SSH端口转发的简要介绍-A short guide to SSH prot forwarding(2)

最新推荐文章于 2024-10-31 10:54:35 发布
翻译 最新推荐文章于 2024-10-31 10:54:35 发布 · 1.3k 阅读 · 0

本文详细解析了SSH端口转发的概念、工作原理及其在不同场景下的应用,包括客户端到服务器(C2S)和服务器到客户端(S2C)的端口转发规则,强调了端口转发在保护敏感数据免受网络攻击、建立虚拟私有网络等方面的重要作用。通过实例展示了如何在实际环境中部署SSH端口转发以增强数据安全性。

      现在来看最令人困惑的部分:目的主机的地址。理解这一点非常重要:在一个client to server端口转发规则中,目标主机地址是相对于SSH服务端的,而不是客户端。这是SSH服务端在一个连接需要被转发时将要连接的地址。这种场景下,目标主机地址被设置成127.0.0.1,从而让SSH服务端连接到运行于相同机器上的应用服务端。

      最后,目的端口指定了当前场景中目标TCP/IP服务器正在被监听的所在端口,123.

      上述例子中所展示的端口转发配置是严格的:它通过限制SSH客户端位于相同机器作为应用客户端,而SSH服务端位于相同机器作为应用服务端,从而最小化了非加密数据的暴露。

       另一方面,如果你已经注意到SSH客户端和SSH服务端之间的,不要介意本地子网中的非加密数据,你可能配置你的SSH端口转发规则如下:

---------------图2

 这与如下的SSH客户端中的C2S端口转发规则一致:

监听接口:0.0.0.0(这会打开SSH客户端的转发socket,到来自于其他机器的连接)

监听端口:123

目的主机:10.2.2.9(目标应用客户端不是同一台机器来作为SSH服务端,所以我们需要从SSH服务端进入它的地址可见)

目的端口:123

        按照这样启动,你只需要一个SSH客户端去转发多个应用客户端的连接;因为SSH客户端的监听地址被配置成了0.0.0.0,应用客户端不需要位于同一台机器。使用恰当配置的端口转发规则,你可以使用相同的SSH会话去转发连接给多个应用服务端,而这些服务端可以部署到不同于SSH服务端的机器上。

        虽然我们的上面的例子只讨论了c2s端口转发规则,s2c的端口转发规则是完全对称的。只是角色是相反的:在s2c转发中,监听地址是相对于SSH服务端,而目的主机地址是相对于SSH客户端。

        一个常见的错误是给一个相同的转发连接定义一个C2S和一个S2C规则。这是不必要的也不会起作用。S2C规则只有在你正在转发其他建立在从服务端到客户端方向上的连接时才需要。这样的连接通常是与那些建立自客户端到服务端的连接时独立不相关的。对每一条连接来说只需要一种规则。

 

摘自:https://www.bitvise.com/port-forwarding

 

 

A short guide to SSH port forwarding

SSH port forwarding, or TCP/IP connection tunneling, is a process whereby a TCP/IP connection that would otherwise be insecure is tunneled through a secure SSH link, thus protecting the tunneled connection from network attacks. Port forwarding can be used to establish a form of a virtual private network (VPN).

To illustrate how port forwarding works, let us use an example. Suppose you are the network administrator in a company that has two buildings. In Building #1, there are numerous workstations residing in the subnet 10.1.1.*. In Building #2, there are multiple servers residing in the subnet 10.2.2.*. The two buildings are separated by a busy street with parking spaces on each side, and the subnets in the two buildings are linked wirelessly through an antenna on the roof of each building. The workstations in Building #1 are running a legacy client application that uses an unencrypted TCP/IP session to communicate sensitive data with the servers in Building #2.

One day, someone in your company notices that an unmarked black van has remained parked on the street between the two buildings for several days. As your CEO realizes that sensitive data is being transmitted unencrypted between the two buildings, he becomes worried that the van parked outside might be collecting the company's confidential information. He orders you to solve the problem ASAP.

What you do is this:

On each of the client workstations in Building #1 (in the above example, workstation 10.1.1.7 is shown), you install an SSH client. On the machine in Building #2 that runs the server for your legacy application, you install an SSH server. You configure the SSH client with the following client-to-server port forwarding rule: for each connection that comes on interface 127.0.0.1 and port 999, forward that connection to the SSH server, and request the SSH server to forward that connection to host 127.0.0.1 (relative to the server), port 123.

Now, your application client doesn't connect to the server directly anymore. Rather, it connects to the SSH client, which encrypts all data before transmission. The SSH client forwards the encrypted data to the SSH server, which decrypts it and forwards it to your application server. Data sent by the server application is similarly encrypted by the SSH server and forwarded back to the client.

