SSH port forwarding program under Linux

Source: Internet
Author: User
Tags: failover, ssh, port number, ssh port

SSH port forwarding on Linux comes in several forms, and it is a very practical way of putting the few open ports you have to good use, so today let's look at the specifics of SSH port forwarding.

Typically, two different networks open only a few specific ports to each other for communication, and port 22 used by SSH is usually among the open ones. SSH-based port forwarding uses SSH as an intermediary to bypass the restrictions between the two networks and reach any port smoothly.

Port forwarding can be divided into three types:

Forward port forwarding;
Reverse port forwarding;
Dynamic port forwarding.

To demonstrate these three port forwarding methods, assume there are two domains, office and prod. Hosts A and B are in the office domain, and hosts C and D are in the prod domain. Between the two domains, host A can access port 22 of host C and nothing else: network rules forbid host A from reaching any other port on C or any port on host D, and hosts C and D cannot access hosts A or B at all.

Task one: Forward port forwarding

Now let's start with the first task. Assume host D runs a database service listening on port 8888. What if I want to access that database on host D directly from host A in the office domain? This is what the forward port forwarding function of SSH is for. On Linux, all port forwarding operations can be done with the ssh tool that comes with the system.

The command to complete task one is simple, as follows:

ssh -L 8000:host-d.prod.mycompany.com:8888 oracle@host-c.prod.mycompany.com -N

Now let's explain the above command:

Parameter -L

Opens a listening port locally; the argument that follows has the format local_port:remote_host:remote_port, so here it forwards the local port 8000 to port 8888 of the remote host D.

oracle@host-c.prod.mycompany.com

This parameter specifies the host to log in to with SSH and the user name to log in with. This host and the host named in the previous argument must be in the same domain and be able to reach each other; they may even be the same machine.

Parameter -N

Do not execute a remote command. This parameter is optional here.

After running the above command on host A and entering the correct password, log in to host A and check the status of the forwarded port:

oracle@host-a[orcl]:~$ netstat -natp | grep 8000
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN      3767/ssh
tcp6       0      0 ::1:8000                :::*                    LISTEN      3767/ssh

You can see that port 8000 on host A is already listening and ready to accept connections, but note that it is bound to 127.0.0.1 (::1), so the forward can only be used from host A itself.
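As an added example (not part of the original article), the following shell script composes the -L command with an explicit loopback bind address and then checks netstat output to confirm that a forwarded port is bound only to 127.0.0.1 or ::1, which is the check behind the observation above. The netstat lines are constructed samples, and forward_cmd and loopback_only are names chosen here.

```shell
#!/bin/sh
# Added example, not the article's code: build a forward port forward with an
# explicit loopback bind and audit netstat output for the listener's bind address.

# Build the ssh -L command.  Binding explicitly to 127.0.0.1 makes the intent
# visible on the command line (ssh binds to loopback by default, but -g or a
# "*" bind address would expose the listener to other hosts), and
# ExitOnForwardFailure=yes makes ssh fail instead of silently logging in
# without the forward.
forward_cmd() {
    # $1 local port, $2 remote host, $3 remote port, $4 user@jumphost
    printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:%s %s\n' \
        "$1" "$2" "$3" "$4"
}

# Return 0 if every LISTEN entry for port $1 is bound to a loopback address
# (127.0.0.1 or ::1), 1 if any entry is bound to a wildcard or other address.
# Reads "netstat -natp" style output on stdin.
loopback_only() {
    awk -v port="$1" '
        $6 == "LISTEN" && $4 ~ (":" port "$") {
            addr = $4
            sub(":" port "$", "", addr)   # strip trailing :port (IPv6 has colons too)
            if (addr != "127.0.0.1" && addr != "::1") bad = 1
        }
        END { if (bad) exit 1; exit 0 }'
}

# Constructed netstat samples: the first mirrors the article's output, the
# second shows what a forward exposed on all interfaces would look like.
SAMPLE_GOOD='tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN      3767/ssh
tcp6       0      0 ::1:8000                :::*                    LISTEN      3767/ssh'
SAMPLE_BAD='tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      3767/ssh'

forward_cmd 8000 host-d.prod.mycompany.com 8888 oracle@host-c.prod.mycompany.com
printf '%s\n' "$SAMPLE_GOOD" | loopback_only 8000 && echo "port 8000: loopback only"
printf '%s\n' "$SAMPLE_BAD" | loopback_only 8000 || echo "port 8000: reachable beyond localhost"
```

Run loopback_only against live output with `netstat -natp | loopback_only 8000` on the host that started the forward; a non-zero exit means the forwarded database port is reachable by other machines on host A's network, which is rarely what a forward like this is meant to do.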

The next step is to configure tnsnames.ora as follows:

ORCL=
  (DESCRIPTION=
    (ENABLE=BROKEN)
    (ADDRESS_LIST=
      (FAILOVER=ON)
      (LOAD_BALANCE=YES)
      (ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=8000))
    )
    (CONNECT_DATA=
      (SID=ORCL)
    )
  )

Then test with tnsping:

oracle@host-a[orcl]:~$ tnsping ORCL

TNS Ping Utility for Linux: Version 11.1.0.7.0 - Production on 05-JUL-2010 09:13:25

Copyright (c) 1997, 2008, Oracle.  All rights reserved.

Used parameter files:

Used TNSNAMES adapter to resolve the alias
Attempting to contact (DESCRIPTION= (ENABLE=BROKEN) (ADDRESS_LIST= (FAILOVER=ON) (LOAD_BALANCE=YES) (ADDRESS=(PROTOCOL=TCP) (HOST=localhost) (PORT=8000))) (CONNECT_DATA= (SID=ORCL)))
OK (msec)

Done.

Task two: Reverse port forwarding

Since the prod domain cannot access the office domain in any way, and assuming the two domains are in completely different physical locations, what happens when one day you are in the prod domain and want to operate host A in the office domain? This is when reverse port forwarding is used.

The basic idea of reverse port forwarding is to establish the SSH connection from host A to host C while opening a port on host C that connects back to a port on host B; the most practical choice is to connect from host C to the SSH port of host B. All you have to do now is run the following command on host A:

ssh -R 8888:host-b.office.mycompany.com:22 oracle@host-c.prod.mycompany.com -N

In the same way, let's explain the above command first:

Parameter -R

Creates a reverse port forward; the argument that follows has the format remote_port:host:hostport. The port listened on here is 8888, opened on host C and connecting back to port 22 of host B, which host C could not originally reach.

oracle@host-c.prod.mycompany.com

This parameter specifies the host to log in to with SSH and the user name to log in with. The target host named in the previous argument (host B) must be reachable from the machine that runs the ssh command, here host A; it may even be that same machine.

Parameter -N

Do not execute a remote command. This parameter is optional here.

After the above command has run successfully on host A, log on to host C to check the effect. First, check the listening status of port 8888:

oracle@host-c:~$ netstat -natp | grep 8888
(No info could be read for "-p": geteuid()=1001 but you should be root.)
tcp        0      0 127.0.0.1:8888          0.0.0.0:*               LISTEN      -
tcp6       0      0 ::1:8888                :::*                    LISTEN      -

Then test the availability of this port by executing the following command:

oracle@host-c:~$ ssh -p 8888 oracle@localhost
Password:
Last login: Mon Jun 5 02:34:50 from 172.24.43.103

oracle@host-b.office$ hostname
host-b.office.mycompany.com
oracle@host-b.office$

We have now used the only open SSH port to establish a connection that would otherwise have been completely impossible. This method is very useful; how it is put to use depends on everyone's own needs.
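The listener on host C above is bound to 127.0.0.1:8888 because the server-side sshd option GatewayPorts defaults to no; whether a -R forward is accepted at all is governed by AllowTcpForwarding. As an added example (not the article's code), this script reads those two options out of an sshd_config text the way sshd resolves them (first occurrence wins, keywords are case-insensitive, comments are ignored) and reports how exposed a reverse forward on that server would be. The sshd_config samples are constructed, Match blocks are deliberately skipped as a simplification, and sshd_option and reverse_forward_exposure are names chosen here.

```shell
#!/bin/sh
# Added example, not the article's code: audit the sshd_config options that
# decide where an "ssh -R" listener binds on the server and whether it is
# permitted at all.

# Print the effective value of one sshd_config keyword.
# $1 config text, $2 keyword, $3 default to print when the keyword is absent.
# sshd uses the first value it finds for a keyword, matches keywords
# case-insensitively and ignores "#" comments; lines inside Match blocks
# apply only to matching sessions and are skipped here (simplification).
sshd_option() {
    printf '%s\n' "$1" | awk -v key="$2" -v def="$3" '
        { sub(/#.*/, "") }                       # drop comments
        tolower($1) == "match" { in_match = 1 }  # stop at the first Match block
        !in_match && NF >= 2 && tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }'
}

# Classify what a remote forward could reach on a server with this config.
# AllowTcpForwarding "no" or "local" refuses -R outright; otherwise
# GatewayPorts decides the bind address of the remote listener.
reverse_forward_exposure() {
    fwd=$(sshd_option "$1" AllowTcpForwarding yes | tr 'A-Z' 'a-z')
    gw=$(sshd_option "$1" GatewayPorts no | tr 'A-Z' 'a-z')
    case "$fwd" in
        no|local) echo "remote forwarding disabled"; return 0 ;;
    esac
    case "$gw" in
        no)              echo "loopback only" ;;
        yes)             echo "exposed on all interfaces" ;;
        clientspecified) echo "client chooses bind address" ;;
        *)               echo "unknown GatewayPorts value: $gw" ;;
    esac
}

# Constructed sshd_config samples.
CONF_DEFAULT='# constructed sample: nothing about forwarding, so defaults apply
Port 22
PermitRootLogin no'
CONF_EXPOSED='Port 22
GatewayPorts yes   # remote forwards reachable from the network
AllowTcpForwarding yes
Match User backup
    GatewayPorts no'
CONF_LOCKED='AllowTcpForwarding local'

for conf in "$CONF_DEFAULT" "$CONF_EXPOSED" "$CONF_LOCKED"; do
    echo "-> $(reverse_forward_exposure "$conf")"
done
```

On a real server, feed the file in with `reverse_forward_exposure "$(cat /etc/ssh/sshd_config)"`; "loopback only" is what the article's netstat output on host C corresponds to, while "exposed on all interfaces" means any host that can reach C could use port 8888 to get to B's SSH service.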

Task three: Dynamic port forwarding

Dynamic port forwarding actually establishes an SSH-encrypted SOCKS4/5 proxy channel; any program that supports the SOCKS4/5 protocol can use this encrypted channel for proxied access. The most common use of this method today is to get around network restrictions. The method is very simple; the command is as follows:

ssh -D 8888 username@proxyhost.mycompany.com -N

Command explanation:

Parameter -D

Establishes a dynamic SOCKS4/5 proxy channel; it is followed by the local listening port number.

username@proxyhost.mycompany.com

This parameter specifies the host to log in to with SSH and the user name to log in with; connections made through the SOCKS proxy leave from this host.

Parameter -N

Do not execute a remote command. This parameter is optional here.

Because this method is of no help in the office/prod scenario above, we will not say more about it.

Summary: the above covers SSH port forwarding on Linux and its three ways of communicating; these three methods let us reach other ports in a more orderly way, so it is worth users understanding this SSH port knowledge!
