Linux port mapping

Source: Internet
Author: User
    ssh -C -g root@127.0.0.1 -L 5000:61.235.139.123:5000
    # enter the root password of the machine

    # Background execution:
    ssh -C -f -N -g root@127.0.0.1 -L 5000:61.235.139.123:5000

    # Another:
    ssh -C -f -N -g -R remote_port:local:port user@remotehost

The last form binds port remote_port of the remote server to a port on the local end. Here -C compresses the transferred data; -f puts ssh into the background, coming to the foreground only while it prompts for the user name and password; -N does not execute a remote command, which is what you want when only port forwarding is needed; -g allows remote hosts to connect to the local forwarding port; -R maps a remote host port to a local port, whereas -L maps a local port to a remote host port.

Three powerful port forwarding commands of ssh:

    ssh -C -f -N -g -L listen_port:DST_Host:DST_port user@Tunnel_Host
    ssh -C -f -N -g -R listen_port:DST_Host:DST_port user@Tunnel_Host
    ssh -C -f -N -g -D listen_port user@Tunnel_Host

-f    Fork into background after authentication. The user/password authentication happens before ssh goes to the background; usually used with -N, so you do not need to log on to the remote host.

-p port    Connect to this port. The server must be on the same port, i.e. the sshd service port of the ssh server being logged on to.

-L port:host:hostport    Forward a port of the local machine (client) to a specified port of the remote machine. Working principle: a socket listening on port is allocated on the local machine. Once a connection is made to that port, the connection is forwarded through the secure channel, and the remote host establishes a connection to host:hostport. Port forwarding can also be specified in the configuration file. Only the root user can forward privileged ports. An IPv6 address uses another format: port/host/hostport.

-R port:host:hostport    Forward a port of the remote host to a specified port of the local machine. Working principle: a socket listening on port is allocated on the remote host. Once a connection is made to that port, the connection goes through the secure channel, and the local host establishes a connection to host:hostport. Port forwarding can also be specified in the configuration file. Privileged ports can only be forwarded when you log on to the remote host as root. An IPv6 address uses another format: port/host/hostport.

-D port    Specifies a local "dynamic" application-level port forwarding. Working principle: a socket listening on port is allocated on the local machine. Once a connection is made to that port, the connection is forwarded through the secure channel, and the application protocol determines where the remote host will connect. Currently the SOCKS4 protocol is supported, and ssh acts as a SOCKS4 server. Only the root user can forward privileged ports. Dynamic port forwarding can also be specified in the configuration file.

-C    Enable compression of the transmitted data.

-N    Do not execute a shell or command. Usually used with -f.

-g    Allow remote hosts to connect to forwarded ports. With -L/-R/-D, remote hosts are allowed to connect to the forwarding port that was established; without this parameter only the local host can connect. Note: this parameter does not seem to work in practice.

III) Port forwarding with iptables

We have a computer with two NICs: eth0 connects to the Internet with IP address 1.2.3.4, and eth1 connects to the intranet with IP address 192.168.0.1. We need to forward IP packets sent to port 81 of 1.2.3.4 to port 8180 of 192.168.0.2. The settings are as follows:

1.  iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp -m tcp --dport 81 -j DNAT --to-destination 192.168.0.2:8180
2.  iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.0.0 -d 192.168.0.2 -p tcp -m tcp --dport 8180 -j SNAT --to-source 192.168.0.1

The actual transmission process is as follows. Assume a client with IP address 6.7.8.9 uses its local port 1080 to connect to port 81 of 1.2.3.4: the IP packet it sends has source address 6.7.8.9, source port 1080, destination address 1.2.3.4 and destination port 81. After host 1.2.3.4 receives the packet, it changes the destination address to 192.168.0.2 and the destination port to 8180 according to the first rule in the nat table, and at the same time creates an entry in the connection tracking table (visible in the file /proc/net/ip_conntrack). The packet is then handed to the routing module, which checks the route table and determines that it should go out through eth1. Before the packet is sent to eth1, the second rule in the nat table is applied: if the packet comes from the same subnet, its source address is changed to 192.168.0.1 and the corresponding entry in the connection tracking table is updated; then the packet is sent out eth1. At this point the connection tracking table holds an entry whose original direction is

    src=6.7.8.9 dst=1.2.3.4 sport=1080 dport=81

and whose return direction is

    src=192.168.0.2 dst=6.7.8.9 sport=8180 dport=1080

with use=1. The IP packet sent back from 192.168.0.2 has source port 8180, destination address 6.7.8.9 and destination port 1080. When the TCP/IP stack of host 1.2.3.4 receives it, it checks whether the return direction of a connection tracking entry matches the packet's source and destination addresses and ports; based on that entry it changes the source address from 192.168.0.2 to 1.2.3.4 and the source port from 8180 to 81, leaving the destination port 1080 unchanged. In this way the server's return packet correctly reaches the client that initiated the connection, and the communication proceeds. In addition, the filter table must allow connections to port 8180 of 192.168.0.2 arriving from eth0:

    iptables -A FORWARD -d 192.168.0.2 -p tcp -m tcp --dport 8180 -i eth0 -j ACCEPT

Detailed steps of port mapping on Linux

What I found on the Internet about configuring port mapping on Linux was not detailed enough, so I configured port mapping with iptables on RedHat 8.0 and describe the detailed configuration process here for your reference.

[Function]
PC A: eth0 172.18.10.212 (intranet), eth1 219.239.xx.xx (Internet)
PC B: 172.18.10.205 (intranet)
Port 8080 of A is mapped to port 80 of B.

[Steps]

1. First, in /etc/sysctl.conf set

    net.ipv4.ip_forward = 1

   The default value is 0; setting it to 1 allows iptables to FORWARD.

2. The /etc/rc.d/init.d directory contains the iptables script, which is used as

    ./iptables {start|stop|restart|condrestart|status|panic|save}

   and is equivalent to service iptables {...}. Stop the iptables service, clear the previous rules, and save the empty rule set to disk (run from /etc/rc.d/init.d):

    ./iptables stop
    iptables -F
    iptables -X
    iptables -Z
    ./iptables save

3. Reconfigure the rules:

    iptables -t nat -A PREROUTING -d 219.239.xx.xx -p tcp --dport 8080 -j DNAT --to-destination 172.18.10.205:80
    iptables -t nat -A POSTROUTING -d 172.18.10.205 -p tcp --dport 80 -j SNAT --to 172.18.10.212
    iptables -A FORWARD -o eth0 -d 172.18.10.205 -p tcp --dport 80 -j ACCEPT
    iptables -A FORWARD -i eth0 -s 172.18.10.205 -p tcp --sport 80 -j ACCEPT

   For DNAT and SNAT please refer to the help; they are not explained here.

4. Save the new rules with ./iptables save; they are stored on disk in the file /etc/sysconfig/iptables. If you are familiar with this file, editing it directly is equivalent to entering the rules on the command line.

5. Start the iptables service with ./iptables start. The packet flow can be seen in /proc/net/ip_conntrack, for example:

    tcp 6 53 TIME_WAIT src=221.122.59.2 dst=transport sport=7958 dport=8080 packets=9 bytes=1753 src=172.18.10.205 dst=172.18.10.212 sport=80 dport=7958 packets=9 bytes=5777 [ASSURED] use=1
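The working principle given above for ssh -L (a socket listening on the local machine whose accepted connections are relayed onward, bound only for the local host unless -g is given, and privileged listen ports requiring root) can be seen in miniature in the following Python script. It is an added example, not code from the original article or from OpenSSH: it relays over plain TCP instead of an SSH channel, the echo server standing in for DST_Host:DST_port is constructed for the demonstration, and the function names are assumptions.

```python
import os
import socket
import threading


def _pump(src, dst):
    # Copy bytes from src to dst until src reaches EOF, then half-close dst
    # so the far side sees end-of-stream (a forwarded channel closes the same way).
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_forwarder(listen_port, dst_host, dst_port, gateway_ports=False):
    """Listener side of `ssh -L listen_port:dst_host:dst_port`, in plain TCP.

    gateway_ports=False binds 127.0.0.1 (ssh's default for -L); True binds
    0.0.0.0, which is the effect of -g: any host that can reach this machine
    can then use the forward. Returns the listening socket; getsockname()
    shows the bound address and port (port 0 picks a free one).
    """
    # Mirrors the page's note that only root can forward privileged ports.
    if 0 < listen_port < 1024 and getattr(os, "geteuid", lambda: 0)() != 0:
        raise PermissionError("privileged listen ports need root")
    bind_addr = "0.0.0.0" if gateway_ports else "127.0.0.1"
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((bind_addr, listen_port))
    listener.listen(5)

    def accept_loop():
        while True:
            try:
                client, _ = listener.accept()
            except OSError:  # listener closed
                return
            try:
                upstream = socket.create_connection((dst_host, dst_port), timeout=5)
            except OSError:
                client.close()
                continue
            # One thread per direction, exactly like a bidirectional channel.
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener


def start_echo_server():
    """Constructed stand-in for DST_Host:DST_port: echoes whatever it receives."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv


def roundtrip(port, payload, host="127.0.0.1"):
    """Connect through the forwarder, send payload, return everything echoed back."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        out = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                return out
            out += chunk


if __name__ == "__main__":
    echo = start_echo_server()
    fwd = start_forwarder(0, "127.0.0.1", echo.getsockname()[1])
    print(fwd.getsockname(), roundtrip(fwd.getsockname()[1], b"ping"))
```

Run as-is, the forwarder reports a 127.0.0.1 bind; with gateway_ports=True it reports 0.0.0.0, which is the exposure -g creates and the reason a forward that listens on all interfaces should be covered by a host firewall rule or a GatewayPorts setting on the sshd side.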
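The DNAT/SNAT walk-through and the connection tracking entry described in section III can be traced with the following Python model. It is an added example, not code from the article or from netfilter: NatRule, NatBox and page_rules are constructed names, the model applies only the first matching rule in each chain and keeps source ports unchanged under SNAT, and it goes one step beyond the page by also running an intranet client (192.168.0.5, a constructed address) through the same two rules to show what the second (SNAT) rule is for.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def __str__(self):
        # Same field layout the page quotes from /proc/net/ip_conntrack.
        return f"src={self.src} dst={self.dst} sport={self.sport} dport={self.dport}"


@dataclass(frozen=True)
class NatRule:
    """One nat-table rule: optional match on source network, destination and dport."""
    target: str                      # "DNAT" (PREROUTING) or "SNAT" (POSTROUTING)
    to_ip: str
    to_port: Optional[int] = None    # None keeps the packet's own port
    src_net: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt):
        if self.src_net and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dst and pkt.dst != self.dst:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True

    def apply(self, pkt):
        if self.target == "DNAT":
            return Packet(pkt.src, pkt.sport, self.to_ip, self.to_port or pkt.dport)
        return Packet(self.to_ip, self.to_port or pkt.sport, pkt.dst, pkt.dport)


class NatBox:
    """The dual-homed host: PREROUTING chain, then POSTROUTING chain, with conntrack."""

    def __init__(self, prerouting, postrouting):
        self.prerouting = prerouting
        self.postrouting = postrouting
        self.conntrack = {}  # original-direction tuple -> reply-direction tuple

    def _first_match(self, chain, pkt):
        for rule in chain:
            if rule.matches(pkt):
                return rule.apply(pkt)   # NAT targets terminate the chain
        return pkt

    def receive(self, pkt):
        """A client packet arriving on eth0; returns the packet as sent out eth1."""
        after_dnat = self._first_match(self.prerouting, pkt)
        out = self._first_match(self.postrouting, after_dnat)
        # The reply direction is the inverse of what actually left the box.
        self.conntrack[pkt] = Packet(out.dst, out.dport, out.src, out.sport)
        return out

    def reply(self, pkt):
        """A server packet coming back: un-NAT it via the matching conntrack entry."""
        for original, reply_tuple in self.conntrack.items():
            if reply_tuple == pkt:
                return Packet(original.dst, original.dport, original.src, original.sport)
        raise LookupError("no conntrack entry: packet would not be un-NATed")


def page_rules():
    """The two nat rules from section III, as a NatBox."""
    return NatBox(
        prerouting=[NatRule("DNAT", "192.168.0.2", 8180, dst="1.2.3.4", dport=81)],
        postrouting=[NatRule("SNAT", "192.168.0.1", src_net="192.168.0.0/16",
                             dst="192.168.0.2", dport=8180)],
    )


if __name__ == "__main__":
    box = page_rules()
    client = Packet("6.7.8.9", 1080, "1.2.3.4", 81)
    print("out eth1 :", box.receive(client))
    print("conntrack:", client, "| reply:", box.conntrack[client])
    print("un-NATed :", box.reply(Packet("192.168.0.2", 8180, "6.7.8.9", 1080)))
```

For the Internet client the SNAT rule never fires (6.7.8.9 is outside 192.168.0.0/16) and the conntrack entry is exactly the one the page lists; for an intranet client it rewrites the source to 192.168.0.1, so the server's reply returns to the gateway instead of going straight back to the client with an unexpected source address, and the reply lookup still succeeds.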