Previously, the data that was being radioed between the two buildings was sent in plaintext and could be captured by anyone parking on the street below. Now, the data is encrypted using the SSH protocol, and is virtually impossible to decipher. The next day after installing SSH, you observe that the black unmarked van is gone.

Now, let us comment on the above example. It corresponds with the following C2S (client-to-server) port forwarding rule in the SSH client:

  • Listen interface: 127.0.0.1 (this ensures that only connections from the local client machine, or loopback connections, are accepted for forwarding)
  • Listen port: 999
  • Destination host: 127.0.0.1 (important: the target address is relative to the server, not the client, so 127.0.0.1 will work fine if the target application server is listening on all interfaces - 0.0.0.0)
  • Destination port: 123

Note that the listening interface configured on the SSH client is 127.0.0.1. By configuring the listening interface, you tell the SSH client what kinds of connections it will accept. If you configure the listening interface to 127.0.0.1, the SSH client will only accept connections originating on the same machine. If you configure the listening interface to equal the IP address of one of the network cards on the machine, the SSH client will accept only those connections that arrive through that network card. If you configure the listening address to 0.0.0.0, the SSH client will accept connections regardless of their origin.

Next, you will note that the listening port has been set to 999. The listening port could be set to any figure between 1 and 65535 that is not already occupied by another application listening for connections on the same machine. In this case, the SSH client listening port has been set to 999, but it could just as well have been set to 123, the same port at which the application server is listening.

Now comes the most confusing part: the address of the destination host. It is important to understand that, in a client-to-server port forwarding rule, the target host address is relative to the SSH server, not the client. This is the address that the SSH server will connect to when a connection needs to be forwarded. In this case, the target host address is set to 127.0.0.1 to have the SSH server connect to the application server which is running on the same machine.

Finally, the destination port specifies the port on which the target TCP/IP server is listening - in this case, 123.

The port forwarding configuration shown in the above example is strict: it minimizes the exposure of unencrypted data by constraining the SSH client to reside on the same machine as the application client, and the SSH server to reside on the same machine as the application server.

On the other hand, if you are only concerned about eavesdropping between the SSH client and the server, and do not mind unencrypted data in the local subnets, you might configure your SSH port forwarding rules like this:

This corresponds with the following C2S (client-to-server) port forwarding rule in the SSH client:

  • Listen interface: 0.0.0.0 (this opens up the SSH client's forwarding socket to connections from other machines)
  • Listen port: 123
  • Destination host: 10.2.2.9 (the target application server is not on the same machine as the SSH server, so we need to enter its address as visible from the SSH server)
  • Destination port: 123

With this setup, you only need one SSH client to forward the connections of multiple application clients; since the SSH client's listening address is configured to 0.0.0.0, the application clients do not need to reside on the same machine. With appropriately configured port forwarding rules, you can use the same SSH session to forward connections to multiple application servers, which can reside on machines different from the SSH server.

Even though our examples above only discuss client-to-server port forwarding rules, the concept of server-to-client port forwarding is entirely symmetric. Only the roles are reversed: with S2C forwarding, the listening address is relative to the SSH server, and the destination host address is relative to the SSH client.

It is a common mistake to define both a C2S as well as an S2C rule for the same forwarded connection. This is not necessary and will not work. S2C rules are required only if you are forwarding other connections which are established in the direction from the server to the client. Such connections are normally independent from, and unrelated to, those established from client to server. Only one type of rule is necessary for each connection.

 

