SSH端口转发的简要介绍-A short guide to SSH prot forwarding(2)

本文详细解析了SSH端口转发的概念、工作原理及其在不同场景下的应用,包括客户端到服务器(C2S)和服务器到客户端(S2C)的端口转发规则,强调了端口转发在保护敏感数据免受网络攻击、建立虚拟私有网络等方面的重要作用。通过实例展示了如何在实际环境中部署SSH端口转发以增强数据安全性。

      现在来看最令人困惑的部分:目的主机的地址。理解这一点非常重要:在一个client to server端口转发规则中,目标主机地址是相对于SSH服务端的,而不是客户端。这是SSH服务端在一个连接需要被转发时将要连接的地址。这种场景下,目标主机地址被设置成127.0.0.1,从而让SSH服务端连接到运行于相同机器上的应用服务端。

      最后,目的端口指定了当前场景中目标TCP/IP服务器正在被监听的所在端口,123.

      上述例子中所展示的端口转发配置是严格的:它通过限制SSH客户端位于相同机器作为应用客户端,而SSH服务端位于相同机器作为应用服务端,从而最小化了非加密数据的暴露。

       另一方面,如果你已经注意到SSH客户端和SSH服务端之间的,不要介意本地子网中的非加密数据,你可能配置你的SSH端口转发规则如下:

---------------图2

 这与如下的SSH客户端中的C2S端口转发规则一致:

监听接口:0.0.0.0(这会打开SSH客户端的转发socket,到来自于其他机器的连接)

监听端口:123

目的主机:10.2.2.9(目标应用客户端不是同一台机器来作为SSH服务端,所以我们需要从SSH服务端进入它的地址可见)

目的端口:123

        按照这样启动,你只需要一个SSH客户端去转发多个应用客户端的连接;因为SSH客户端的监听地址被配置成了0.0.0.0,应用客户端不需要位于同一台机器。使用恰当配置的端口转发规则,你可以使用相同的SSH会话去转发连接给多个应用服务端,而这些服务端可以部署到不同于SSH服务端的机器上。

        虽然我们的上面的例子只讨论了c2s端口转发规则,s2c的端口转发规则是完全对称的。只是角色是相反的:在s2c转发中,监听地址是相对于SSH服务端,而目的主机地址是相对于SSH客户端。

        一个常见的错误是给一个相同的转发连接定义一个C2S和一个S2C规则。这是不必要的也不会起作用。S2C规则只有在你正在转发其他建立在从服务端到客户端方向上的连接时才需要。这样的连接通常是与那些建立自客户端到服务端的连接时独立不相关的。对每一条连接来说只需要一种规则。

 

摘自:https://www.bitvise.com/port-forwarding

 

 

A short guide to SSH port forwarding

SSH port forwarding, or TCP/IP connection tunneling, is a process whereby a TCP/IP connection that would otherwise be insecure is tunneled through a secure SSH link, thus protecting the tunneled connection from network attacks. Port forwarding can be used to establish a form of a virtual private network (VPN).

To illustrate how port forwarding works, let us use an example. Suppose you are the network administrator in a company that has two buildings. In Building #1, there are numerous workstations residing in the subnet 10.1.1.*. In Building #2, there are multiple servers residing in the subnet 10.2.2.*. The two buildings are separated by a busy street with parking spaces on each side, and the subnets in the two buildings are linked wirelessly through an antenna on the roof of each building. The workstations in Building #1 are running a legacy client application that uses an unencrypted TCP/IP session to communicate sensitive data with the servers in Building #2.

One day, someone in your company notices that an unmarked black van has remained parked on the street between the two buildings for several days. As your CEO realizes that sensitive data is being transmitted unencrypted between the two buildings, he becomes worried that the van parked outside might be collecting the company's confidential information. He orders you to solve the problem ASAP.

What you do is this:

On each of the client workstations in Building #1 (in the above example, workstation 10.1.1.7 is shown), you install an SSH client. On the machine in Building #2 that runs the server for your legacy application, you install an SSH server. You configure the SSH client with the following client-to-server port forwarding rule: for each connection that comes on interface 127.0.0.1 and port 999, forward that connection to the SSH server, and request the SSH server to forward that connection to host 127.0.0.1 (relative to the server), port 123.

Now, your application client doesn't connect to the server directly anymore. Rather, it connects to the SSH client, which encrypts all data before transmission. The SSH client forwards the encrypted data to the SSH server, which decrypts it and forwards it to your application server. Data sent by the server application is similarly encrypted by the SSH server and forwarded back to the client.

Previously, the data that was being radioed between the two buildings was sent in plaintext and could be captured by anyone parking on the street below. Now, the data is encrypted using the SSH protocol, and is virtually impossible to decipher. The next day after installing SSH, you observe that the black unmarked van is gone.

Now, let us comment on the above example. It corresponds with the following C2S (client-to-server) port forwarding rule in the SSH client:

  • Listen interface: 127.0.0.1 (this ensures that only connections from the local client machine, or loopback connections, are accepted for forwarding)
  • Listen port: 999
  • Destination host: 127.0.0.1 (important: the target address is relative to the server, not the client, so 127.0.0.1 will work fine if the target application server is listening on all interfaces - 0.0.0.0)
  • Destination port: 123

Note that the listening interface configured on the SSH client is 127.0.0.1. By configuring the listening interface, you tell the SSH client what kinds of connections it will accept. If you configure the listening interface to 127.0.0.1, the SSH client will only accept connections originating on the same machine. If you configure the listening interface to equal the IP address of one of the network cards on the machine, the SSH client will accept only those connections that arrive through that network card. If you configure the listening address to 0.0.0.0, the SSH client will accept connections regardless of their origin.

