SSH Tunneling And Reverse SSH Tunnel
2013-04-22 15:57:01 
阿炯
SSH Port Forwarding
syntax:
ssh -L localport:host:hostport user@ssh_server -N
where:
-L - port forwarding parameters (see below)
localport - local port (chose a port that is not in use by other service)
host - server that has the port (hostport) that you want to forward
hostport - remote port
-N - do not execute a remote command, (you will not have the shell, see below)
user - user that have ssh access to the ssh server (computer)
ssh_server - the ssh server that will be used for forwarding/tunneling
Without the -N option you will have not only the forwardig port but also the remote shell. Try with and without it to see the difference.
Note:
1. Privileged ports (localport lower then 1024) can only be forwarded by root.
2. In the ssh line you can use multiple -L like in the example...
3. Of course, you must have ssh user access on secure_computer and moreover the secure computer must have access to host:hostport
4. Some ssh servers do not allow port forwarding (tunneling). See the sshd man pages for more about port forwarding (the AllowTcpForwarding keyword is set to NO in sshd_config file, by default is set to YES)...
Example:
ssh -L 8888:www.freeoa.net:80 user@computer -N
ssh -L 8888:www.freeoa.net:80 -L 110:mail.freeoa.net:110 25:mail.freeoa.net:25 user@computer -N
The second example (see above) show you how to setup your ssh tunnel for web, pop3and smtp. It is useful to recive/send your e-mails when you don't have direct access to the mail server.
For the ASCII art and lynx browser fans here is illustrated the first example:
+----------+<--port 22-->+----------+<--port 80-->o-----------+
|SSH Client|-------------|ssh_server|-------------| host |
+----------+ +----------+ o-----------+
localhost:8888 computer www.freeoa.net:80
...And finally:
Open your browser and go to http://localhost:8888 to see if your tunnel is working.
The SSH man pages say:
-L port:host:hostport
Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side. This works by allocating a socket to listen to port on the local side, and whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the remote machine. Port forwardings can also be specified in the configuration file. Only root can forward privileged ports. IPv6 addresses can be specified with an alternative syntax: port/host/hostport
-N Do not execute a remote command. This is useful for just forwarding ports (protocol version 2 only).
关于'Tunneling protocol'
...
Secure shell tunneling
A secure shell (SSH) tunnel consists of an encrypted tunnel created through a SSH protocol connection. Users may set up SSH tunnels to transfer unencrypted traffic over a network through an encrypted channel. For example, Microsoft Windows machines can share files using the Server Message Block (SMB) protocol, a non-encrypted protocol. If one were to mount a Microsoft Windows file-system remotely through the Internet, someone snooping on the connection could see transferred files. To mount the Windows file-system securely, one can establish a SSH tunnel that routes all SMB traffic to the remote fileserver through an encrypted channel. Even though the SMB protocol itself contains no encryption, the encrypted SSH channel through which it travels offers security.
Reverse ssh tunnel
To set up an SSH tunnel, one configures an SSH client to forward a specified local port to a port on the remote machine. Once the SSH tunnel has been established, the user can connect to the specified local port to access the network service. The local port need not have the same port number as the remote port.
SSH tunnels provide a means to bypass firewalls that prohibit certain Internet services — so long as a site allows outgoing connections. For example, an organization may prohibit a user from accessing Internet web pages (port 80) directly without passing through the organization's proxy filter (which provides the organization with a means of monitoring and controlling what the user sees through the web). But users may not wish to have their web traffic monitored or blocked by the organization's proxy filter. If users can connect to an external SSH server, they can create a SSH tunnel to forward a given port on their local machine to port 80 on a remote web-server. To access the remote web-server, users would point their browser to the local port at http://localhost/.
Some SSH clients support dynamic port forwarding that allows the user to create a SOCKS 4/5 proxy. In this case users can configure their applications to use their local SOCKS proxy server. This gives more flexibility than creating a SSH tunnel to a single port as previously described. SOCKS can free the user from the limitations of connecting only to a predefined remote port and server. If an application doesn't support SOCKS, one can use a "socksifier" to redirect the application to the local SOCKS proxy server. Some "socksifiers" support SSH directly, thus avoiding the need for a SSH client.
