SSH command: Tunnel proxy + Local port forwarding + remote port forwarding

Source: Internet
Author: User
Tags: ldap, vps, ssh, port, ssh server

0. Preface

nc is a good tool for joining the two ends of a network connection, and also for temporary port forwarding (permanent port forwarding is done with iptables).

SSH is also a good tool in this area. Its advantages are reliable encryption and that a forward can be reused and operated from one end only; the cost is that it needs a login account.

We know that SSH automatically encrypts and decrypts all network data between the SSH client and the server. SSH also provides a very useful feature: port forwarding. It can forward the traffic of other TCP ports through the SSH link and provides the corresponding encryption and decryption automatically.

1. Tunnel proxy

Typical application: crossing the Great Firewall of China.

Requirements: a VPS abroad, an account that cannot log in (for security), and one command.

Create the account on the VPS: useradd -g nobody -s /sbin/nologin gfw && echo gfw_passw0rd | passwd --stdin gfw

Local SSH connection: ssh -NfD 6666 [email protected] -p 2222

Optional conversion: use Privoxy to turn the SOCKS5 proxy into an HTTP proxy for tools such as svn, pip, gem and curl.

2. Local Port forwarding

We can configure the application on the client machine (LdapClientHost) to connect directly to port 7001 on that machine (instead of port 389 on the LDAP server). Then set up SSH local port forwarding by running the following command on LdapClientHost:

$ ssh -L 7001:localhost:389 LdapServerHost

The data flow then looks like this:

    • Our application on LdapClientHost sends data to port 7001 on the same machine.
    • The local SSH client encrypts the data received on port 7001 and forwards it to the SSH server on LdapServerHost.
    • The SSH server decrypts the received data and forwards it to port 389, where LDAP is listening.
    • Data returned by LDAP travels the same path back, completing the round trip.

3. Remote port forwarding

Our application on LdapClientHost sends data to port 7001 on the same machine; this time the local SSH server encrypts the data received on port 7001 and forwards it to the SSH client on LdapServerHost, which delivers it to LDAP.

Execute the following command on the LDAP server (LdapServerHost) side:

$ ssh -R 7001:localhost:389 LdapClientHost

Difference:

SSH port forwarding naturally needs an SSH connection, and that connection has a direction: from the SSH client to the SSH server. Our application also has a direction; for example, when it needs to connect to the LDAP server, the LDAP server is naturally the server side, and the application's connection runs from the application's client side to its server side. If the two connections run in the same direction, we call it local forwarding; if the two directions differ, we call it remote forwarding.

4. Using autossh against network jitter + supervisor as process daemon

Problem autossh solves: once a remote-forwarded port drops, it is hard to establish it again.

autossh -M 1932 -NR 1922:localhost:1122 user@vps -p 1122

PS: you can see that its essence is this:

ssh -L 1932:127.0.0.1:1932 -R 1932:127.0.0.1:1933 -NR 1922:localhost:1122 -p 1122 user@vps

Analysis: it uses a loop. Local port 1932 is mapped (local forwarding) to remote port 1932, which is mapped (remote forwarding) back to local port 1933, forming a loop through which autossh checks that the tunnel is alive.

Problem supervisor solves: daemonizing the autossh process.

So supervisor watches autossh, and autossh watches ssh: the port forwarding starts automatically and is kept alive.
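As an added example that is not part of the original post, this POSIX shell function expands an autossh -M monitor port into the two extra forwards shown above, so the "essence" can be reproduced for any monitor port; the user@vps host and ports are the post's own values reused as sample input:

```shell
#!/bin/sh
# Added example, not from the original post: expand the -M monitor port of an
# autossh command into the two extra forwards autossh really adds to ssh.
# autossh sends test data out through "-L M:127.0.0.1:M" (local port M goes to
# the server) and "-R M:127.0.0.1:M+1" brings it straight back to local port
# M+1; when the echo stops arriving, the tunnel is dead and autossh restarts ssh.
autossh_equiv() {
    monitor=$1; shift                       # the -M value, e.g. 1932
    case "$monitor" in
        ''|*[!0-9]*) echo "monitor port must be numeric" >&2; return 1 ;;
    esac
    # M+1 must still be a valid port, so M is capped at 65534
    [ "$monitor" -ge 1 ] && [ "$monitor" -le 65534 ] ||
        { echo "monitor port out of range" >&2; return 1; }
    echoport=$((monitor + 1))
    printf 'ssh -L %s:127.0.0.1:%s -R %s:127.0.0.1:%s %s\n' \
        "$monitor" "$monitor" "$monitor" "$echoport" "$*"
}

# The command from this section: autossh -M 1932 -NR 1922:localhost:1122 user@vps -p 1122
autossh_equiv 1932 -NR 1922:localhost:1122 user@vps -p 1122
```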

5. Comprehensive use

Case one: port 2222 is blocked. How to bypass the firewall that blocks port 2222 and SSH directly to the intranet machines (that is, when only a few ports are allowed through).

1. Log in to the key machine and map its port 2222 to port 12222:

ssh -gfNL 12222:0.0.0.0:2222 host -p2222

2. Use that machine as a tunnel proxy to reach the other intranet machines:

ssh -NfD 10000 user@host -p2222

3. SSH through the proxy to the other intranet machines:

ssh -o "ProxyCommand=nc -x localhost:10000 %h %p" user@host -p2222

A clever combination of ssh and nc, tools every Linux ships with, with no extra dependencies.

Case two: use a remote VPS so that two machines that cannot connect to each other directly can reach each other.

There is a host VPS and hosts A and B. A and B cannot connect directly, so they are bridged through the "intermediary". (As long as both machines can actively SSH to the VPS, this works.)

For A to SSH to B (B to SSH to A is the same):

1. Host B uses SSH remote forwarding to forward its own port 2222 to 127.0.0.1:12222 on the VPS:

ssh -NfR 12222:127.0.0.1:2222 user@vps -p2222

2. Host A uses SSH local forwarding to forward 127.0.0.1:12222 on the VPS to local 127.0.0.1:12222:

ssh -NfL 12222:127.0.0.1:12222 user@vps -p2222

3. Host A logs in to host B:

ssh user@localhost -p12222
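The forwarding specs in sections 2 and 3 and in case two all use the -L/-R argument form [bind_address:]port:host:hostport. As an added example that is not from the original post, the following POSIX shell script parses that form and checks that case two's three commands form a consistent chain before anyone runs them; the VPS, A and B ports are the post's own values used as constructed input.

```shell
#!/bin/sh
# Added example, not part of the original post: parse the [bind_address:]port:host:hostport
# argument that -L and -R take (7001:localhost:389, 12222:0.0.0.0:2222, ...) and check
# that the two hops of case two (B -> VPS <- A) line up before anyone runs them.
# IPv4 addresses and host names only; bracketed IPv6 is not handled here.

# parse_fwd SPEC -> prints "bind port host hostport". An omitted bind address is
# printed as "loopback" (ssh's default unless -g / GatewayPorts), and "" or "*" as "all".
parse_fwd() {
    spec=$1
    case "$spec" in
        *:*:*:*) bind=${spec%%:*}; rest=${spec#*:} ;;   # bind:port:host:hostport
        *:*:*)   bind=loopback;    rest=$spec ;;        # port:host:hostport
        *) echo "bad forward spec: $spec" >&2; return 1 ;;
    esac
    case "$bind" in ''|'*') bind=all ;; esac
    port=${rest%%:*}; rest=${rest#*:}
    host=${rest%%:*}; hostport=${rest#*:}
    [ -n "$host" ] || { echo "empty host in $spec" >&2; return 1; }
    for p in "$port" "$hostport"; do
        case "$p" in ''|*[!0-9]*) echo "bad port in $spec" >&2; return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "port out of range in $spec" >&2; return 1; }
    done
    printf '%s %s %s %s\n' "$bind" "$port" "$host" "$hostport"
}

# check_bridge B_REMOTE_SPEC A_LOCAL_SPEC LOGIN_PORT: B's -R must bind on the VPS the
# port A's -L points at, and A must log in to the port its own -L listens on.
check_bridge() {
    b=$(parse_fwd "$1") || return 1
    a=$(parse_fwd "$2") || return 1
    login=$3
    set -- $b; b_port=$2
    set -- $a; a_port=$2; a_host=$3; a_hostport=$4
    case "$a_host" in 127.0.0.1|localhost) ;;
        *) echo "A must target the VPS loopback, where B's port is bound, not $a_host" >&2; return 1 ;;
    esac
    [ "$a_hostport" = "$b_port" ] || { echo "A forwards to VPS port $a_hostport but B bound $b_port" >&2; return 1; }
    [ "$login" = "$a_port" ] || { echo "login port $login is not A's listening port $a_port" >&2; return 1; }
}

# The three commands of case two, checked as one chain (constructed, same values as the post):
check_bridge 12222:127.0.0.1:2222 12222:127.0.0.1:12222 12222 && echo "bridge chain is consistent"
```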