Next, you will note that the listening port has been set to 999. The listening port could be set to any figure between 1 and 65535 that is not already occupied by another application listening for connections on the same machine. In this case, the SSH client listening port has been set to 999, but it could just as well have been set to 123, the same port at which the application server is listening.

Now comes the most confusing part: the address of the destination host. It is important to understand that, in a client-to-server port forwarding rule, the target host address is relative to the SSH server, not the client. This is the address that the SSH server will connect to when a connection needs to be forwarded. In this case, the target host address is set to 127.0.0.1 to have the SSH server connect to the application server which is running on the same machine.

Finally, the destination port specifies the port on which the target TCP/IP server is listening - in this case, 123.

The port forwarding configuration shown in the above example is strict: it minimizes the exposure of unencrypted data by constraining the SSH client to reside on the same machine as the application client, and the SSH server to reside on the same machine as the application server.

On the other hand, if you are only concerned about eavesdropping between the SSH client and the server, and do not mind unencrypted data in the local subnets, you might configure your SSH port forwarding rules like this:

This corresponds with the following C2S (client-to-server) port forwarding rule in the SSH client:

  • Listen interface: 0.0.0.0 (this opens up the SSH client's forwarding socket to connections from other machines)
  • Listen port: 123
  • Destination host: 10.2.2.9 (the target application server is not on the same machine as the SSH server, so we need to enter its address as visible from the SSH server)
  • Destination port: 123

With this setup, you only need one SSH client to forward the connections of multiple application clients; since the SSH client's listening address is configured to 0.0.0.0, the application clients do not need to reside on the same machine. With appropriately configured port forwarding rules, you can use the same SSH session to forward connections to multiple application servers, which can reside on machines different from the SSH server.

Even though our examples above only discuss client-to-server port forwarding rules, the concept of server-to-client port forwarding is entirely symmetric. Only the roles are reversed: with S2C forwarding, the listening address is relative to the SSH server, and the destination host address is relative to the SSH client.

It is a common mistake to define both a C2S as well as an S2C rule for the same forwarded connection. This is not necessary and will not work. S2C rules are required only if you are forwarding other connections which are established in the direction from the server to the client. Such connections are normally independent from, and unrelated to, those established from client to server. Only one type of rule is necessary for each connection.

 

<think>嗯,用户之前问过如何在CentOS 7上开放2022端口SSH,现在他们想进一步在开放端口后把所有默认规则设为拒绝。我需要确保他们明白这样做会带来什么影响,比如默认拒绝所有流量后,必须明确允许必要的端口,否则可能导致服务不可用。 首先,用户可能是在加强服务器的安全性,遵循最小权限原则。但默认拒绝所有可能会不小心锁定自己,特别是如果他们没有其他途径访问服务器的话。所以需要提醒他们保持现有SSH连接,或者确保新端口已经正确配置并测试过。 接下来,我需要提供正确的iptables命令。默认策略设为DROP的话,顺序很重要。首先允许SSH端口,然后再修改默认策略,这样避免在设置过程中被断开。命令的顺序应该是先允许相关端口,再设置默认规则。 另外,用户之前提到使用iptables,所以需要确认他们是否已经正确从firewalld切换到iptables,之前的回答里已经提到了禁用firewalld的步骤,可能需要再次提醒,特别是如果用户没有执行的话。 还要注意保存iptables规则,否则重启后会失效。用户可能之前已经执行过保存,但这里需要再次强调,避免遗漏。另外,检查规则是否存在,确保配置正确。 可能的风险点包括:如果用户错误配置了默认策略,或者没有允许必要的端口(比如回环接口lo),可能导致服务不可用。所以需要提醒他们允许本地通信,并确保其他必要服务如HTTP/HTTPS的端口也被允许。 最后,用户可能需要测试新配置是否生效,建议他们从另一个会话测试,避免被锁在外面。如果有问题,可能需要通过控制台恢复设置,这也是为什么提醒保持现有连接的重要性。</think>以下是在CentOS 7中将iptables默认规则设置为拒绝并保持SSH 2022端口开放的完整操作流程: ```bash # 1. 清空现有规则(危险操作!必须保持当前SSH连接不中断) sudo iptables -F # 2. 设置默认策略(必须先设置INPUT再设置OUTPUT) sudo iptables -P INPUT DROP # 默认拒绝所有入站 sudo iptables -P FORWARD DROP # 默认拒绝所有转发 sudo iptables -P OUTPUT ACCEPT # 通常允许所有出站 # 3. 允许本地回环接口(必须保留) sudo iptables -A INPUT -i lo -j ACCEPT # 4. 允许已建立的连接(保持现有会话) sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # 5. 开放SSH 2022端口 sudo iptables -A INPUT -p tcp --dport 2022 -j ACCEPT # 6. 保存配置(关键步骤) sudo service iptables save # 7. 重启服务生效 sudo systemctl restart iptables # 验证命令 sudo iptables -L -v --line-numbers ``` 重要安全建议: 1. **操作前必须保持现有SSH连接不中断**,建议通过物理控制台操作 2. 若需开放其他端口(如HTTP 80/443),需在步骤5后追加: ```bash sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT ``` 3. ICMP协议处理建议: ```bash sudo iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT # 允许ping sudo iptables -A INPUT -p icmp -j DROP # 拒绝其他ICMP类型 ``` 效果验证: ```bash # 查看当前策略 $ sudo iptables -S | grep POLICY -P INPUT DROP -P FORWARD DROP -P OUTPUT ACCEPT # 检查SSH规则 $ sudo iptables -L INPUT -n --line-numbers Chain INPUT (policy DROP) num target prot opt source destination 1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 3 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2022 ```
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值