The port mapping of computer program knowledge in Linux system

Source: Internet
Author: User
Tags socket ssh iptables port number server port

The knowledge that you want to understand Linux port mappings is actually very simple. So now let's take a look at the mystery of it!

01

Ssh-c-G root@127.0.0.1-l 5000:61.235.139.123:5000

02

03

#输入机器的root密码

04

05

#后台执行:

06

Ssh-c-f-n-G root@127.0.0.1-l 5000:61.235.139.123:5000

07

08

#另:

09

10

Ssh-c-f-n-g-r Remote_port:local:port user@remotehost

You can bind the remote server port Remote_port to the local port, where-c is data compression,-f is the background operation, only when the user name password is prompted to the foreground. -N is not a remote command, which is useful in the case of only port forwarding. -G allows the remote host to connect to the local forwarding port. -R indicates that the remote host port is mapped to a local port. If-l, the local port is mapped to the remote host port.

Three powerful port forwarding commands for SSH:

1

Ssh-c-f-n-g-l Listen_port:DST_Host:DST_port user@tunnel_host

2

Ssh-c-f-n-g-r Listen_port:DST_Host:DST_port user@tunnel_host

3

Ssh-c-f-n-g-d Listen_portuser@tunnel_host

-F Fork into background after authentication.

Background authenticated user/password, usually used with-N, do not log on to the remote host.

-P Port Connect to this port. The Server must is on the same port.

The SSHD service port of the logged on SSD server.

-L Port:host:hostport

Forwards a port on the local machine (client) to the specified port on the remote specified machine. How it works is that a socket on the local machine is assigned to listen on the port, and once connected on the port, the connection is forwarded through a secure channel, while the remote host and the host's Hostport port are connected. You can specify the forwarding of ports in the configuration file. Only Root can forward privileged ports. The IPV6 address is described in another format: Port/host/hostport

-R Port:host:hostport

Forwards a port on a remote host (server) to the specified port on the local-side specified machine. How it works is that a socket on the remote host is assigned to listen on port ports, and once a connection is made on the port, the connection is diverted through a secure channel, while the local host and host Hostport ports are connected. You can specify the forwarding of ports in the configuration file. You must log on to a remote host with Root to forward privileged ports. The IPV6 address is described in another format: Port/host/hostport

-D Port

Specifies a local machine "dynamic" Application port forwarding. How it works is that a socket on the local machine is assigned to listen to the port, and once a connection is made on the port, the connection is forwarded through a secure channel, depending on the protocol of the application to determine where the remote host will be connected. Currently supports the SOCKS4 protocol and will act as a SOCKS4 server. Only Root can forward privileged ports. You can specify the forwarding of dynamic ports in the configuration file.

-C Enable compression.

Compressed data transfer.

-N does not execute a shell or command.

Scripts or commands are not executed, and are usually used with-F.

-G Allow remote hosts to connect to forwarded ports.

In the-l/-r/-d parameter, the remote host is allowed to connect to the established forwarding port, and if this argument is not added, only the local host is allowed to establish a connection. Note: This parameter I do not always seem to work in practice, see III

Iptables the process of implementing port forwarding

We have a computer, there are two network cards, eth0 network, IP for 1.2.3.4;eth1 even intranet, IP for 192.168.0.1. It is now necessary to forward the IP packets destined for the 81 port of address 1.2.3.4 to the 8180 port of IP address 192.168.0.2, The settings are as follows:

1. Iptables-t nat-a prerouting-d 1.2.3.4-p tcp-m tcp--dport 81-j dnat--to-destination192.168.0.2:8180

2. Iptables-t nat-a postrouting-s 192.168.0.0/255.255.0.0-d 192.168.0.2-p tcp-m tcp--dport 8180-j SNAT 192.168.0.1

The real transfer process is as follows:

Assuming that the IP address of a client is 6.7.8.9, it uses the local 1080 port to connect the 1.2.3.4 81 port, the IP packet source address is 6.7, 8.9, the source port is 1080, the destination is 1.2.3.4, and the destination port is 81.

