SSH port forwarding details
SSH is a multi-purpose tool. Besides remote login, it can act as a SOCKS proxy and give you a way into an intranet. Both are achieved through its port forwarding function.
SSH port forwarding means designating a port on the ssh client or on the ssh server as the source of a tunnel carried over the ssh connection. Every packet sent to that port is forwarded through the ssh connection. The forwarding destination may or may not be specified: if it is, this is called targeted forwarding; if it is not, dynamic forwarding:
- Targeted forwarding
Targeted forwarding sends packets to a fixed destination address. That destination is not limited to the ssh client or ssh server; it can be either of the two or a third machine.
- Dynamic forwarding
Dynamic forwarding specifies no destination; the destination of each forwarded connection is determined dynamically.
Because ssh port forwarding rides on an ssh connection, the configured forwarding stops as soon as that connection is dropped.
Before configuring port forwarding, confirm that the ssh port forwarding function is enabled.
How does one enable ssh port forwarding?
The ssh port forwarding function is enabled by default. The switch that controls it is AllowTcpForwarding, located in the ssh server's configuration file /etc/ssh/sshd_config:
    AllowTcpForwarding yes
For a modification to take effect, restart the sshd service.
How do I configure port forwarding?
Before configuring port forwarding, check the iptables settings to make sure the port in question is not blocked. If it gets in the way, temporarily stop iptables:
    # service iptables stop
The methods for configuring targeted forwarding and dynamic forwarding are different.
Set targeted forwarding
Targeted forwarding maps one IP:port to another IP:port; both source and destination must be specified. The source can be a port on either the ssh client or the ssh server:
- If the source is a port on the ssh client, this is called local port forwarding: packets sent to the specified port on the ssh client are forwarded onward by the ssh server;
- If the source is a port on the ssh server, this is called remote port forwarding: packets sent to the specified port on the ssh server are forwarded onward by the ssh client.
Set local forwarding:
Let's take a look at the basic commands:
Run the following command on the ssh client:
    {ssh client} # ssh -g -N -f -o ServerAliveInterval=60 \
        -L <local port>:<remote host>:<remote port> username@<ssh server>
The meanings of parameters are explained later.
For example, suppose you want to telnet to {remote host} but cannot reach it directly; the only machine you can reach directly is {ssh client}, so we go through the channel from {ssh client} to {ssh server}:
    {You} - {ssh client} - {ssh server} - {remote host}
What we need to do is execute the following command on {ssh client}:
    {ssh client} # ssh -g -L 2323:<remote-host>:23 username@<ssh-server>
After the password is entered we get a shell, exactly as in a normal ssh login, and can work in it normally. The difference is that port 2323 on {ssh client} is now mapped to port 23 (the telnet port) on {remote host}, so "telnet <ssh client> 2323" is equivalent to "telnet <remote-host>". This targeted forwarding stays in effect as long as the shell does not exit.
- Note 1: Without the "-g" option, the listening port 2323 on the ssh client is bound to 127.0.0.1, so only processes on the ssh client itself can connect to it. With "-g", the ssh client also allows other machines on the network to connect to port 2323.
- Note 2: The command above spawns a shell, which is often not what we want: most of the time we only need the port forwarding, a dangling shell is cumbersome, and when the shell exits the forwarding stops with it. This is why we add the "-N -f" options:
    -N tells the ssh client not to execute any remote command and only perform port forwarding.
    -f tells the ssh client to go to the background.
- Note 3: To keep a long-idle ssh connection from being dropped, add "-o ServerAliveInterval=60" so that a heartbeat is sent to the ssh server every 60 seconds. The TCPKeepAlive option plays a similar role but is less effective: TCPKeepAlive works at the TCP layer and sends empty TCP keepalive (ACK) segments that a firewall may discard, whereas ServerAliveInterval works at the SSH layer and sends real data packets, which is more reliable.
- If port forwarding is set up as a non-root user, the forwarding port must be a port number greater than 1024.
Set remote forwarding:
Let's take a look at the basic commands, which are divided into two parts:
On the ssh server:
Edit /etc/ssh/sshd_config, set the following, and then restart the sshd service:
    GatewayPorts yes
Run the following command on the ssh client:
    {ssh client} # ssh -f -N -o ServerAliveInterval=60 \
        -R <ssh server port>:<remote host>:<remote port> username@<ssh server>
The topology is shown below: you want to telnet to {remote host} but cannot reach it directly, so you go through {ssh server} to {ssh client}. Note the difference from local forwarding: there you could only reach the ssh client directly, whereas here you can only reach the ssh server directly:
    {You} - {ssh server} - {ssh client} - {remote host}
What we need to do is execute the following command on {ssh client}:
    {ssh client} # ssh -f -N -R 2323:<remote-host>:23 username@<ssh-server>
After the password is entered, port 2323 on {ssh server} is mapped to port 23 (the telnet port) on {remote host}, so "telnet <ssh server> 2323" is equivalent to "telnet <remote-host>".
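As an added example (not from the original article), the following Python script audits the two sshd_config switches discussed above, AllowTcpForwarding and GatewayPorts. It parses the file the way sshd does (first global value wins, Match blocks kept apart) and reports the effective settings; the sample configuration is constructed for the demonstration.

```python
"""Audit the sshd_config switches that govern SSH port forwarding. Parsing follows
sshd_config(5): keywords are case-insensitive, 'Keyword value' and 'Keyword=value'
both work, '#' starts a comment, and in the global section the FIRST value wins."""
import re

# Values sshd uses when the keyword is absent (sshd_config(5) defaults).
DEFAULTS = {"allowtcpforwarding": "yes", "gatewayports": "no"}
LINE_RE = re.compile(r"^(\w+)\s*(?:=|\s)\s*(.*)$")

# Constructed sample; not a real server's configuration.
SAMPLE_SSHD_CONFIG = """\
Port 22
AllowTcpForwarding yes
GatewayPorts = yes
AllowTcpForwarding no      # ignored: the first global value wins
Match Group admins
    AllowTcpForwarding no
    GatewayPorts no
"""

def parse_sshd_config(text):
    """Return ({keyword: first global value}, [(match criteria, {kw: val})])."""
    global_settings, match_blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and blanks
        m = LINE_RE.match(line) if line else None
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":                       # lines below belong to this block
            current = (value, {})
            match_blocks.append(current)
        elif key in DEFAULTS:
            target = global_settings if current is None else current[1]
            target.setdefault(key, value)        # first obtained value wins
    return global_settings, match_blocks

def audit_forwarding(text):
    """Return the effective global values and a list of findings."""
    settings, blocks = parse_sshd_config(text)
    effective = {k: settings.get(k, d) for k, d in DEFAULTS.items()}
    gw, atf = effective["gatewayports"], effective["allowtcpforwarding"]
    findings = []
    if gw.lower() in ("yes", "clientspecified"):
        findings.append("GatewayPorts %s: -R listeners may bind to all interfaces" % gw)
    if atf.lower() in ("yes", "all"):
        findings.append("AllowTcpForwarding %s: every user may open -L/-R/-D tunnels" % atf)
    for criteria, vals in blocks:                # per-user / per-group overrides
        findings.extend("Match %s sets %s %s" % (criteria, k, v) for k, v in vals.items())
    return effective, findings
```

Run `audit_forwarding(open("/etc/ssh/sshd_config").read())` on a real server to see which forwarding modes its configuration currently permits.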
Differences between local and remote forwarding and applicable scenarios
Targeted forwarding (local or remote) is usually used to reach into an intranet. The difference between local and remote forwarding is whether the listening port sits on the ssh client or on the ssh server. Common cases are:
- If the ssh client is inside the intranet and the ssh server is on the Internet, use remote forwarding to let machines on the Internet reach the intranet;
- If the ssh server is inside the intranet and the ssh client is outside, use local forwarding to get into the intranet.
Set dynamic forwarding
The limitation of targeted forwarding (local or remote) is that a destination address must be specified. If we need to reach many destinations through one intermediate server, setting up a separate forwarding for each is clearly not a good solution. In that case we use ssh dynamic port forwarding, which amounts to creating a SOCKS server.
Let's take a look at the basic commands:
Run the following command on the ssh client:
    {ssh client} # ssh -f -N -o ServerAliveInterval=60 \
        -D <ssh client port> username@<ssh server>
There are two common scenarios in actual use:
- You use your own machine (127.0.0.1) as the SOCKS5 proxy server:
    {You/ssh client} - {ssh server} - {other hosts}
The command is as follows:
    {ssh client} # ssh -f -N -D 1080 username@<ssh-server>
In this case the SOCKS5 proxy server is 127.0.0.1:1080, usable only from the ssh client itself.
You can then configure it in your browser or any other software that supports a SOCKS5 proxy.
- The ssh client and ssh server are the same machine, which acts as the SOCKS5 proxy:
    {You} - {ssh client/ssh server} - {other hosts}
The command is as follows:
    {ssh client} # ssh -f -N -g -D 1080 username@127.0.0.1
In this case the SOCKS5 proxy server we get is:
    {ssh client IP address}:1080, which other machines on the network can use; they only need to be able to reach the ssh client.
SOCKS servers created through SSH use the SOCKS5 protocol; select SOCKS5 when configuring the proxy in applications.