Rotten mud: Learning ssh tunneling applications, and learning ssh Tunneling

Rotten mud: Learning ssh tunneling applications, and learning ssh Tunneling

This document consistsIlanniwebProviding friendship sponsorship, first launchedThe world

For more articles, follow my ilanniweb.

In the previous articles about ssh, we only introduced the ssh login function. In fact, ssh functions are more than just these. In this article, we will introduce the functions of the ssh tunnel.

An ssh tunnel is also called an ssh port forwarding or an ssh tunnel. Here, we are collectively referred to as an ssh tunnel.

The ssh tunnel is divided into forward tunnel and reverse tunnel. We can use it as needed.

Next, we will introduce the forward and reverse tunneling. Due to the differences in the platform, we are divided into Linux and windows platforms.

I. ssh forward Tunnel

What is an ssh forward tunnel?

After the client connects to the server, it then mirrors the IP address and port that the server can access (including the server itself) to the client port.

In normal work, forward tunnel is the most commonly used method.

The command for the ssh forward tunnel is as follows:

Ssh-L clientC_IP: clientC_port: serverB_IP: serverB_port-p serverA_sshport username @ serverA_IP

The above command means to connect to the server serverA through ssh on the Client client, and then map the serverB_port on the server B to the clientC_port on the Client client.

That is to say, if we connect to the clientC_port of clientC, It is the port of serverB_port on server serverB.

Generally, the client clientC uses an intranet IP address within the company, while the servers serverA and serverB are in the IDC or ECS. Server serverA has a public IP address that can communicate with client clientC normally. Server serverB does not have a public IP address and cannot communicate directly with client clientC, but server serverA and server serverB communicate through the Intranet. Currently, client clientC is required to access the relevant ports of server B.

The client clientC, server serverA, and server serverB communicate as follows:

To meet the above requirements, we can use the ssh forward tunnel function. In order to see the actual effect, we use connecting to the backend mysql database as an example..The specific configurations are described as follows based on the operating platform.

1.1 Linux Configure ssh forward Tunnel

Configuring the ssh forward tunnel in Linux is relatively simple. simply use the preceding command. As follows:

Ssh-g-f-NL 192.168.7.7: 44010: 10.66.115.185: 3306-I/home/ilanni/id_dsa_1024_0601 ilanni@115.159.39.187

Ps-ef | grep 44010

The above command means to connect the server 115.159.39.187 through ssh on the host 192.168.7.7, and then map the port 3306 of the server 10.66.115.185, that is, the mysql port, to port 44010 of 192.168.7.7.

Now, in the LAN, as long as we connect to port 44010 of 192.168.7.7, we are actually connecting to port 3306 of 10.66.115.185.

Now let's test whether the connection is successful. On any machine in the same LAN as 192.168.7.7 that can connect to port 44010 of 192.168.7.7, use the mysql client as follows:

Note: the IP address and port must be 192.168.7.7 and 44010, and the user name and password must be the username and password corresponding to the mysql database.

From the above two figures, we can see that port 44010 connected to 192.168.7.7 is indeed port 3306 of 10.66.115.185. That is, the company connects to the back-end database in the IDC.

If the company has internal requirements for access to the backend database, we can only allow server serverA (115.159.39.187) to access server serverB (10.66.115.185) on server serverB (mysql database 10.66.115.185) port 3306 of Server Load balancer uses related security policies such as IPtables or mysql user authorization to the server serverA (115.159.39.187 ).

Then, access port 44010 on the server serverA (115.159.39.187), that is, 192.168.7.7.

With this operation, you can control the permissions of the backend mysql database within the company.

1.2 windows Configure ssh forward Tunnel

To configure an ssh forward tunnel in windows, we need to use client software related to ssh. Here I use xshell, of course, you can also use putty and other software.

Open xshell and create a new session to connect to serverA (115.159.39.187), as shown below:

Note: Enter the IP address of serverA.

The user entered here is the user of serverA.

This figure is very important because it is an ssh forward tunnel, so the Local type is selected.

The source host is the IP address of clientC (the IP address of the machine on which the source host is filled), and the listening port is the port mapped from serverB_Port of serverB to clientC. Note that the listening port can be customized as needed.

The target host is the IP address of serverB, and the target port is the serverB_Port port.

