Use SSH port forwarding to create a secure network channel and traverse firewalls

Source: Internet
Author: User
Tags: ssh port, ssh secure shell, ssh server
The general content is as follows:

 

Local port forwarding: create a port locally and forward it through SSH

ssh -L 8888:localhost:8888 username@codemonkey1

This command is run on the client machine.

We need to reach port 8888 on codemonkey1, where a web application is running, but for security reasons the application only accepts connections from localhost. We are sitting somewhere else, so we cannot reach that page directly; what we can reach is the SSH server on codemonkey1, so we use SSH to get there.

The command therefore works as follows: first, a listening port 8888 is created on the local machine. Data sent to local port 8888 is wrapped in the SSH protocol, carried over the encrypted connection to the SSH port of codemonkey1, unwrapped there by sshd and delivered to port 8888 on codemonkey1 as if it had come from localhost. Once the command is running, open a browser and visit http://localhost:8888 to see the web page served on port 8888 of codemonkey1. (Add -N if you only want the forward and no login shell.)

Of the three parameters, the first 8888 is the port to create on the local machine (the client); the second, localhost, is the host to connect to, resolved from the server's point of view rather than the client's; the third is the port on that host. So the second and third parameters together mean "localhost:8888 as seen by someone sitting in front of codemonkey1", which is exactly why the application's localhost-only restriction does not get in the way.

 

Remote port forwarding: create a port on the remote machine and forward it through SSH

ssh -R 5900:localhost:5900 friend@fedora1.mydomain.com

This command is run on the machine whose service is to be exposed, which is the SSH client here: our friend's machine. fedora1.mydomain.com is our machine, and it runs the SSH server.

The background is as follows. Our machine is fedora1.mydomain.com. A friend needs remote assistance from us (port 5900 is the port the vino remote desktop service listens on), but we cannot reach his machine at all: neither vino nor SSH on it is reachable from outside. Fortunately, our friend can reach our machine, fedora1.mydomain.com, over SSH.

So we have our friend run the command above on his machine. The effect: his machine opens an SSH connection to fedora1.mydomain.com, creates a listener on port 5900 of our machine, and binds that listener to port 5900 of his own machine. Because the connection was initiated by our friend from the inside, it passes through his firewall.

Now we can run vncviewer localhost and see our friend's desktop. vncviewer localhost tries to connect to local port 5900, and that port was just bound by our friend to port 5900 of his machine, so what we see is his desktop.

Of the three parameters, the first 5900 is the port to listen on at fedora1.mydomain.com; the second and third say which host and port that listener is connected to, resolved from the client's (our friend's) point of view, so localhost:5900 here means his own vino service.

Note that by default sshd binds a -R listener to the loopback address only, so port 5900 on fedora1.mydomain.com is reachable from fedora1 itself and not from other hosts on our network. That is the safe default: anyone who can reach the listener can reach our friend's desktop. Exposing it to other hosts requires GatewayPorts yes (or GatewayPorts clientspecified together with a bind address in the -R argument) in sshd_config on fedora1, which should be a deliberate decision.
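As an added example (not part of the original article), the following Python script turns the bind-address point above into a check: it parses the output of `ss -ltnp` (Linux iproute2) and reports listeners owned by ssh (the client side of -L and -D) or sshd (the server side of -R) that are bound to something other than loopback and are therefore reachable from other hosts. The sample output is constructed, and the set of ports to ignore (22, assumed to be sshd's own service port) is an assumption you can adjust.

```python
import re
import subprocess
import sys

# Constructed sample of `ss -ltnp` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:8888       0.0.0.0:*          users:(("ssh",pid=4242,fd=5))
LISTEN  0       128     0.0.0.0:5900         0.0.0.0:*          users:(("sshd",pid=917,fd=9))
LISTEN  0       128     [::1]:8080           [::]:*             users:(("ssh",pid=4243,fd=5))
LISTEN  0       128     *:8080               *:*                users:(("ssh",pid=4244,fd=5))
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=610,fd=3))
"""

LOOPBACK_PREFIXES = ("127.", "[::1]")
PROCESS_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def parse_ss(text):
    """Return (addr, port, process, pid) for each LISTEN row of `ss -ltnp` output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, _, port = parts[3].rpartition(":")   # rpartition keeps [::1] intact
        m = PROCESS_RE.search(line)
        proc, pid = (m.group(1), int(m.group(2))) if m else (None, None)
        rows.append((addr, int(port), proc, pid))
    return rows


def exposed_ssh_listeners(text, ignore_ports=frozenset({22})):
    """Listeners owned by ssh (client side: -L/-D) or sshd (server side: -R) that
    are bound to a non-loopback address, i.e. reachable from other hosts.
    ignore_ports drops sshd's own service port (assumed to be 22)."""
    return [
        (addr, port, proc, pid)
        for addr, port, proc, pid in parse_ss(text)
        if proc in ("ssh", "sshd")
        and port not in ignore_ports
        and not addr.startswith(LOOPBACK_PREFIXES)
    ]


def main():
    """Read ss output from stdin if piped, otherwise run `ss -ltnp` (Linux only)."""
    if sys.stdin.isatty():
        text = subprocess.run(["ss", "-ltnp"], capture_output=True, text=True, check=True).stdout
    else:
        text = sys.stdin.read()
    for addr, port, proc, pid in exposed_ssh_listeners(text):
        print(f"EXPOSED {addr}:{port} owned by {proc}[{pid}]")


if __name__ == "__main__":
    main()
```

On the sample, the -R listener on 0.0.0.0:5900 (a GatewayPorts yes result) and the wildcard-bound -D listener on *:8080 are reported, while the loopback-bound forwards and sshd's own port 22 are not. Run it as `ss -ltnp | python3 check_forwards.py` on a real host, or without a pipe to let it call ss itself.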

 

A reply to the original article pointed out that SSH can also act as a SOCKS proxy server. For example:

ssh -D 8080 aaa.domain.com

First we must be able to SSH into aaa.domain.com. Once the login succeeds, the ssh program listens on local port 8080. A SOCKS proxy is application- and protocol-agnostic: it works at the circuit (connection) level and simply forwards the raw TCP stream, which is why it performs well and applies to almost anything. Now, to browse the web, open IE and configure its SOCKS proxy as localhost:8080. Every request IE sends then goes to port 8080 on the local machine, where ssh receives it, wraps it in SSH and carries it to aaa.domain.com; aaa.domain.com then makes the actual HTTP request, fetches the page, and the result comes back over the same channel to our machine. The destination of each connection is taken from the SOCKS request rather than fixed on the command line, which is the difference from -L.

Two details worth knowing: ssh -D speaks SOCKS4 and SOCKS5, and with SOCKS5 the client can hand over the hostname unresolved so that DNS lookups happen on aaa.domain.com instead of leaking from the local machine (in Firefox this is the "Proxy DNS when using SOCKS v5" setting). And as with -L, the listener binds to loopback by default; -D 0.0.0.0:8080 or -g would open it to other hosts, giving everyone who can reach that port a free path through aaa.domain.com.

Likewise, FTP works the same way through the proxy.

With the SOCKS proxy, SSH becomes very powerful. The only drawback is that the application itself must support SOCKS proxy configuration.
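As an added example (not code from the article or from OpenSSH), the following Python program models the client-side listeners of both the local port forward from the first section and the SOCKS proxy described here, in one place. The relay logic is real and the SOCKS5 handshake is the RFC 1928 exchange a browser performs against `ssh -D`, but the encrypted SSH channel is replaced by a plain loopback socket so that it runs offline; the "web application" is a constructed echo server standing in for codemonkey1:8888, and all addresses and port numbers are chosen by the example. It shows the one difference that matters between the two modes: with -L the destination is fixed when the listener is created, with -D it is parsed from each SOCKS request, and a hostname sent as ATYP 0x03 is resolved by the proxy, not by the browser.

```python
import socket
import struct
import threading
from contextlib import suppress

SOCKS5 = 0x05

def pump(src, dst):
    """Copy src -> dst until EOF, then half-close dst so the far side sees EOF too."""
    with suppress(OSError):
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def relay(a, b):
    """Bidirectional relay between two connected sockets, one thread per direction."""
    back = threading.Thread(target=pump, args=(b, a), daemon=True)
    back.start()
    pump(a, b)
    back.join()
    a.close()
    b.close()

def serve(bind_addr, handler):
    """Listen on an ephemeral port and run handler(conn) in a thread per connection.
    bind_addr is the security knob: 127.0.0.1 is ssh's default, 0.0.0.0 is -g / GatewayPorts yes."""
    srv = socket.socket()
    srv.bind((bind_addr, 0))
    srv.listen()

    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]

def socks_reply(conn, rep):
    """SOCKS5 reply with zeroed BND.ADDR/BND.PORT; closes the client on a failure code."""
    conn.sendall(bytes([SOCKS5, rep, 0x00, 0x01]) + bytes(6))
    if rep != 0x00:
        conn.close()

def socks_handle(conn):
    """Server side of the RFC 1928 exchange as `ssh -D` speaks it: no-auth, CONNECT only."""
    ver, nmethods = conn.recv(2)
    if ver != SOCKS5 or 0x00 not in conn.recv(nmethods):
        conn.sendall(bytes([SOCKS5, 0xFF]))        # no acceptable method
        return conn.close()
    conn.sendall(bytes([SOCKS5, 0x00]))            # selected method: no authentication
    _, cmd, _, atyp = conn.recv(4)
    if atyp == 0x01:                               # IPv4 literal
        host = socket.inet_ntoa(conn.recv(4))
    elif atyp == 0x03:                             # hostname: resolved here, not by the browser
        host = conn.recv(conn.recv(1)[0]).decode()
    else:
        return socks_reply(conn, 0x08)             # address type not supported
    port = struct.unpack("!H", conn.recv(2))[0]
    if cmd != 0x01:
        return socks_reply(conn, 0x07)             # command not supported
    try:
        target = socket.create_connection((host, port))
    except OSError:
        return socks_reply(conn, 0x05)             # connection refused
    socks_reply(conn, 0x00)                        # succeeded: raw bytes flow from here on
    relay(conn, target)

def socks5_connect(proxy_port, host, port):
    """Client side: what a browser configured for SOCKS5 at localhost:proxy_port sends."""
    s = socket.create_connection(("127.0.0.1", proxy_port))
    s.sendall(bytes([SOCKS5, 0x01, 0x00]))         # greeting: one method offered, no-auth
    if s.recv(2) != bytes([SOCKS5, 0x00]):
        s.close()
        raise ConnectionError("proxy rejected our authentication methods")
    name = host.encode()                           # ATYP 0x03: hostname travels unresolved
    s.sendall(bytes([SOCKS5, 0x01, 0x00, 0x03, len(name)]) + name + struct.pack("!H", port))
    rep = s.recv(10)[1]
    if rep != 0x00:
        s.close()
        raise ConnectionError(f"SOCKS5 CONNECT failed, REP=0x{rep:02x}")
    return s

def demo():
    """Constructed scenario: a loopback-only echo server stands in for the web app on
    codemonkey1:8888; reach it once through a -L style and once through a -D style listener."""
    def echo(conn):
        with conn:
            while chunk := conn.recv(4096):
                conn.sendall(chunk)

    app_port = serve("127.0.0.1", echo)
    # Model of `ssh -L 127.0.0.1:<fwd_port>:127.0.0.1:<app_port>`: destination fixed up front.
    fwd_port = serve("127.0.0.1", lambda c: relay(c, socket.create_connection(("127.0.0.1", app_port))))
    # Model of `ssh -D 127.0.0.1:<socks_port>`: destination parsed from each SOCKS request.
    socks_port = serve("127.0.0.1", socks_handle)
    with socket.create_connection(("127.0.0.1", fwd_port)) as c:
        c.sendall(b"GET / via -L\r\n")
        via_l = c.recv(64)
    with socks5_connect(socks_port, "localhost", app_port) as c:
        c.sendall(b"GET / via -D\r\n")
        via_d = c.recv(64)
    return via_l, via_d
```

Calling demo() returns both echoed requests, proving that each path reached the loopback-only service. The same socks5_connect function works unchanged against a real `ssh -D 8080 aaa.domain.com` listener, which is a quick way to confirm that a browser's "remote DNS" setting is really sending names rather than addresses.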

 

With this principle understood, the same can be done on Windows. The SSH Secure Shell client we installed has a tunnel configuration: adding an outgoing tunnel there is equivalent to configuring a local port forward, and adding an incoming tunnel is equivalent to configuring a remote port forward. Once configured, log on to the host and the port forwards for that host take effect.

However, the SSH Secure Shell client does not support acting as a SOCKS server, that is, it has no equivalent of the ssh -D option. As far as I could find, only PuTTY supports this (under Connection > SSH > Tunnels, a forwarded port can be marked Dynamic). So PuTTY will be used from here on. PuTTY's one inconvenience is that uploading and downloading files over SFTP is less convenient; without a GUI, use its command-line psftp.