When the host 1.2.3.4 receives this package, the IP packet's destination address should be more than 192.168 0.2, and the destination port should be 8180, based on the first rule of the NAT table, and an entry is created in the Connection tracking table (available from the/PROC/NET/IP_ Conntrack file), it is then sent to the routing module, by Challo the table, to determine that the IP packet should be sent to the Eth1 interface. Before sending the IP packet to the Eth1 interface, according to the second rule of the NAT table, if the IP packet comes from the same subnet, the IP packet's source address should be more 192.168.0.1, updates the corresponding entry in the Connection tracking table and sends it to the Eth1 interface.

There is one entry in the Connection tracking table:

Connecting into: src=6.7.8.9 dst=1.2.3.4 sport=1080 dport=81

Connection return: src=192.168.0.2 dst=6.7.8.9 sport=8180 dport=1080

Whether to use: use=1

And the IP packets sent back from 192.168.0.2, the source port is 8180, the destination address is 6.7 8.9, the destination port is 1080, and the TCP/IP stack of the host 1.2.3.4 receives it. The connection from the core Lookup connection tracking table returns whether there is a match for the same source and destination address and port in the column, and when found, the IP packet's source address is 1.2.3.4 from 192.168.0.2, and the source port from 8180 should be 81, Keep the destination port number 1080 unchanged. This allows the server's return package to correctly return the client initiating the connection, and the communication begins.

Also, in the filter table, you should allow 8180 ports from the eth0 to connect 192.168.0.2 addresses:

Iptables-a input-d 192.168.0.2-p tcp-m tcp--dport 8180-i eth0-j ACCEPT

Detailed steps for Linux port mapping

A lot of search on the Internet, the Linux configuration port mapping is not detailed enough, I RedHat8.0 on the iptables configured with the port mapping, detailed configuration process for your reference.

"Implementation Features"

PC A is

Eth0 172.18.10.212 Intranet

Eth1 219.239.xx.xx outside the net

PC B is 172.18.10.205 intranet

A's 8080 port maps to B's 80 port

Steps

1, should first do is the/etc/sysctl.conf configuration file Net.ipv4.ip_forward = 1 default is 0

This allows Iptalbes FORWARD.

2, in the/ETC/RC.D/INIT.D directory has iptables files, the use of the following format

Usage:./iptables {Start|stop|restart|condrestart|status|panic|save}

Quite with service Iptables {...}

Stop the Iptables service, clear the previous rules, save the disk

To the/ETC/RC.D/INIT.D directory, run the

./iptables Stop

Iptalbes-f

Iptalbes-x

Iptalbes-z

./iptables Save

3. Reconfigure rules

Iptables-t nat-a prerouting-d 219.239.xx.xx-p tcp--dport 8080-j dnat--to-destination 172.18.10.205:80

Iptables-t nat-a postrouting-d 172.18.10.205-p tcp--dport 80-j SNAT--to 172.18.10.212

Iptables-a forward-o eth0-d 172.18.10.205-p tcp--dport 80-j ACCEPT

Iptables-a forward-i eth0-s 172.18.10.205-p tcp--sport 80-j ACCEPT

Dnat SNAT Please refer to the help, here no longer stated.

4. New rules for filing

./iptables Save

After the rule is saved, in/etc/sysconfig/iptables this file, if you are familiar with this file

Directly modifying this content is also equivalent to command-line input rules.

5. Start Iptables Service

./iptables Start

In the/proc/net/ip_conntrack file there is a flow of packets, as follows

TCP 6 time_wait src=221.122.59.2 dst=219.239.xx.xx sport=7958 dport=8080 packets=9 bytes=1753

src=172.18.10.205 dst=172.18.10.212 sport=80 dport=7958 packets=9 bytes=5777 [assured] use=1

Summary: About Linux port mapping knowledge, for the use of some files, memory, or the use of communication is a great help! This knowledge of Linux systems is also an important part of it!

Related Article

E-Commerce Solutions

Leverage the same tools powering the Alibaba Ecosystem

Learn more >

Apsara Conference 2019

The Rise of Data Intelligence, September 25th - 27th, Hangzhou, China

Learn more >

Alibaba Cloud Free Trial

Learn and experience the power of Alibaba Cloud with a free trial worth $300-1200 USD

Learn more >

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.