...
关于ssh 重连机制
当已经建立好连接的ssh在一定时间内不在有流量经过时,服务器或客户端就会退出连接,这时就需要重新连接了,这会为日常的操作带来一些不便,有没有办法让连接不中断呢?本站的讲到处理这一现象的文章:SSH超时断开连接的解决办法
可为本文的内容提供一些参考,当然下面就介绍适合本文的处理方法。我们称这种机制为自动重连。
在普通用户下开启tunnel:
su comuser -c 'autossh -N -f -M 29001 -R 8081:localhost:80 remote_host' &
1、使用'autossh'工具来maintaining the tunnel
The following will create a port forwarding ssh tunnel between localhost and my.linuxbox.at.home.
When connecting to my.linuxbox.at.home:8081, the request will be sent to localhost:80. This is good for making a webpage behind a corporate firewall viewable to the outside world.
autossh -M29001 -f -R 8081:localhost:80 my.linuxbox.at.home
|______||_||_||___||________|__|__________________|
| | | | | | `---The box we are connecting to. Must be running sshd.
| | | | | |
| | | | | `--------------The port on localhost we want to access from my.linuxbox.at.home
| | | | |
| | | | `---------------------The host where the forward will go, relative
| | | | to the box initiating the tunnel; i.e., localhost
| | | | means the box where this command is run.
| | | |
| | | `----------------------------This is the port my.linuxbox.at.home listens
| | | on to forward through the tunnel
| | |
| | `--------------------------------Tells ssh to forward from the remote
| | host to the local host
| |
| `-----------------------------------Causes autossh to drop into the background before execution
`-----------------------------------------Use this monitoring port (must be above 1024 and not currently in use)
You may need to add a -N to the ssh options. You may also want to add -q.
autossh -M 29001 -q -f -N -R 8081:localhost:80 my.linuxbox.at.home
Without them, the -f option complains that it needs a command to fork and will just quit. -N says no command and -q says be quiet. Also if you would like to have a special key with no passphrase you can generate one and then use it via the -i option for ssh.
当然最好使用'key'方式来登录,输入密码的方式在这里就不怎么适用了,请参考:ssh自动登录配置
2、Using OpenSSH's built in connection monitoring
The newer versions of OpenSSH have their own method of checking if the connection is still alive. You can enable this by setting the ServerAliveInterval and ServerAliveCountMax options (either in your ssh_config file or on the command line). For example:
autossh -M 0 -q -f -N -o "ServerAliveInterval 60" -o "ServerAliveCountMax 3" -R 8081:localhost:80 my.linuxbox.at.home
The above command will make ssh send a keep-alive request if no other data has been sent for 60 seconds, if it doesn't receive a reply after 3 attempts it will close the connection. autossh will then detect its been closed and attempt re-establish it.
The "-M 0" option disables autossh's own monitoring which uses separate ports and is less reliable.
Note: this only works with SSH protocol version 2, which is usually enabled by default anyway (because version 1 has security flaws
ssh还可以建立主机之间的网络隧道,尤其是可以提供SOCKS代理(ssh -D)。但用ssh命令建立的隧道可能会受网络的影响而中断,不能为用户提供持续的服务。
autossh正好是解决上述问题的工具:为用户提供可靠的ssh隧道服务。
autossh对ssh隧道的监控则更加有效。首先,在开始执行时,autossh首先创建ssh子进程,建立隧道。同时autossh作为父进程,随时监控ssh进程是否退出,一旦退出则立即启动新的ssh隧道。其次,autossh还会定期检查ssh隧道是否能够正确传输数据,如发现隧道无法响应,也会强制重启ssh,建立新的ssh隧道。
参考来源:http://en.wikipedia.org/wiki/Tunneling_protocol
参考来源:http://www.freeoa.net/ssh-tunnel.html
syntax:
ssh -L localport:host:hostport user@ssh_server -N
where:
-L - port forwarding parameters (see below)
localport - local port (chose a port that is not in use by other service)
host - server that has the port (hostport) that you want to forward
hostport - remote port
-N - do not execute a remote command, (you will not have the shell, see below)
user - user that have ssh access to the ssh server (computer)
ssh_server - the ssh server that will be used for forwarding/tunneling
Without the -N option you will have not only the forwardig port but also the remote shell. Try with and without it to see the difference.