After the above configuration is complete, we connect to the local machine 192.168.1.180 to see if the server B serverB_Port can be correctly connected. As follows:

From the above figures, we can clearly see that the above configuration is correct.

Note: The ssh forward tunnel configuration in windows is different from that in Linux. If you want to use a tunnel after windows is correctly configured. The session connecting xshell to serverA cannot be closed. That is to say, the ssh session used by clientC to connect to serverA must be open all the time, and the ssh session will always exist even after the connection is normal. As follows:

Ii. ssh reverse tunnel

What is an ssh reverse tunnel?

After the client connects to the server, it then mirrors the IP address and port (including the client itself) that the client can access to the server port.

Ssh reverse tunnel application scenarios. For example, if your client is on the Intranet, you cannot directly access the client on the Internet. In this case, you can use reverse tunnel to connect to the client and access the client through the Internet.

The ssh reverse tunnel command is as follows:

Ssh-R serverA_IP: serverA_port: clientC_IP: clientC_port-p serverA_sshport username @ serverA_IP

The above command means to connect to the server serverA through ssh on the client Client client server Server, then, map the clientC_port of client clientC to the serverA_port on server serverA.

That is to say, if we connect to the serverA_port on the server serverB, It is the clientC_port of clientC. Data flow, as shown in:

Note: We recommend that you modify the ssh configuration file sshd_config of the serverA server and add GatewayPorts yes. Then restart the ssh service.

In this way, after the ssh reverse tunnel is established successfully, the port listening on the serverA server is all the addresses of the serverA server. As follows:

If this is not modified, the listening port on the serverA server will be 127.0.0.1. As follows:

2.1 Linux Configure ssh reverse tunnel

Configuring ssh reverse tunnel in Linux is relatively simple. simply use the preceding command. As follows:

Ssh-g-f-NR 115.159.39.187: 44010: 192.168.5.174: 3306-I/home/ilanni/id_dsa_1024_0601 ilanni@115.159.39.187

Ps-ef | grep 44010

The above command means to connect to the server 115.159.39.187 through ssh on the host 192.168.5.174, and then map port 3306 of the server 192.168.5.174, that is, port mysql, to port 44010 on the server 115.159.39.187.

That is to say, on the public network, as long as we connect port 44010 of 115.159.39.187, we are actually connecting port 3306 of 192.168.5.174.

For practical results, we now create a new ilanni database on 192.168.5.174. As follows:

Mysql-uroot-p123456

Create database ilanni;

Show databases;

Now we log on to the 115.159.39.187 server to view the information. As follows:

Netstat-tunlp

We can see that the 115.159.39.187 server is indeed listening to port 44010.

Next we connect to port 3306 of 192.168.5.4 on the 115.159.39.187 server. As follows:

Mysql-h127.0.0.1-P44010-uroot-p123456

Show databases;

We can see that port 44010 is connected to port 3306 of 192.168.5.4 on the 115.159.39.187 server.

2.2 windows Configure ssh reverse tunnel

Configure the ssh reverse tunnel in windows. Similar to configuring the ssh forward tunnel, you also need to use client software related to ssh. Here, I still use xshell.

Note: ssh reverse tunneling can be performed on any machine that can access the clientC_Port on the same LAN as clientC.

Open xshell and create a new session to connect to serverA (115.159.39.187), as shown below:

Note: Enter the IP address of serverA.

The user entered here is the user of serverA.

This figure is very important because it is an ssh reverse tunnel, so Remote is selected in this type.

The source host is filled with the serverA IP address, and the listening port is the clientC_Port mapped to the serverA port of clientC. Note that the listening port can be customized as needed.

The target host is the clientC IP address, and the target port is the clientC_Port port number.

Now we log on to the 115.159.39.187 server to view the information. As follows:

Netstat-tunlp

We can see that the 115.159.39.187 server is indeed listening to port 44010.

Next we connect to port 3306 of 192.168.5.4 on the 115.159.39.187 server. As follows:

Mysql-h127.0.0.1-P44010-uroot-p123456

Show databases;

We can see that port 44010 is connected to port 3306 of 192.168.5.4 on the 115.159.39.187 server.

Iii. Practical Application

The preceding section describes how to use the ssh direct and reverse tunneling. The following uses port 3306 of mysql as an example. Next I will introduce other usage scenarios of the ssh Tunnel based on actual work requirements.

