Background:
There are currently several data centers in production, and the network speed between them differs considerably, so we usually pick the best-connected data center as the VPN access point.
Sometimes, however, reaching the other data centers directly through the VPN is slow, so as a stopgap we go through an SSH tunnel instead.
Application scenario:
Direct access to the server idc1-server1 is fast and direct access to idc2-server2 is very slow, but the path from idc1-server1 to idc2-server2 is very fast.
So we use idc1-server1 as a jump host to reach idc2-server2:
ssh -i /path/to/sshkey -l username -f -N -T -L 8088:idc2-server2:80 idc1-server1
Opening http://localhost:8088 in a browser is then equivalent to opening http://idc2-server2
Key parameter:
-L 8088:idc2-server2:80
Forwards a local port to the given port on the given remote machine. ssh allocates a socket on the local machine that listens on port 8088; whenever a connection is made to that port, it is forwarded over the secure channel to idc1-server1, which then connects to idc2-server2:80, i.e.
localhost:8088 -> (idc1-server1) -> idc2-server2:80
ssh -i /path/to/sshkey -l username -f -N -T -L 2022:idc2-server2:22 idc1-server1
With this tunnel in place, scp can transfer files to idc2-server2 through idc1-server1 (note that scp takes the port with a capital -P):
scp -i /path/to/sshkey -P 2022 upload_file_name.tgz dong@localhost:/path/to/upload/
Assume:
the client on the public network is 10.66.0.78 (actually a private-network address, but treat it as public here);
the company has one host exposed to the public network, with public IP 10.66.0.190 (again actually a private address) and company-internal IP 192.168.200.20;
the host I actually want to log in to at the company is 192.168.200.100.
Then I can do the following.
Method 1
Execute on 10.66.0.190:
[root@dhcp-0-190 ~]# ssh -Nf -L 10.66.0.190:10000:localhost:22 192.168.200.100
Method 2
A. Edit /etc/ssh/sshd_config on 10.66.0.190 and enable
GatewayPorts yes
then reload the sshd configuration:
[root@dhcp-0-190 ~]# service sshd reload
Reloading sshd: [OK]
B. Then execute on 192.168.200.100:
[root@localhost ~]# ssh -Nf -R 10.66.0.190:10000:192.168.200.100:22 192.168.200.20
Now port 22 of 192.168.200.100 can be reached by connecting to port 10000 of 10.66.0.190 from the public network.
Security factors
Look at these two commands:
# ssh -Nf -L 10000:localhost:80 209.132.177.100
# ssh -Nf -L 10.66.0.190:10000:localhost:22 192.168.200.100
Now look at the usage of the SSH tunnel option:
-L [bind_address:]port:host:hostport
bind_address defaults to 127.0.0.1
The format is
[IP to listen on:]port to listen on:IP to map to:port to map to
Why is it sometimes localhost and sometimes 10.66.0.190?
If the port opened by the SSH tunnel only needs to be used by the machine itself, let the port listen on the loopback interface only; if other machines need to share the tunnel's port, ssh has to bind the port to an IP those machines can reach.
In short, be careful everywhere, and set up access controls so the opened port does not become a way in.
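As an added example (not part of the original post), the script below classifies forward specs like the ones above by which interface the tunnel's listener would be bound to, so the bind-address rule can be checked before a tunnel is opened. The spec grammar is the one from ssh(1); the optional GatewayPorts argument and the function names are my own, and bracketed IPv6 bind addresses are not handled.

```shell
#!/bin/sh
# Added example: classify an ssh -L/-R forward spec
# ([bind_address:]port:host:hostport) by where its listener is reachable from.

# forward_exposure SPEC [GATEWAYPORTS]
# Prints one of: loopback, any, addr <bind_address>
# GATEWAYPORTS ("yes"/"no", default "no") is the GatewayPorts setting at the
# end that binds the port: the client for -L, the sshd server for -R.
forward_exposure() {
    spec=$1
    gw=${2:-no}
    nfields=$(printf '%s\n' "$spec" | awk -F: '{ print NF }')
    case "$nfields" in
        3) bind=default ;;                 # no bind_address given
        4) bind=${spec%%:*} ;;             # explicit bind_address (may be empty)
        *) echo "malformed spec: $spec" >&2; return 1 ;;
    esac
    case "$bind" in
        default)                           # default follows GatewayPorts
            if [ "$gw" = yes ]; then echo any; else echo loopback; fi ;;
        localhost|127.0.0.1) echo loopback ;;
        ''|'*'|0.0.0.0) echo any ;;        # empty or * means all interfaces
        *) echo "addr $bind" ;;
    esac
}

# forward_is_exposed SPEC [GATEWAYPORTS]: succeeds when other hosts can reach
# the listener, i.e. when it is not confined to the loopback interface.
forward_is_exposed() {
    case "$(forward_exposure "$1" "$2")" in
        loopback) return 1 ;;
        *) return 0 ;;
    esac
}

# Walk the specs from this page and flag the ones other machines can reach.
audit_specs() {
    for spec in "$@"; do
        if forward_is_exposed "$spec"; then
            printf 'EXPOSED  %s\n' "$spec"
        else
            printf 'local    %s\n' "$spec"
        fi
    done
}

audit_specs '8088:idc2-server2:80' '10000:localhost:80' \
            '10.66.0.190:10000:localhost:22' ':10000:localhost:80'
```

Run it with a spec as the first argument of forward_exposure and "yes" as the second to see how Method 2's GatewayPorts change alone turns a default -R listener into one bound on all interfaces.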
An SSH tunnel can generally serve three purposes:
1) encrypting network traffic
2) getting through a firewall
3) connecting machines located on the WAN into the local area network