Original article: http://www.dbabeta.com/2010/linux-port-forward-with-ssh.html
Generally, only a few specific ports are open for communication between two different networks, but port 22, used by SSH, is usually one of them. SSH-based port forwarding uses the SSH connection as an intermediate proxy to get past the restrictions between the two networks and reach any port on the far side.
Port forwarding comes in three forms: forward (local) port forwarding, reverse (remote) port forwarding, and dynamic port forwarding.
To demonstrate the three methods, assume two domains, office and prod. Hosts A and B are in the office domain; hosts C and D are in the prod domain. Apart from host A being able to reach port 22 of host C, every other connection is forbidden by the network rules: host A cannot reach any port of host C other than 22, nor host D at all, and hosts C and D cannot reach host A or host B at all.
Task 1: forward port forwarding
Now the first task: a database service is installed on host D, listening on port 8888. How can I access that database directly from host A in the office domain? This is what SSH forward port forwarding is for. On Linux, all of the port forwarding operations below are done with the built-in ssh client.
The command to complete Task 1 is as follows:
    ssh -L 8000:host-d.prod.mycompany.com:8888 oracle@host-c.prod.mycompany.com -N
Now let's explain the above command:
- Parameter -L
  Opens a listening port locally. The argument format is port:host:hostport; here local port 8000 is forwarded to port 8888 of remote host D.
- oracle@host-c.prod.mycompany.com
  The host to log on to with SSH, and the user name. This host and the host named in the previous parameter must be able to reach each other (the same network); they may even be the same machine.
- Parameter -N
  Do not run a remote command. This parameter is optional here.
Run the above command on host A and enter the correct password. Then, still on host A, check the state of the port:

    oracle@host-A[orcl]:~$ netstat -natp | grep 8000
    (Not all processes could be identified, non-owned process info
     will not be shown, you would have to be root to see it all.)
    tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN      3767/ssh
    tcp6       0      0 ::1:8000                :::*                    LISTEN      3767/ssh

Port 8000 on host A is now listening and ready to accept connections, but note that it listens on 127.0.0.1 (and ::1) only, so connections can be made only from host A itself.
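The following script is an added example, not code from the original article. It starts the Task 1 forward in the background through an SSH control socket so it can be stopped cleanly, and it turns the netstat check above into a function that confirms the listener is bound to loopback only (the same check applies to the reverse forward's listener on host C later in the article). The host names, user and ports are the article's; the control socket path, the extra ssh options and the sample netstat lines are assumptions constructed for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): run the Task 1 forward in the
# background with a control socket so it can be stopped cleanly, and check that
# the local listener is bound to loopback only. Host names, user and ports are
# the article's; the control socket path, the extra ssh options and the sample
# netstat output are assumptions of this example.
set -u

JUMP="oracle@host-c.prod.mycompany.com"   # host C: the only reachable SSH host
DB_HOST="host-d.prod.mycompany.com"       # host D: the database server
DB_PORT=8888
LOCAL_PORT=8000
CTL="${HOME}/.ssh/ctl-%C"                 # assumed ControlPath (%C = hashed endpoint)

# Start the forward. -N: no remote command; -f: go to the background after
# authentication; ExitOnForwardFailure: fail loudly if port 8000 is already
# taken instead of logging in without the tunnel; the explicit 127.0.0.1 bind
# address keeps the listener local even if a config file sets GatewayPorts.
start_forward() {
  ssh -f -N -M -S "$CTL" \
      -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 \
      -L "127.0.0.1:${LOCAL_PORT}:${DB_HOST}:${DB_PORT}" "$JUMP"
}

# Tear the forward down through the control socket.
stop_forward() { ssh -S "$CTL" -O exit "$JUMP"; }

# listeners_on_port PORT : read "netstat -natp" or "ss -tln" output on stdin
# and print the local address of every LISTEN socket on PORT. In both tools
# the local address is the 4th field of a LISTEN line.
listeners_on_port() {
  awk -v port="$1" '
    /LISTEN/ {
      n = split($4, parts, ":")      # last element is the port number
      if (parts[n] == port) print $4
    }'
}

# loopback_only PORT : succeed only if at least one listener exists on PORT
# and every one of them is bound to 127.0.0.1 or ::1.
loopback_only() {
  listeners_on_port "$1" | awk -v port="$1" '
    BEGIN { n = 0; bad = 0 }
    { n++
      if ($0 != "127.0.0.1:" port && $0 != "::1:" port && $0 != "[::1]:" port) bad++ }
    END { exit !(n > 0 && bad == 0) }'
}

# Constructed sample output (not captured from a real system), in the shape
# of the article's netstat listing; used by the check_sample_* helpers.
SAMPLE_OK='tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN      3767/ssh
tcp6       0      0 ::1:8000                :::*                    LISTEN      3767/ssh'
SAMPLE_EXPOSED='tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      3767/ssh
tcp        0      0 127.0.0.1:22            0.0.0.0:*               LISTEN      -'

check_sample_ok()      { printf '%s\n' "$SAMPLE_OK"      | loopback_only 8000; }
check_sample_exposed() { printf '%s\n' "$SAMPLE_EXPOSED" | loopback_only 8000; }
check_sample_missing() { printf '%s\n' "$SAMPLE_EXPOSED" | loopback_only 9999; }

# Live check of the running tunnel on this host (uses ss if present).
check_live() {
  if command -v ss >/dev/null 2>&1; then ss -tln; else netstat -natp 2>/dev/null; fi |
    loopback_only "$LOCAL_PORT"
}

case "${1:-}" in
  start) start_forward && check_live && echo "tunnel up on 127.0.0.1:${LOCAL_PORT}" ;;
  stop)  stop_forward ;;
  check) check_live && echo "loopback only" || echo "NOT loopback only or not listening" ;;
esac
```

Usage: `./tunnel.sh start` brings the forward up and verifies it, `./tunnel.sh check` re-runs the verification at any time, and `./tunnel.sh stop` closes it. The bind-address check is what a practitioner wants before pointing a database client at the port: a forward that has silently bound to 0.0.0.0 exposes the prod database to everything that can reach host A.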
Next, configure tnsnames as follows:
    orcl =
      (DESCRIPTION =
        (ENABLE = BROKEN)
        (ADDRESS_LIST =
          (FAILOVER = ON)
          (LOAD_BALANCE = YES)
          (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 8000))
        )
        (CONNECT_DATA =
          (SID = orcl)
        )
      )
Then test with tnsping:

    oracle@host-A[orcl]:~$ tnsping orcl

    TNS Ping Utility for Linux: Version 11.1.0.7.0 - Production on 05-JUL-2010 09:13:25

    Copyright (c) 1997, 2008, Oracle.  All rights reserved.

    Used parameter files:

    Used TNSNAMES adapter to resolve the alias
    Attempting to contact (DESCRIPTION = (ENABLE = BROKEN) (ADDRESS_LIST = (FAILOVER = ON) (LOAD_BALANCE = YES) (ADDRESS = (PROTOCOL = TCP) (HOST = localhost) (PORT = 8000))) (CONNECT_DATA = (SID = orcl)))
    OK (340 msec)
Success.
Task 2: reverse port forwarding
Because the prod domain cannot reach the office domain in any way (assume the two domains are in completely different physical locations), what do I do when I am working in the prod domain one day and want to operate host A in the office domain? This is where reverse port forwarding comes in.
The basic idea of reverse port forwarding is to open a port on host C as part of the SSH connection from host A to host C; connections to that port on host C are carried back through the tunnel to a port on host B. Connecting back to port 22 (the SSH port) of host B gives the most control over the host for the least effort. Run the following command on host A:
    ssh -R 8888:host-b.office.mycompany.com:22 oracle@host-c.prod.mycompany.com -N
As before, first an explanation of the command:
- Parameter -R
  Creates a reverse port forwarding rule. The argument format is port:host:hostport: the listening port (opened on host C) is 8888, and connections to it go back to port 22 of host B, which host C could not otherwise reach.
- oracle@host-c.prod.mycompany.com
  The host to log on to with SSH, and the user name. This is the host on which the listening port is opened. Note that here the forward runs the other way: host C does not need to reach host B; host A, which runs the command, makes the connection to host B (they may even be the same machine).
- Parameter -N
  Do not run a remote command. This parameter is optional here.
After running the above command on host A, log on to host C to check the effect. First, check that port 8888 is listening:

    oracle@host-C:~$ netstat -natp | grep 8888
    (No info could be read for "-p": geteuid()=1001 but you should be root.)
    tcp        0      0 127.0.0.1:8888          0.0.0.0:*               LISTEN      -
    tcp6       0      0 ::1:8888                :::*                    LISTEN      -

Then test that the port works by running:

    oracle@host-C:~$ ssh -p 8888 oracle@localhost
    Password:
    Last login: Mon Jul  5 02:34:50 2010 from 172.24.43.103
    oracle@host-b.office$ hostname
    host-b.office.mycompany.com
    oracle@host-b.office$

We have now established, using the single open SSH port, a connection that would otherwise have been impossible. This method is very useful; how much you get out of it is up to you.
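The netstat listing on host C shows the reverse listener bound to 127.0.0.1 only; that is decided by the sshd on host C, not by the client. The script below is an added example, not code from the original article: it reads an sshd_config and reports whether the -R request from Task 2 would be refused, bound to loopback, or bound to every interface. This is the check an administrator of host C wants, since a reverse tunnel from a less trusted network exposes office hosts, and AllowTcpForwarding no (or local) is the setting that stops it. The sample configurations are constructed for this example; parsing of Match blocks is deliberately simplified.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): report what the sshd on the
# SSH host (host C in Task 2) will do with a client's -R request. The article's
# netstat listing shows the remote listener on 127.0.0.1 because GatewayPorts
# defaults to "no"; AllowTcpForwarding "no" or "local" refuses -R outright.
# The sample configurations below are constructed for this example.
set -u

# sshd_option CONFIG_TEXT KEYWORD DEFAULT : print the effective value of
# KEYWORD. sshd keeps the FIRST occurrence of a keyword, keywords are
# case-insensitive, and "Key value" and "Key=value" are both accepted.
# Everything after a Match line is conditional and is skipped here
# (assumption: only the global policy is reported).
sshd_option() {
  printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
    { gsub(/=/, " ") }                       # normalise Key=value; re-splits $0
    /^[ \t]*#/ || NF == 0 { next }           # comments and blank lines
    tolower($1) == "match" { in_match = 1 }
    in_match { next }
    !done && tolower($1) == key { print $2; done = 1 }
    END { if (!done) print def }'
}

# reverse_forward_policy CONFIG_TEXT : prints one of
#   denied          a client -R request is refused
#   loopback        allowed, listener bound to 127.0.0.1/::1 on the server
#   all-interfaces  allowed, listener bound to every interface (GatewayPorts yes)
#   client-chosen   allowed, the client may pick the bind address
reverse_forward_policy() {
  allow=$(sshd_option "$1" AllowTcpForwarding yes | tr 'A-Z' 'a-z')   # sshd default: yes
  gw=$(sshd_option "$1" GatewayPorts no | tr 'A-Z' 'a-z')             # sshd default: no
  case "$allow" in
    yes|all|remote) ;;
    *) echo denied; return 0 ;;      # "no" and "local" both refuse -R
  esac
  case "$gw" in
    no)              echo loopback ;;
    yes)             echo all-interfaces ;;
    clientspecified) echo client-chosen ;;
    *)               echo unknown ;;
  esac
}

# Constructed sample configurations (not from any real host).
CFG_STOCK='# constructed: no forwarding keywords, so sshd defaults apply
Port 22
PermitRootLogin no'

CFG_LOCKED='AllowTcpForwarding no
GatewayPorts yes'

CFG_EXPOSED='GatewayPorts=yes
AllowTcpForwarding remote
GatewayPorts no'

CFG_LOCAL_ONLY='AllowTcpForwarding local
Match User oracle
    AllowTcpForwarding yes'

# Report on this machine's own sshd_config when run as "./policy.sh report".
if [ "${1:-}" = "report" ]; then
  reverse_forward_policy "$(cat /etc/ssh/sshd_config)"
fi
```

Run `./policy.sh report` on the SSH host to see which of the four outcomes applies there. The first-occurrence rule matters in practice: a hardening line appended to the end of sshd_config has no effect if an earlier line already sets the same keyword.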
Task 3: dynamic port forwarding
Dynamic port forwarding is in effect an SSH-encrypted SOCKS4/5 proxy channel; any program that can use a SOCKS proxy can send its traffic through this encrypted channel. The most common use today is getting past a network block ("climbing over the wall"), and the method is very simple. The command is as follows:

    ssh -D 8888 username@proxyhost.mycompany.com -N
Command explanation:
- Parameter -D
  Creates a dynamic SOCKS4/5 proxy channel; the argument is the local listening port number.
- username@proxyhost.mycompany.com
  The host to log on to with SSH, and the user name. There is no separate destination host in this command: the proxy connects onward from this host to whatever the client program requests.
- Parameter -N
  Do not run a remote command. This parameter is optional here.
This method is of no use for office work, so I will not go into it further.
Additional reading
- SSH tutorial for Linux
- Secure Shell
- Port forwarding