orcl)
        )
      )

Then test with tnsping:

    oracle@host-A[orcl]:~$ tnsping orcl

    TNS Ping Utility for Linux: Version 11.1.0.7.0 - Production on 05-JUL-2010 09:13:25

    Copyright (c) 1997, 2008, Oracle.  All rights reserved.

    Used parameter files:

    Used TNSNAMES adapter to resolve the alias
    Attempting to contact (DESCRIPTION = (ENABLE = BROKEN) (ADDRESS_LIST = (FAILOVER = ON) (LOAD_BALANCE = YES) (ADDRESS = (PROTOCOL = TCP) (HOST = localhost) (PORT = 8000))) (CONNECT_DATA = (SID = orcl)))
    OK (340 msec)

Success.

Task 2: reverse port forwarding

The prod domain cannot reach the office domain in any way; assume the two are in completely different physical locations. What if, one day, you are sitting in the prod domain and need to operate host A in the office domain? This is where reverse port forwarding comes in.

The idea of reverse port forwarding is that when host A establishes its SSH connection to host C, it asks C to open a listening port; connections to that port on C are carried back through the tunnel to a port on host B (or on A itself). Forwarding to port 22 (SSH) on B gives you a full login there, so that is the most useful target. The command, run on host A, is:

    ssh -R 8888:host-b.office.mycompany.com:22 oracle@host-c.prod.mycompany.com -N

Explanation of the command:

-R
Creates a reverse forwarding rule. Its argument has the form [bind_address:]remote_port:host:hostport; here port 8888 is opened on the SSH server (host C), and connections to it are sent back to port 22 of host B, which C could not reach on its own. host:hostport is connected to by the client (host A), so B only needs to be reachable from A.
oracle@host-c.prod.mycompany.com
The SSH server to log on to and the user name. This is the host on which the new listening port appears.
-N
Do not run a remote command. Optional here, as before.

After the command succeeds on host A, log on to host C to see the effect. First check that port 8888 is listening:

    oracle@host-C:~$ netstat -natp | grep 8888
    (No info could be read for "-p": geteuid()=1001 but you should be root.)
    tcp   0  0 127.0.0.1:8888  0.0.0.0:*  LISTEN  -
    tcp6  0  0 ::1:8888        :::*       LISTEN  -

As with -L, the port is bound to loopback on C only. Other hosts in prod (such as D) cannot use it unless sshd on host C has GatewayPorts enabled: with -R it is the server, not the client, that decides whether a non-loopback bind address is allowed.

Then test the port by logging in through it:

    oracle@host-C:~$ ssh -p 8888 oracle@localhost
    Password:
    Last login: Mon Jul  5 02:34:50 2010 from 172.24.43.103
    oracle@host-b.office $ hostname
    host-b.office.mycompany.com
    oracle@host-b.office $

We have now established, through the single open SSH port, a connection that the network rules were designed to prevent. The method is very useful; how you apply it is up to you. Bear in mind that it has just opened a hole through a network boundary that someone put there on purpose.

Task 3: dynamic port forwarding

Dynamic port forwarding turns the SSH connection into an encrypted SOCKS4/5 proxy. Any program that can speak SOCKS can send its traffic through this channel, and the SSH server makes the outbound connections on its behalf. Today the most common use is getting around network blocking. The command is simple:

    ssh -D 8888 username@proxyhost.mycompany.com -N

Explanation of the command:

-D
Creates a dynamic SOCKS4/5 proxy channel; the argument ([bind_address:]port) is the port on which the local SOCKS listener is opened. Unlike -L, the destination is not fixed: each SOCKS request names its own host and port, and the SSH server connects to it, so whatever the server can reach, the client can reach. With SOCKS5 the client can also leave name resolution to the server (socks5h in curl's terms), which keeps DNS queries for the proxied destinations off the local network.
username@proxyhost.mycompany.com
The SSH server to log on to and the user name; it is the host from which all proxied connections originate.
-N
Do not run a remote command. Optional here, as before.

This method is of little use for ordinary office work, so it is not discussed further here.
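The three commands from Tasks 1, 2 and 3, wrapped in one small script. This is an added example, not code from the original article: it starts each tunnel in the background through an SSH control socket so it can later be checked and closed, makes ssh fail loudly if a port cannot be bound, pins every listener to 127.0.0.1 explicitly, and adds a listener_scope check that reads netstat or ss output and reports whether a tunnel port is bound to loopback only or is reachable from other hosts. Host names, users and ports come from the article; the CTL_DIR location and the sample netstat text are this script's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): manage the article's three
# tunnels through a control socket and audit which interface a tunnel port
# is bound to. CTL_DIR and the sample netstat text are assumptions.

CTL_DIR="${CTL_DIR:-$HOME/.ssh/ctl}"

# tunnel_up <name> <user@host> <forward options...>
# -f -N: go to background, run no remote command; -M -S: control socket so
# the tunnel can be checked and closed later; ExitOnForwardFailure makes ssh
# exit non-zero (instead of silently succeeding) if the port cannot be bound.
tunnel_up() {
  name=$1; target=$2; shift 2
  mkdir -p "$CTL_DIR" && chmod 700 "$CTL_DIR"
  ssh -f -N -M -S "$CTL_DIR/$name" \
      -o ExitOnForwardFailure=yes \
      -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
      "$@" "$target"
}

tunnel_check() { ssh -S "$CTL_DIR/$1" -O check "$2"; }   # is it still alive?
tunnel_down()  { ssh -S "$CTL_DIR/$1" -O exit  "$2"; }   # close it cleanly

# listener_scope <port>  (reads `netstat -natp` or `ss -ltn` output on stdin)
# Prints "loopback" if every listener on <port> is bound to 127.0.0.1/::1,
# "exposed" if any is bound to another address (0.0.0.0, ::, a NIC address,
# as happens with -g or a 0.0.0.0: bind prefix), "none" if nothing listens.
listener_scope() {
  awk -v port="$1" '
    /LISTEN/ {
      addr = $4                       # 4th column is Local Address:Port
      n = split(addr, parts, ":")
      if (parts[n] != port) next      # some other port
      host = substr(addr, 1, length(addr) - length(port) - 1)
      found = 1
      if (host != "127.0.0.1" && host != "::1" && host != "[::1]") exposed = 1
    }
    END { print (!found ? "none" : (exposed ? "exposed" : "loopback")) }'
}

# Constructed sample, modelled on the netstat listing in the article.
SAMPLE_LOOPBACK='tcp   0 0 127.0.0.1:8000 0.0.0.0:* LISTEN 3767/ssh
tcp6  0 0 ::1:8000       :::*      LISTEN 3767/ssh'
# Constructed: what the same tunnel looks like after `ssh -g -L 8000:...`.
SAMPLE_EXPOSED='tcp   0 0 0.0.0.0:8000   0.0.0.0:* LISTEN 3767/ssh
tcp6  0 0 :::8000        :::*      LISTEN 3767/ssh'

case "${1:-}" in
  task1) tunnel_up db   oracle@host-c.prod.mycompany.com \
           -L 127.0.0.1:8000:host-d.prod.mycompany.com:8888 ;;
  task2) tunnel_up back oracle@host-c.prod.mycompany.com \
           -R 127.0.0.1:8888:host-b.office.mycompany.com:22 ;;
  task3) tunnel_up socks username@proxyhost.mycompany.com \
           -D 127.0.0.1:8888 ;;
  check) tunnel_check "$2" "$3" ;;
  down)  tunnel_down  "$2" "$3" ;;
  audit) netstat -natp 2>/dev/null | listener_scope "$2" ;;
  demo)  printf '%s\n' "$SAMPLE_LOOPBACK" | listener_scope 8000   # loopback
         printf '%s\n' "$SAMPLE_EXPOSED"  | listener_scope 8000 ;; # exposed
esac
```

Usage: `sh tunnels.sh task1` on host A, then `sh tunnels.sh audit 8000` should print `loopback`; `sh tunnels.sh down db oracle@host-c.prod.mycompany.com` closes the tunnel without hunting for the ssh process. For task2 the audit has to be run on host C, where the -R listener lives, and it will still report `loopback` unless sshd on C has GatewayPorts enabled; for task3, point a SOCKS-aware client at 127.0.0.1:8888. The explicit 127.0.0.1 bind prefixes make the loopback-only behaviour a stated intent rather than a default that a stray -g or GatewayPorts setting can silently change.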

Additional reading
    • SSH tutorial for Linux
    • Secure Shell
    • Port forwarding