3.1 Remote Desktop

The ssh tunnel can also be used as a proxy for Remote Desktop in windows and Linux.

The company provides the VPN service, but the vpn Server is in the DMZ fire zone of the network. The vpn Server can access machines in the lan, but the machines in the lan cannot access the vpn Server. Structure:

After the vpn Client is connected, we only need to connect to the DMZ server. We recommend that you use an ssh forward tunnel to connect to the lan machine specified by the tunnel.

As follows:

Ssh-g-f-N-L 7002: 192.168.5.140: 3389 wangxy@192.168.7.7

The preceding command maps port 3389 of 192.168.5.140 to port 7002 of 192.168.7.7. That is to say, now we connect port 7002 of 192.168.7.7 to port 3389 of 192.168.5.140 on the vpn Client. As follows:

We can see that the ssh forward tunnel has proxy Remote Desktop.

3.2 nginx Access

Currently, the company has a service serverB on its online ECS. The front-end uses nginx as the reverse proxy, and the backend uses nodejs. serverB only provides access to the ECS.

Currently, nginx on server B can be accessed within the company, and not all personnel in the company can access nginx. Only designated individuals can access nginx.

Analysis: If you want to allow the company to access nginx on server B, you only need to grant the public network IP access permission on server B.

However, if you want to control the access permission, you need to use the ssh forward tunnel.

Open a serverA on the ECS, and serverA can access the nginx of serverB (this access permission can be controlled through nginx or iptables ), serverA also opens the SSH port to the company's public IP address.

Then, create an ssh forward tunnel on any lanC in the company's intranet. This tunnel maps the nginx port of serverB to the PortC port on serverC.

In this case, we can control the access permissions of the PortC port on lanC (the access permission can be controlled through nginx or iptables) to meet the above requirements.

Now run the following command on lanC:

Ssh-g-f-NL 192.168.5.4: 8080: 10.104.13.164: 80-I id_dsa_1024_0601 ilanni@115.159.39.187

Ps-ef | grep 8080

The preceding command maps port 80 of 10.105.12.163 to port 8080 of 192.168.5.4 on the server 192.168.5.4 through 115.159.44.136.

The nginx configuration of lanC is as follows:

Server {

Listen 80;

Server_name 192.168.5.4;

Allow 127.0.0.1;

Allow 192.168.5.140;

Deny all;

Location /{

Proxy_pass http: // 192.168.5.4: 8080;

Proxy_http_version 1.1;

Proxy_set_header Upgrade $ http_upgrade;

Proxy_set_header Connection $ connection_upgrade;

Proxy_connect_timeout 200;

Proxy_send_timeouts 200;

Proxy_read_timeout 600;

}

}

The above nginx configuration allows the host 192.168.5.140 to access port 80 of 192.168.5.4, and 192.168.5.4 will send the request for access to 192.168.5.4: 80 to 192.168.5.4: 8080 for processing.

In this way, the above requirements are met.

Access Port 80 of 192.168.5.4 on 192.168.5.140. As follows:

We can see that the ssh forward tunnel can proxy nginx.

Ssh 3.3 Multi-level tunnel jump

Multi-level ssh tunnel jump seems very difficult. In fact, it is very easy to split it down.

Below is a practical requirement. Let's analyze it.

Overview:

ServerC only allows serverB to connect to port 1001 of serverC. Other ports do not allow serverB to connect, while serverB only allows serverA to connect to port 22 of serverB and port 1001 of serverC, at the same time, serverA is only open to the public network for ssh port 22 and other ports are not open to the public network.

Requirements:

Currently, the clientC in the lan must be able to connect to port 1001 of serverC.

Analysis:

If we direct port 1001 of serverC, It is impossible because of security policy restrictions. We can solve this problem through ssh forward tunnel.

First, create an ssh forward tunnel through serverB on serverA to map port 1001 of serverC to port 1002 of serverA.

That is, port 1002 accessing serverA is port 1001 accessing serverC.

Because port 1002 of serverA is not open to the public network, in order to access port 1002 of serverA, in clientC, we can create an ssh forward tunnel through serverA to map port 1002 of serverA to port 1003 of clientC.

That is to say, port 1003 connecting to clientC is actually connecting to port 1001 of serverC.

The above ssh multi-level tunnel jump principle is clearly described, and will not be demonstrated in the next time. If any one doesn't understand it, you can understand the above description.