chinaclock
关注
Bitvise SSH Client 的 S2C(正向隧道Client-to-Server) 功能如何使用
weixin_50182204的博客
01-31 2177
BvSsh ; C2S ; 隧道 ;端口转发
SSH端口转发
纤手小白
09-08 1万+
端口转发概述: 让我们先来了解一下端口转发的概念吧。我们知道,SSH 会自动加密和解密所有 SSH 客户端与服务端之间的网络数据。但是,SSH 还同时提供了一个非常有用的功能,这就是端口转发。它能够将其他 TCP 端口的网络数据通过 SSH 链接来转发,并且自动提供了相应的加密及解密服务。这一过程有时也被叫做“隧道”(tunneling),这是因为 SSH 为其他 TCP 链接提供了一个安全的通...
Bitvise SSH Client 8.44[2020-10-09]
10-09
Bitvise SSH Client是款window上不错的免费的ssh客户端,支持SFTP, tunneling, terminal, FTP­to­SFTP bridge。除了支持比较重要的动态端口转发外,还支持多帐号登录、图形界面的SFTP、远程桌面等。 Bitvise SSH Client最新版是一款十分专业的端口转发工具,Bitvise SSH Client最新版支持socks4、socks4 a、socks5 和 http 连接代理隧道协议/支持pem证书,可以帮助大家轻松快捷的对本地文件和远端文件进行管理,并且Bitvise SSH Client最新版操作起来也很简单
SSH的三种端口转发(Port forwarding)/ 隧道协议概要
热门推荐
javon_hzw的专栏
08-18 1万+
关于ssh转发,这篇算写得比较易懂的。考虑后续会基于这篇文章,给出原理性分析和图表,应该会更利于理解 转自:https://blog.twofei.com/528/ 用SSH有一段时间了,自认为对ssh的操作还是有一定的了解。而今天我要介绍的是ssh的三种端口转发(隧道协议、Tunnel、Port forwarding)功能的使用与它们的使用场合。 为什么要用ssh端口转发功能
通过 ssh port-forward,ssh 中继的方式设置vscode进行嵌入式linux arm远程gdb调试
weixin_43398250的博客
09-30 711
通过 ssh port-forward,ssh 中继的方式设置vscode进行嵌入式linux arm远程gdb调试, gdb ssh arm linux vscode
ssh port forwarding
bbplayers的专栏
09-30 3669
SSH: Port Forwarding 1.正向隧道-隧道监听本地port,为普通活动提供安全连接 ssh -qTfnN -L port:host:hostport -l user remote_ip 2.反向隧道----隧道监听远程port,突破防火墙提供服务 ssh
A practical guide to building owl ontologies using protege
07-23
一本详细介绍如何基于OWL进行Ontology建模的好书,其中也包括了如何使用Protege等建模工具的说明和教程。
cc-projeto-better-bootstrap:Protótipo前端desenvolvido durante a leitura do livro“ Bootstrap 4-Conheçaa biblioteca前端mais utilizada do mundo” de Natan Souza
04-03
cc-projeto-better-bootstrap Protótipo前端desenvolvido durante a leitura do livro“ Bootstrap 4-Conheçaa biblioteca前端mais utilizada do mundo” de Natan Souza
配置免密登录ssh: connect to host hadoop03 port 22: Connection refused可能原因
m0_68719480的博客
09-14 3958
自学,自用
(git) [git push] ssh: connect to host github.com port 22: Connection timed out fatal: Could not....
qq_41685627的博客
01-18 726
想要push出现以下问题,这里我用的是ssh协议,如果用https协议同样会报错。
Windows 内网穿透工具bitvise-client-8.35.rar
09-16
Windows 内网穿透工具bitvise-client-8.35.rar,win7和win10都能用,用于开启SSH服务
Bitvise SSH Client
06-08
Bitvise SSH Client 这款软件可以很方便的访问远程桌面或者服务器。由于国内网络的原因,这款软件的官网被墙掉导致难以下载,但是还是难以阻挡学习的热情,特意下载了以后供大家学习使用。
BvSshClient-Inst官网最新版
09-27
BvSshClient 专用于 windows连接linux 无乱玛 很好用的喔 , 支持窗口化视图查看目录, Bitvise SSH Client具可配合谷歌或者火狐浏览器插件探索外边的世界。
在使用 bitvise SSH client时,进行隧道S2C端口映射时,远程主机外网不能访问问题。
蓝翔顶级电脑技工
04-20 5931
后经过google一番,修改 /etc/ssh/sshd_configGatewayPorts yes重启一起sshd服务即可。 service sshd restart
利用Bitvise SSH Client设置二级代理
qq_36494655的博客
09-26 4927
浏览器设置代理很多时候需要我们自己设置浏览器代理上网,也就是说就是通过代理服务器上网,那我简单说下使用浏览器设置代理,以搜狗为例。首先找到设置代理的位置 工具->代理设置->添加新代理,然后就是输入代理名字,这个名字无所谓的,填写代理IP以及端口,一般不需要登录,最后保存关闭,上网就ok了。(有点废话,就当是给自己复习了) 二级代理不知道自己是不是理解错“二级”了,反正就是两次代理,姑且就说是二级吧
bitvise ssh client 连接linux,secureCRT + Bitvise SSH Client实现ssh隧道远程
weixin_28779183的博客
05-14 1847
