This article covers port mapping, both local and remote, using two approaches: SSH and iptables. Here is how to use each.
Local host A: 192.168.1.119
Remote host B: 192.168.1.120
Method
1: SSH way:
-N Do not execute a remote command. Useful for just forwarding ports (protocol version 2 only).
-L port:host:hostport
Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side. This works by allocating a socket to listen on port on the local side; whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host on port hostport from the remote machine.
Port forwardings can also be specified in the configuration file. Only root can forward privileged ports. IPv6 addresses can be specified with an alternative syntax: port/host/hostport
-R port:host:hostport
Specifies that the given port on the remote (server) host is to be forwarded to the given host and port on the local side. This works by allocating a socket to listen on port on the remote side; whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host on port hostport from the local machine.
Port forwardings can also be specified in the configuration file. Privileged ports can be forwarded only when logged in as root on the remote machine. IPv6 addresses can be specified with an alternative syntax: port/host/hostport
1.1: Using the -R parameter:
Remote mapping: ssh -N -R 9876:127.0.0.1:22 192.168.1.120 means that port 9876 on the remote host (192.168.1.120) is mapped to hostport 22 of host 127.0.0.1 as seen from the local host (192.168.1.119). 192.168.1.120 is the remote host that the ssh command connects to. Because the remote host listens on port 9876, connecting to port 9876 on the remote host is equivalent to connecting to port 22 on 192.168.1.119.
Test results:
A (119):
[root:user] ssh -N -R 9876:127.0.0.1:22 192.168.1.120
root@192.168.1.120's password:
B (120):
<user:work> ssh 127.0.0.1 -p 9876
user@127.0.0.1's password:
Linux Debian 3.2.0-3-686-pae #1 SMP Thu June 08:56:46 UTC i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Oct 19:12:53 2013 from Debian.local
[user:~] ifconfig
eth0      Link encap:Ethernet  HWaddr 08:00:27:e4:81:9d
          inet addr:192.168.1.119  Bcast:192.168.255.255  Mask:255.255.0.0   # 120 has successfully reached machine 119
          inet6 addr: fe80::a00:27ff:fee4:819d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2527825 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2946303 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1142752654 (1.0 GiB)  TX bytes:3537921035 (3.2 GiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:3658 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3658 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:492528 (480.9 KiB)  TX bytes:492528 (480.9 KiB)

[user:~]
Local mapping: similarly, ssh -N -R 9876:127.0.0.1:22 127.0.0.1 means that port 9876 on the "remote" host (here 127.0.0.1, which is the local machine itself) is mapped to hostport 22 of host 127.0.0.1 on the local host (192.168.1.119). 127.0.0.1 is the host the ssh command connects to; in fact it is the machine's own address.
Test results:
A (119):
[root:user] ssh -N -R 9876:127.0.0.1:22 127.0.0.1
root@127.0.0.1's password:
A (119):
[user:work] ssh 127.0.0.1 -p 9876
ssh: connect to host 127.0.0.1 port 9876: Connection refused
[user:work] ssh 127.0.0.1 -p 9876
Linux Debian 3.2.0-3-686-pae #1 SMP Thu June 08:56:46 UTC i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Oct 19:29:00 2013 from localhost
[user:~]   # logged in to the shell successfully; the prompt has moved from the /work directory to the user's home directory
1.2: Using the -L parameter:
Remote mapping: ssh -N -L 9876:192.168.1.120:22 127.0.0.1 means that port 9876 on the local host (192.168.1.119) is mapped to hostport 22 of the remote host 192.168.1.120. The ssh command is issued on the local host and connects to 127.0.0.1 (the local machine itself), which then opens the connection to 192.168.1.120:22. Because the local host listens on port 9876, connecting to port 9876 on the local host is equivalent to connecting to port 22 on 192.168.1.120.
Test results:
A (119):
[root:user] ssh -N -L 9876:192.168.1.120:22 127.0.0.1
root@127.0.0.1's password:
A (119):
[user:~] ssh 127.0.0.1 -p 9876
user@127.0.0.1's password:
Linux Debian 3.2.0-3-686-pae #1 SMP Thu June 08:56:46 UTC i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Oct 19:45:30 2013 from Debian.local
<user:~> ifconfig
eth0      Link encap:Ethernet  HWaddr 08:00:27:e4:81:9d
          inet addr:192.168.1.120  Bcast:192.168.255.255  Mask:255.255.0.0   # 119 has successfully reached machine 120
          inet6 addr: fe80::a00:27ff:fee4:819d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:13528 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1731 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1304332 (1.2 MiB)  TX bytes:331565 (323.7 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:774 errors:0 dropped:0 overruns:0 frame:0
          TX packets:774 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:104032 (101.5 KiB)  TX bytes:104032 (101.5 KiB)

<user:~>
Local mapping: works the same way, so there is nothing more to add; readers can try it themselves.
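As an added example (not code from the original article), the following Python sketch reproduces the mechanism described for -L above and exercised in section 1.2: a socket listens on the local port and every accepted connection is relayed to host:hostport, with the encrypted channel left out. The echo server is a constructed stand-in for the sshd on hostport; the listener binds to 127.0.0.1 only, which matches ssh's default.

```python
import socket
import threading
from contextlib import suppress

def _pump(src, dst):
    # Copy one direction until src hits EOF, then half-close dst so the EOF propagates.
    with suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def _serve(bind_addr, port, handle):
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, port))
    srv.listen(5)
    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener closed
            threading.Thread(target=handle, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv  # srv.getsockname()[1] is the port actually bound (0 = pick a free one)

def start_forwarder(port, host, hostport, bind_addr="127.0.0.1"):
    # Like `ssh -L port:host:hostport` minus the encrypted channel: accept on bind_addr:port
    # and relay to host:hostport. Loopback-only by default, as ssh is unless GatewayPorts is set.
    def relay(client):
        try:
            upstream = socket.create_connection((host, hostport))
        except OSError:
            client.close()  # target unreachable: drop the client connection
            return
        threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()
        _pump(client, upstream)
    return _serve(bind_addr, port, relay)

def start_echo_server():
    # Stand-in for the sshd on hostport (constructed for this demo): echoes whatever it reads.
    return _serve("127.0.0.1", 0, lambda c: _pump(c, c))

def round_trip(port, payload):
    # Connect to 127.0.0.1:port, send payload, return every byte that comes back.
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        return b"".join(iter(lambda: s.recv(4096), b""))
```

Run it with an echo server on an ephemeral port and a forwarder pointed at it; bytes sent to the forwarder's port come back through both hops.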
2: iptables way:
Redirect TCP connections to port 9876 to local port 22. This can be done with DNAT (destination network address translation).
Because iptables handles local and remote connections differently, the two cases need separate rules.
2.1: Remote connection
A remote connection is a connection to this machine from another machine. Such packets first pass through the PREROUTING chain in iptables, so the DNAT is done in the PREROUTING chain.
# iptables -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.1.119 --dport 9876 -j DNAT --to 192.168.1.120:22
2.2: Local connection
A local connection is one that reaches a port on this machine via 127.0.0.1 or the machine's own IP. Locally generated packets do not go through the NIC; the kernel processes them and delivers them directly to the local process. Such packets pass only through the OUTPUT chain in iptables, not through PREROUTING, so the DNAT has to be done in the OUTPUT chain. Besides 127.0.0.1, connections to the machine's own IP (i.e. 192.168.1.119) are also local connections.
# iptables -t nat -A OUTPUT -p tcp -d 127.0.0.1 --dport 9876 -j DNAT --to 127.0.0.1:22
# iptables -t nat -A OUTPUT -p tcp -d 192.168.1.119 --dport 9876 -j DNAT --to 127.0.0.1:22
Test results:
A (119):
[root:src]
[root:src] iptables -L -t nat -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
[root:src] iptables -t nat -A OUTPUT -p tcp -d 127.0.0.1 --dport 9876 -j DNAT --to 127.0.0.1:22
[root:src] iptables -t nat -A OUTPUT -p tcp -d 192.168.1.119 --dport 9876 -j DNAT --to 127.0.0.1:22
[root:src] iptables -L -t nat -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            127.0.0.1            tcp dpt:9876 to:127.0.0.1:22
DNAT       tcp  --  0.0.0.0/0            192.168.1.119        tcp dpt:9876 to:127.0.0.1:22

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
[root:src]
A (119):
[user:src]
[user:src] ssh 192.168.1.119 -p 9876
Linux Debian 3.2.0-3-686-pae #1 SMP Thu June 08:56:46 UTC i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Oct 19:33:43 2013 from localhost
[user:~] logout
Connection to 192.168.1.119 closed.
[user:src] ssh 127.0.0.1 -p 9876
Linux Debian 3.2.0-3-686-pae #1 SMP Thu June 08:56:46 UTC i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Oct 20:12:54 2013 from Debian.local
[user:~] logout
Connection to 127.0.0.1 closed.
[user:src]
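To confirm that the NAT table holds only the DNAT mappings intended in section 2, here is an added Python check (not part of the original article) that parses `iptables -t nat -L -n` output in the format listed above and reports any DNAT rule outside an allow-list; the sample listing and the extra dpt:443 rule it flags are constructed for this example.

```python
import re

# Constructed sample of `iptables -t nat -L -n` output, modelled on the listing above
# plus one extra DNAT rule (dpt:443) that the check should flag as unexpected.
SAMPLE_NAT_TABLE = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            192.168.1.119        tcp dpt:9876 to:192.168.1.120:22
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            127.0.0.1            tcp dpt:9876 to:127.0.0.1:22
DNAT       tcp  --  0.0.0.0/0            192.168.1.119        tcp dpt:9876 to:127.0.0.1:22
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:10.0.0.5:8443
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
"""

# Columns: target prot opt source destination [match and target options...]
_RULE = re.compile(r"^(?P<target>\S+)\s+\S+\s+\S+\s+\S+\s+(?P<dst>\S+)\s*(?P<extra>.*)$")

def parse_nat_rules(text):
    """Parse `iptables -t nat -L -n` output into dicts with chain, target, dst, dport, to."""
    rules, chain = [], None
    for line in text.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        if not line.strip() or line.startswith("target") or chain is None:
            continue
        m = _RULE.match(line)
        if not m:
            continue
        dport = re.search(r"dpt:(\d+)", m["extra"])
        to = re.search(r"to:(\S+)", m["extra"])
        rules.append({"chain": chain, "target": m["target"], "dst": m["dst"],
                      "dport": int(dport[1]) if dport else None, "to": to[1] if to else None})
    return rules

def unexpected_dnat(rules, allowed):
    """Return the DNAT rules whose (chain, dst, dport, to) tuple is not in the allowed set."""
    return [r for r in rules if r["target"] == "DNAT"
            and (r["chain"], r["dst"], r["dport"], r["to"]) not in allowed]

# The three mappings this article configures; any other DNAT rule deserves a look.
EXPECTED_DNAT = {
    ("PREROUTING", "192.168.1.119", 9876, "192.168.1.120:22"),
    ("OUTPUT", "127.0.0.1", 9876, "127.0.0.1:22"),
    ("OUTPUT", "192.168.1.119", 9876, "127.0.0.1:22"),
}
```

Feed it the live output of `iptables -t nat -L -n` and compare against your own allow-list to catch redirects that were not put there on purpose.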