ssh端口转发
  8FFsoXRpcNzh 2023年11月02日 37 0

ssh端口转发介绍

SSH(Secure Shell)是一种加密的网络协议,用于安全地远程登录和执行命令。除了远程登录外,SSH还具备其他功能,其中一个重要的功能就是端口转发。SSH端口转发是一种将网络流量从一个端口转发到另一个端口的机制,通过SSH通道进行安全传输。在本文中,我们将详细介绍SSH端口转发的概念、类型和用途。

0.环境准备

ssh端口转发_linux


[root@client ~]# nmcli con add con-name static-ens4 ifname ens4 type ethernet ipv4.address 1.1.1.1/24 ipv4.method man
Connection 'static-ens4' (5511e927-ad24-4a51-b787-4d1a7c6b8783) successfully added.
[root@client ~]# nmcli con up static-ens4
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/21)
[root@client ~]# ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:50:00:00:03:00 brd ff:ff:ff:ff:ff:ff
    altname enp0s3
    inet 192.168.1.15/24 brd 192.168.1.255 scope global dynamic noprefixroute ens3
       valid_lft 604259sec preferred_lft 604259sec
    inet6 2409:8a00:7980:4750:250:ff:fe00:300/64 scope global dynamic noprefixroute 
       valid_lft 258661sec preferred_lft 172261sec
    inet6 fe80::250:ff:fe00:300/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: ens4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:50:00:00:03:01 brd ff:ff:ff:ff:ff:ff
    altname enp0s4
    inet 1.1.1.1/24 brd 1.1.1.255 scope global noprefixroute ens4
       valid_lft forever preferred_lft forever
    inet6 fe80::cf12:1f46:5d3f:7471/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
4: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:50:00:00:03:02 brd ff:ff:ff:ff:ff:ff
    altname enp0s5
    inet6 fe80::250:ff:fe00:302/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
5: ens6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:50:00:00:03:03 brd ff:ff:ff:ff:ff:ff
    altname enp0s6
    inet6 fe80::250:ff:fe00:303/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
       
#jump
[root@jump ~]# nmcli con add con-name static-ens4 ifname ens4 type ethernet ipv4.address 1.1.1.2/24 ipv4.method man
Connection 'static-ens4' (f2804511-b2e6-4443-a6f6-c00ba9bae307) successfully added.
[root@jump ~]# nmcli con add con-name static-ens5 ifname ens5 type ethernet ipv4.address 2.2.2.1/24 ipv4.method man
Connection 'static-ens5' (ef781136-9f04-4cb5-b09f-bfd1911b6cf3) successfully added.
[root@jump ~]# nmcli con up static-ens4
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/27)
[root@jump ~]# nmcli con up static-ens5
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/28)
[root@jump ~]# ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:50:00:00:02:00 brd ff:ff:ff:ff:ff:ff
    altname enp0s3
    inet 192.168.1.16/24 brd 192.168.1.255 scope global dynamic noprefixroute ens3
       valid_lft 604177sec preferred_lft 604177sec
    inet6 2409:8a00:7980:4750:250:ff:fe00:200/64 scope global dynamic noprefixroute 
       valid_lft 258573sec preferred_lft 172173sec
    inet6 fe80::250:ff:fe00:200/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: ens4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:50:00:00:02:01 brd ff:ff:ff:ff:ff:ff
    altname enp0s4
    inet 1.1.1.2/24 brd 1.1.1.255 scope global noprefixroute ens4
       valid_lft forever preferred_lft forever
    inet6 fe80::dc5c:7926:96ad:32b2/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
4: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:50:00:00:02:02 brd ff:ff:ff:ff:ff:ff
    altname enp0s5
    inet 2.2.2.1/24 brd 2.2.2.255 scope global noprefixroute ens5
       valid_lft forever preferred_lft forever
    inet6 fe80::26f5:7f4c:26ae:79db/64 scope link tentative noprefixroute 
       valid_lft forever preferred_lft forever
5: ens6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:50:00:00:02:03 brd ff:ff:ff:ff:ff:ff
    altname enp0s6
    inet6 fe80::250:ff:fe00:203/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
#web
[root@web ~]# nmcli con add con-name static-ens4 ifname ens4 type ethernet ipv4.address 2.2.2.2/24 ipv4.method man
Connection 'static-ens4' (b69bfeee-63c2-469c-a830-0870ddf5c363) successfully added.
[root@web ~]# nmcli con up static-ens4
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/29)
[root@web ~]# ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:50:00:00:01:00 brd ff:ff:ff:ff:ff:ff
    altname enp0s3
    inet 192.168.1.17/24 brd 192.168.1.255 scope global dynamic noprefixroute ens3
       valid_lft 604079sec preferred_lft 604079sec
    inet6 2409:8a00:7980:4750:250:ff:fe00:100/64 scope global dynamic noprefixroute 
       valid_lft 259117sec preferred_lft 172717sec
    inet6 fe80::250:ff:fe00:100/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: ens4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:50:00:00:01:01 brd ff:ff:ff:ff:ff:ff
    altname enp0s4
    inet 2.2.2.2/24 brd 2.2.2.255 scope global noprefixroute ens4
       valid_lft forever preferred_lft forever
    inet6 fe80::ca4f:24b6:f142:a0db/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
4: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:50:00:00:01:02 brd ff:ff:ff:ff:ff:ff
    altname enp0s5
5: ens6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:50:00:00:01:03 brd ff:ff:ff:ff:ff:ff
    altname enp0s6
# Install nginx and publish a one-line test page; the tunnel examples on this page are checked by fetching it with curl.
[root@web ~]# yum -y install nginx
[root@web ~]# echo "gby cs" > /usr/share/nginx/html/index.html 
[root@web ~]# systemctl enable nginx --now
Created symlink /etc/systemd/system/multi-user.target.wants/nginx.service → /usr/lib/systemd/system/nginx.service.
# NOTE(review): this stops firewalld entirely instead of opening only HTTP. Outside a lab, prefer
# firewall-cmd --permanent --add-service=http && firewall-cmd --reload
# Port 80 only has to be reachable from other hosts for the examples that target 2.2.2.2:80;
# the example that forwards to 127.0.0.1:80 over SSH reaches nginx through the web host's loopback.
[root@web ~]# systemctl stop firewalld
# Local check that nginx serves the test page.
[root@web ~]# curl 127.0.0.1
gby cs

1. 本地静态端口转发(ssh正向代理)

ssh端口转发_linux_02

[root@jump ~]# ssh -L 8080:127.0.0.1:80 root@2.2.2.2
[root@jump ~]# curl 127.0.0.1:8080
gby cs


#把ssh扔到后台:-f 认证成功后转入后台运行,-N 不执行远程命令(只做转发),-C 压缩传输,-L 本地端口转发
[root@jump ~]# ssh -fNCL 8080:127.0.0.1:80 root@2.2.2.2
[root@jump ~]# curl 127.0.0.1:8080
gby cs

2. 远程端口静态转发(ssh正向代理;注意:命令使用的仍是 -L 本地转发,只是转发目标换成了经跳板机可达的另一台主机 2.2.2.2)

ssh端口转发_端口咋转发_03

[root@client ~]# ssh -L 8080:2.2.2.2:80 root@1.1.1.2
[root@client ~]# curl 127.0.0.1:8080
gby cs

#把ssh扔到后台(注意:SSH 只加密 client 到 jump 这一段,jump 到 2.2.2.2:80 之间仍是明文 HTTP)
[root@client ~]# ssh -fNCL 8080:2.2.2.2:80 root@1.1.1.2
[root@client ~]# curl 127.0.0.1:8080
gby cs

3. 远程端口静态转发(ssh反向代理)

ssh端口转发_端口咋转发_04

[root@jump ~]# ssh -R 8080:2.2.2.2:80 root@1.1.1.1
[root@client ~]# curl 127.0.0.1:8080
gby cs
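#花生壳、todesk、frp原理类似:都是由内网一侧主动向外发起连接,再把内网服务暴露给对端
#-R 的监听端口默认只绑定在对端(这里是 client)的回环地址上;对端 sshd 可用 AllowTcpForwarding、GatewayPorts、PermitListen 限制这类转发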
#把ssh扔到后台
[root@jump ~]# ssh -fNCR 8080:2.2.2.2:80 root@1.1.1.1
[root@client ~]# curl 127.0.0.1:8080
gby cs

4. 动态端口转发(ssh SOCKS5)

ssh端口转发_linux_05

[root@client ~]# ssh -D 192.168.1.15:8080 root@1.1.1.2
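但是验证的话得用支持 SOCKS 的工具,最好用crt或者其他客户端去做这个操作;命令行下也可以用 curl --socks5 192.168.1.15:8080 http://2.2.2.2 验证。
注意:这里把 SOCKS 监听绑定在了网卡地址 192.168.1.15 上,而 ssh -D 提供的代理没有认证,同网段的任何主机都能借它访问 jump 后面的网络;如果只是本机使用,应绑定到 127.0.0.1。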

##把ssh扔到后台
[root@client ~]# ssh -fNCD 192.168.1.15:8080 root@1.1.1.2

5. 服务启动端口转发

[root@client ~]# cat /usr/lib/systemd/system/sshd-agent.service
# Starts an SSH local-forward tunnel at service start:
# client 127.0.0.1:8080 -> jump (root@1.1.1.2) -> 2.2.2.2:80.
# NOTE(review): despite the unit name and Description, this runs an ssh *client* tunnel,
# not sshd and not ssh-agent; a name that says "tunnel" would be less misleading.
# NOTE(review): the page places this file under /usr/lib/systemd/system, the package-owned
# directory; /etc/systemd/system is the usual location for locally written units.
[Unit]
Description=OpenSSH agent
# NOTE(review): network.target does not by itself guarantee that 1.1.1.2 is reachable yet;
# network-online.target may be needed - verify on the target system.
After=network.target

[Service]
# ssh -f puts itself in the background after authentication, which matches Type=forking.
Type=forking
# Flags: -f background, -N no remote command (forwarding only), -C compression, -L local forward.
# No User= is set, so this ssh client runs as root and logs in as root on the jump host.
# NOTE(review): systemd provides no terminal for a password prompt, so this presumably relies on
# key-based login for root@1.1.1.2 - the key setup is not shown on the page; confirm.
# NOTE(review): without -o ExitOnForwardFailure=yes, ssh keeps running even when port 8080
# cannot be bound, so the unit can look active with no working tunnel.
# No Restart= is configured: if the tunnel drops it stays down until restarted by hand.
ExecStart=/bin/sh -c '/usr/bin/ssh -fNCL 8080:2.2.2.2:80 root@1.1.1.2'

# Only takes effect after "systemctl enable"; the page only runs "systemctl start",
# so as shown the tunnel is not started at boot.
[Install]
WantedBy=multi-user.target
[root@client ~]# systemctl daemon-reload
[root@client ~]# systemctl start sshd-agent
[root@client ~]# curl 127.0.0.1:8080
gby cs

结束之有话想说

既然申请完https证书之后,就赶紧配置你的网站去吧骚年。👊