secureCRT + Bitvise SSH Client实现ssh隧道远程1、实验环境server1,模拟可以通过互联网访问的服务器ip1:192.168.112.100 使用vmware的nat网络,模拟有公网ip的服务器ip2:10.0.0.1 使用vmware的custom网络,模拟服务器的内网,无法通过公网访问。server2,模拟无公网ip的服务器ip1:10.0.0.2,使用vmw...
SSH端口转发简要介绍-A short guide to SSH prot forwarding(1)
chinaclock的专栏
09-09 671
SSH端口转发,或者TCP/IP隧道连接,是一个处理过程,在该过程中,一个并不安全的TCP/IP连接将通过一个安全的SSH链接的构建的隧道,因此可以保护隧道中的连接遭受网络攻击。端口转发可以用来作为一个VPN(虚拟私有网络)的一种形式。        为了解释端口转发时如何工作的,让我们来举一个例子。假设你是一家拥有两栋大楼的公司的网络管理员。在#1栋大楼,有若干工作站位于子网10.1.1.*地
【免费下载】 Bitvise SSH Client 工具介绍
gitblog_06505的博客
10-31 1236
Bitvise SSH Client 工具介绍 【下载地址】BitviseSSHClient工具介绍分享 Bitvise SSH Client 工具介绍Bitvise SSH Client 是一款功能强大的 SSH 客户端软件,专为 Windows 操作系统设计 ...
MobaXterm的SOCKS代理连接与bitvise client 软件的C2S与S2C连接
weixin_30840253的博客
01-29 1718
1.MobaXterm的SOCKS代理连接的一种使用场景 远程两台Linux服务器,外网服务器和内网服务器,外网服务器有内外网ip,内网服务器不提供外网ip 外网服务器外网ip为100.100.100.100 ,内网服务器内网ip192.168.100.10 此时使用本地的MobaXterm软件远程连接两台服务器,外网服务器可以很方便连接,内网服务器只能通过登录到外网服务器然后跳转,运维不方...
开放ssh端口2022后将默认规则都改为拒绝
最新发布
02-27
<think>嗯,用户之前问过如何在CentOS 7上开放2022端口SSH,现在他们想进一步在开放端口后把所有默认规则设为拒绝。我需要确保他们明白这样做会带来什么影响,比如默认拒绝所有流量后,必须明确允许必要的端口,否则可能导致服务不可用。 首先,用户可能是在加强服务器的安全性,遵循最小权限原则。但默认拒绝所有可能会不小心锁定自己,特别是如果他们没有其他途径访问服务器的话。所以需要提醒他们保持现有SSH连接,或者确保新端口已经正确配置并测试过。 接下来,我需要提供正确的iptables命令。默认策略设为DROP的话,顺序很重要。首先允许SSH端口,然后再修改默认策略,这样避免在设置过程中被断开。命令的顺序应该是先允许相关端口,再设置默认规则。 另外,用户之前提到使用iptables,所以需要确认他们是否已经正确从firewalld切换到iptables,之前的回答里已经提到了禁用firewalld的步骤,可能需要再次提醒,特别是如果用户没有执行的话。 还要注意保存iptables规则,否则重启后会失效。用户可能之前已经执行过保存,但这里需要再次强调,避免遗漏。另外,检查规则是否存在,确保配置正确。 可能的风险点包括:如果用户错误配置了默认策略,或者没有允许必要的端口(比如回环接口lo),可能导致服务不可用。所以需要提醒他们允许本地通信,并确保其他必要服务如HTTP/HTTPS的端口也被允许。 最后,用户可能需要测试新配置是否生效,建议他们从另一个会话测试,避免被锁在外面。如果有问题,可能需要通过控制台恢复设置,这也是为什么提醒保持现有连接的重要性。</think>以下是在CentOS 7中将iptables默认规则设置为拒绝并保持SSH 2022端口开放的完整操作流程: ```bash # 1. 清空现有规则(危险操作!必须保持当前SSH连接不中断) sudo iptables -F # 2. 设置默认策略(必须先设置INPUT再设置OUTPUT) sudo iptables -P INPUT DROP # 默认拒绝所有入站 sudo iptables -P FORWARD DROP # 默认拒绝所有转发 sudo iptables -P OUTPUT ACCEPT # 通常允许所有出站 # 3. 允许本地回环接口(必须保留) sudo iptables -A INPUT -i lo -j ACCEPT # 4. 允许已建立的连接(保持现有会话) sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # 5. 开放SSH 2022端口 sudo iptables -A INPUT -p tcp --dport 2022 -j ACCEPT # 6. 保存配置(关键步骤) sudo service iptables save # 7. 重启服务生效 sudo systemctl restart iptables # 验证命令 sudo iptables -L -v --line-numbers ``` 重要安全建议: 1. **操作前必须保持现有SSH连接不中断**,建议通过物理控制台操作 2. 若需开放其他端口(如HTTP 80/443),需在步骤5后追加: ```bash sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT ``` 3. ICMP协议处理建议: ```bash sudo iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT # 允许ping sudo iptables -A INPUT -p icmp -j DROP # 拒绝其他ICMP类型 ``` 效果验证: ```bash # 查看当前策略 $ sudo iptables -S | grep POLICY -P INPUT DROP -P FORWARD DROP -P OUTPUT ACCEPT # 检查SSH规则 $ sudo iptables -L INPUT -n --line-numbers Chain INPUT (policy DROP) num target prot opt source destination 1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 3 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2022 ```
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值