SSH port forwarding details and Instances

Source: Internet
Author: User
Tags ssh port ssh server

I. Introduction to SSH port forwarding

SSH automatically encrypts and decrypts all network data exchanged between an SSH client and the SSH server. SSH can also carry the traffic of other TCP ports over the SSH connection, encrypting and decrypting it in the same way. This is called tunneling, because SSH provides a secure channel in which other TCP connections travel. TCP applications such as Telnet, SMTP and LDAP benefit from this: user names, passwords and other private information are no longer transmitted in plaintext. In addition, if the firewall in your working environment blocks some network ports but allows SSH connections, those TCP ports can be forwarded over SSH instead.

1.1 The two functions of SSH port forwarding
  • Encrypt the communication between the SSH client and the SSH server.
  • Get through a firewall: some TCP connections that could not be established before become possible.


II. Local forwarding

Command: ssh -L localport:remotehost:remotehostport sshserver

Note:

localport: the port number opened on the local machine

remotehost: IP address of the machine the connection finally reaches

remotehostport: the port number on that final machine

sshserver: IP address of the forwarding (SSH) server

Options: -f run in the background

-N do not open a remote shell, just keep the connection waiting (without -N, ssh logs in directly)

-g enable the gateway function (allow other hosts to connect to the locally forwarded port; without it the port listens on localhost only)

Next, we explain local forwarding in detail with an experiment:

Experiment 1: Implement SSH port forwarding (local forwarding)
  • Background: the internal enterprise server C only allows access through telnet (port 23) and does not allow direct external access. Server B is an ssh server. A user needs to connect to internal server C from outside.
  • Prerequisites: the firewall allows inbound connections to port 22 (or the enterprise has a bastion host that can be entered with ssh -t).
  • Principle: user A connects to machine B over the ssh protocol, then uses machine B as a stepping stone to connect to machine C.
  • Machines: rhel5 simulates user A, centos6 simulates machine B, centos7 simulates machine C.
  • The figure is as follows:

  • Tutorial steps:

1) Block user A from connecting to the simulated machine C, and enable the telnet service (port 23) on machine C.

Enter the following command on centos7:

iptables -A INPUT -s 192.168.191.55 -j REJECT

After this, an ssh connection from rhel5 to centos7 is rejected:

At the same time, we also need to enable the telnet service on port 23 of centos7:

systemctl start telnet.socket

Use the ss -ntl command to check that the service port is listening.

2) Enable port forwarding (the telnet tunnel)

First, confirm which ports are already in use on rhel5:

We will use port 9527; the output shows that port 9527 is not occupied, so we can use it.

Next, create the local forwarding tunnel (enter the following command on rhel5):

ssh -L 9527:192.168.191.77:23 -fN 192.168.191.66

Here we can use ps aux to see the ssh process running in the background, and ss -nt to view the connection status:

3) Run the following command on rhel5 to connect to its own port 9527:

telnet localhost 9527

Now we can check the connection between centos6 and centos7:

So far, we have met the requirement that user A connects to machine C remotely from outside the company. Next we describe how this works:

Data <-> localhost:9527 (the forwarded port) <-> localhost:XXXXX (a random port opened by the ssh client) <-> sshsrv:22 (encapsulated in ssh) <-> sshsrv:YYYYY (the server unpacks the data and opens a port, acting as the telnet client) <-> telnetsrv:23

In plain words: when rhel5 (user A) connects to port 9527, the request is wrapped in the ssh protocol and sent to centos6 (server B); centos6 unwraps it into telnet traffic and sends it to centos7 (machine C).

After the experiment, if we want to stop the tunnel, we can simply kill the background tunnel process. The command is:

killall ssh

Note that killall ssh terminates every ssh client process of the current user, including interactive sessions; to stop only this tunnel, kill the process ID that ps aux shows for the ssh -L command.

Our experiment was completed successfully.
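The two housekeeping steps of experiment 1 (checking with ss -ntl that the chosen port is free, and stopping the tunnel without killing every ssh process) as an added Python example; this is not code from the original article. The ss -ntl and ps aux text it parses is constructed for the example and is not output from the author's lab, and the PIDs in it are made up:

```python
import re

# Constructed sample of `ss -ntl` output on rhel5 once the tunnel of experiment 1 is
# up (not captured from the author's lab): sshd on 22 plus the forwarded port.
SS_NTL_SAMPLE = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     127.0.0.1:9527       0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
"""

# Constructed sample of `ps aux` output: an interactive ssh session that `killall ssh`
# would also terminate, and the background tunnel process from experiment 1.
PS_AUX_SAMPLE = """\
USER  PID %CPU %MEM    VSZ   RSS TTY   STAT START  TIME COMMAND
root 2101  0.0  0.1  60000  3000 pts/0 S+   10:00  0:00 ssh admin@192.168.191.10
root 2150  0.0  0.1  60000  3100 ?     Ss   10:01  0:00 ssh -L 9527:192.168.191.77:23 -fN 192.168.191.66
root 2160  0.0  0.0  12000   900 pts/1 R+   10:02  0:00 ps aux
"""


def listening_ports(ss_output):
    """Map each listening TCP port to the local addresses it is bound on."""
    ports = {}
    for line in ss_output.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")   # rpartition also handles [::]:22
        ports.setdefault(int(port), []).append(addr)
    return ports


def port_is_free(ss_output, port):
    """The page's 'check with ss -ntl before choosing 9527 or 1080' step."""
    return port not in listening_ports(ss_output)


def tunnel_pids(ps_output, forward_spec):
    """PIDs of the ssh processes carrying exactly this -L/-R/-D spec, so the
    tunnel can be stopped on its own instead of with `killall ssh`."""
    pattern = re.compile(r"\bssh\b.*\s-[LRD]\s*" + re.escape(forward_spec) + r"(\s|$)")
    pids = []
    for line in ps_output.splitlines()[1:]:
        fields = line.split(None, 10)               # the COMMAND column keeps its spaces
        if len(fields) == 11 and pattern.search(fields[10]):
            pids.append(int(fields[1]))
    return pids
```

tunnel_pids only returns the PIDs; passing them to kill (or os.kill) is the narrower replacement for killall ssh. listening_ports also makes visible that the forwarded port 9527 is bound to 127.0.0.1: without -g only processes on the local machine can use the tunnel, which is the setting to keep unless other hosts genuinely need it.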


III. Remote forwarding

In experiment 1, the first thing we needed was a firewall rule allowing port 22 inbound. In practice, however, enterprises generally do not open inbound ports on the firewall for security reasons: outbound connections are allowed, inbound ones are not. So what can we do when no inbound firewall port is open? This calls for remote forwarding:

Command: ssh -R sshserverport:remotehost:remotehostport sshserver

Note:

sshserverport: the port number opened on the forwarding (ssh) server

remotehost: IP address of the machine the connection finally reaches

remotehostport: the port number on that final machine

sshserver: IP address of the forwarding server

Similarly, we illustrate remote forwarding with an experiment:

Experiment 2: Implement SSH port forwarding (remote forwarding)
  • Background: the internal enterprise server C only allows access through telnet (port 23) and does not allow direct external access. Server B is an ssh server. A user needs to connect to internal server C from outside.
  • Principle: machine B connects out to user A's machine and forwards the connections arriving there back to machine C.
  • Machines: rhel5 simulates user A, centos6 simulates machine B, centos7 simulates machine C.
  • The figure is as follows:

  • Tutorial steps:

1) Block user A from connecting to the simulated machine C, and enable the telnet service (port 23) on machine C.

Enter the following command on centos7:

iptables -A INPUT -s 192.168.191.55 -j REJECT

After this, an ssh connection from rhel5 to centos7 is rejected:

At the same time, we also need to enable the telnet service on port 23 of centos7:

systemctl start telnet.socket

Use the ss -ntl command to check that the service port is listening.

2) Enable tunnel forwarding (the telnet tunnel)

This time the firewall allows no inbound connections at all, so external machines cannot connect in; instead machine B must connect out to user A's machine. Therefore the tunnel is created by running the ssh -R command, with the syntax shown above, on machine B (centos6):

First, determine which ports are in use on centos6:

Then we choose an unused port and open the tunnel for the experiment:

Similarly, here we can use ps aux to see the process running in the background, and ss -nt to view the connection status:

3) Run the following command on rhel5 to connect to its own port 9527:

telnet localhost 9527

Now we can check the connection between centos6 and centos7:

So far, we have met the requirement that user A connects to machine C remotely from outside the company. Next we describe how this works:

Data <-> sshsrv:9527 (the port opened on the ssh server) <-> sshsrv:22 (encapsulated in ssh) <-> localhost:XXXXX (a random port on the ssh client) <-> localhost:YYYYY (the client unpacks the data and opens a port, acting as the telnet client) <-> telnetsrv:23

In plain words: when rhel5 (user A) connects to port 9527, the request is wrapped in the ssh protocol and sent to centos6 (machine B); centos6 unwraps it into telnet traffic and sends it to centos7 (machine C).

After the experiment, if we want to stop the tunnel, we can simply kill the background tunnel process. The command is:

killall ssh

Our experiment was completed successfully.


IV. Dynamic forwarding

As everyone knows, China has a powerful firewall that prevents access to some foreign websites such as Google. There are many methods of getting around it (FQ), which you probably already know about, so we will not go through them one by one. Instead, let's look at how to do it with ssh forwarding.

Here we use dynamic forwarding:

When Firefox accesses the Internet, port 1080 on the local machine is used as its proxy server. Firefox's requests are forwarded to the ssh server, and the ssh server accesses the Internet on its behalf.

The experiment is as follows:

Experiment 3: Implement SSH port forwarding (dynamic forwarding)
  • Background: the simulated Google server C does not allow direct access from Chinese site A. Server B is a small foreign server used for study, and site A in China can reach it. The goal is for site A in China to access the simulated Google server C.
  • Principle: site A connects to the foreign server B over the ssh protocol, then uses server B as a stepping stone to reach Google server C.
  • Machines: centos6 simulates Chinese site A, rhel5 simulates foreign server B, centos7 simulates Google server C.
  • The figure is as follows:

  • Tutorial steps:

1) Build a web page on the simulated Google server C, so that accessing centos7 shows the page "Welcome to www.google.com".

The commands are as follows:

[root@centos7 ~]# cd /var/www/html/
[root@centos7 html]# vim index.html

After writing the file, restart the httpd service:

[root@centos7 html]# systemctl restart httpd

2) The simulated Google server C does not allow connections from domestic site A

Enter the following command on centos7:

[root@centos7 ~]# iptables -A INPUT -s 192.168.191.66 -j REJECT

Now let's test whether centos6 and rhel5 can access centos7. The command is:

curl 192.168.191.77 or links 192.168.191.77

[root@rhel5 ~]# curl 192.168.191.77

We can see that rhel5 can connect to centos7, but centos6 cannot. Our requirement now is that centos6 can access centos7 through rhel5. The method is very simple:

3) Dynamic port forwarding

First, confirm which ports are in use on centos6:

We use port 1080; the output shows that port 1080 is not occupied, so we can use it.

Next we establish the dynamic forwarding tunnel (enter the following command on centos6):

ssh -D 1080 -fN 192.168.191.55

Now we can see the connection from centos6 on rhel5:

4) Use rhel5 as the proxy to access centos7. The command is (entered on centos6):

curl --socks5 127.0.0.1:1080 http://192.168.191.77

5) On a graphical desktop, set the SOCKS proxy (127.0.0.1, port 1080) in the Firefox browser on centos6:

Our experiment was completed successfully.
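To show what the local (-L) tunnel of experiment 1 and the dynamic (-D) tunnel of experiment 3 actually do with the bytes, here is an added Python model of the client-side data path. It is not code from the original article or from OpenSSH, and it carries no encryption: it implements only the fixed-destination relay of ssh -L, a minimal SOCKS5 server (RFC 1928, CONNECT to an IPv4 address, no authentication) standing in for ssh -D, the client handshake that curl --socks5 performs, and a constructed echo service standing in for the telnet or web server on machine C. All sockets stay on 127.0.0.1, and it assumes Python 3.8+ on Linux or macOS:

```python
import socket
import struct
import threading
from contextlib import suppress

def _recv_exact(sock, n):
    buf = sock.recv(n, socket.MSG_WAITALL) if n else b""  # TCP has no message boundaries
    if len(buf) != n:
        raise ConnectionError("peer closed mid-message")
    return buf

def _pump(src, dst):
    # Copy one direction until EOF, then pass the EOF on to the other side.
    with suppress(OSError):
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def _relay(a, b):
    # The tunnel proper: bytes flow both ways until both directions hit EOF.
    t = threading.Thread(target=_pump, args=(b, a), daemon=True)
    t.start()
    _pump(a, b)
    t.join()
    for s in (a, b):
        s.close()

def _serve(handler, port=0):
    # Listen on loopback only (as ssh does without -g) and return the bound port.
    ls = socket.create_server(("127.0.0.1", port))
    def loop():
        while True:
            conn, _ = ls.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return ls.getsockname()[1]

def start_local_forward(remote_host, remote_port, local_port=0):
    # Model of `ssh -L local_port:remote_host:remote_port`: the destination is fixed
    # when the tunnel is created, whoever connects to the local port.
    def handle(conn):
        _relay(conn, socket.create_connection((remote_host, remote_port)))
    return _serve(handle, local_port)

def _reply(conn, rep, close=True):
    # SOCKS5 reply: VER REP RSV ATYP=IPv4 BND.ADDR BND.PORT (BND fields zeroed).
    conn.sendall(b"\x05" + bytes([rep]) + b"\x00\x01" + bytes(6))
    if close:
        conn.close()

def start_dynamic_forward(local_port=0):
    # Model of `ssh -D local_port`: a minimal SOCKS5 server. The destination comes
    # from each client, which is why one -D tunnel reaches any site the ssh server can.
    def handle(conn):
        ver, nmethods = _recv_exact(conn, 2)               # greeting: VER NMETHODS METHODS
        if ver != 5 or 0 not in _recv_exact(conn, nmethods):
            return conn.close()
        conn.sendall(b"\x05\x00")                           # chosen METHOD 0: no authentication
        ver, cmd, _rsv, atyp = _recv_exact(conn, 4)         # request: VER CMD RSV ATYP DST.ADDR DST.PORT
        if cmd != 1 or atyp != 1:
            return _reply(conn, 0x07)                       # command / address type not supported
        host = socket.inet_ntoa(_recv_exact(conn, 4))
        port = struct.unpack("!H", _recv_exact(conn, 2))[0]
        try:
            target = socket.create_connection((host, port))
        except OSError:
            return _reply(conn, 0x05)                       # connection refused
        _reply(conn, 0x00, close=False)                     # succeeded
        _relay(conn, target)
    return _serve(handle, local_port)

def socks5_connect(proxy_port, host, port):
    # Client side of the same handshake: what `curl --socks5 127.0.0.1:1080` does first.
    s = socket.create_connection(("127.0.0.1", proxy_port))
    s.sendall(b"\x05\x01\x00")                              # offer METHOD 0 only
    if _recv_exact(s, 2) != b"\x05\x00":
        raise ConnectionError("proxy rejected the no-auth method")
    s.sendall(b"\x05\x01\x00\x01" + socket.inet_aton(host) + struct.pack("!H", port))
    rep = _recv_exact(s, 10)[1]
    if rep != 0:
        raise ConnectionError(f"SOCKS5 CONNECT failed, REP={rep:#04x}")
    return s

def start_echo_server():
    # Constructed stand-in for the telnet or web service on machine C: pumping a
    # socket into itself echoes whatever arrives.
    return _serve(lambda conn: _pump(conn, conn))

def roundtrip(sock, line):
    # Send one line, signal EOF, and collect the echo until the far end's EOF comes back.
    sock.sendall(line)
    sock.shutdown(socket.SHUT_WR)
    with sock, sock.makefile("rb") as f:
        return f.read()

def demo():
    # One line through each tunnel model; both lines come back unchanged.
    target = start_echo_server()
    lport = start_local_forward("127.0.0.1", target)
    return (roundtrip(socket.create_connection(("127.0.0.1", lport)), b"via -L\n"),
            roundtrip(socks5_connect(start_dynamic_forward(), "127.0.0.1", target), b"via -D\n"))
```

Calling demo() returns (b"via -L\n", b"via -D\n"): the first line went through the fixed relay, the second through the SOCKS5 negotiation in which the client itself named the destination. The listeners bind to 127.0.0.1 only, mirroring ssh's behaviour without -g; whoever can reach a forwarded or SOCKS port gets the same access to the far side that the tunnel's owner has, so exposing it on all interfaces turns the tunnel into an open relay.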