Note:
1. Privileged ports (localport lower then 1024) can only be forwarded by root.
2. In the ssh line you can use multiple -L like in the example...
3. Of course, you must have ssh user access on secure_computer and moreover the secure computer must have access to host:hostport
4. Some ssh servers do not allow port forwarding (tunneling). See the sshd man pages for more about port forwarding (the AllowTcpForwarding keyword is set to NO in sshd_config file, by default is set to YES)...
Example:
ssh -L 8888:www.freeoa.net:80 user@computer -N
ssh -L 8888:www.freeoa.net:80 -L 110:mail.freeoa.net:110 25:mail.freeoa.net:25 user@computer -N
The second example (see above) show you how to setup your ssh tunnel for web, pop3and smtp. It is useful to recive/send your e-mails when you don't have direct access to the mail server.
For the ASCII art and lynx browser fans here is illustrated the first example:
+----------+<--port 22-->+----------+<--port 80-->o-----------+
|SSH Client|-------------|ssh_server|-------------| host |
+----------+ +----------+ o-----------+
localhost:8888 computer www.freeoa.net:80
...And finally:
Open your browser and go to http://localhost:8888 to see if your tunnel is working.
The SSH man pages say:
-L port:host:hostport
Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side. This works by allocating a socket to listen to port on the local side, and whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the remote machine. Port forwardings can also be specified in the configuration file. Only root can forward privileged ports. IPv6 addresses can be specified with an alternative syntax: port/host/hostport
-N Do not execute a remote command. This is useful for just forwarding ports (protocol version 2 only).
关于'Tunneling protocol'
...
Secure shell tunneling
A secure shell (SSH) tunnel consists of an encrypted tunnel created through a SSH protocol connection. Users may set up SSH tunnels to transfer unencrypted traffic over a network through an encrypted channel. For example, Microsoft Windows machines can share files using the Server Message Block (SMB) protocol, a non-encrypted protocol. If one were to mount a Microsoft Windows file-system remotely through the Internet, someone snooping on the connection could see transferred files. To mount the Windows file-system securely, one can establish a SSH tunnel that routes all SMB traffic to the remote fileserver through an encrypted channel. Even though the SMB protocol itself contains no encryption, the encrypted SSH channel through which it travels offers security.
Reverse ssh tunnel
To set up an SSH tunnel, one configures an SSH client to forward a specified local port to a port on the remote machine. Once the SSH tunnel has been established, the user can connect to the specified local port to access the network service. The local port need not have the same port number as the remote port.
SSH tunnels provide a means to bypass firewalls that prohibit certain Internet services — so long as a site allows outgoing connections. For example, an organization may prohibit a user from accessing Internet web pages (port 80) directly without passing through the organization's proxy filter (which provides the organization with a means of monitoring and controlling what the user sees through the web). But users may not wish to have their web traffic monitored or blocked by the organization's proxy filter. If users can connect to an external SSH server, they can create a SSH tunnel to forward a given port on their local machine to port 80 on a remote web-server. To access the remote web-server, users would point their browser to the local port at http://localhost/.
Some SSH clients support dynamic port forwarding that allows the user to create a SOCKS 4/5 proxy. In this case users can configure their applications to use their local SOCKS proxy server. This gives more flexibility than creating a SSH tunnel to a single port as previously described. SOCKS can free the user from the limitations of connecting only to a predefined remote port and server. If an application doesn't support SOCKS, one can use a "socksifier" to redirect the application to the local SOCKS proxy server. Some "socksifiers" support SSH directly, thus avoiding the need for a SSH client.
...
关于ssh 重连机制
当已经建立好连接的ssh在一定时间内不在有流量经过时,服务器或客户端就会退出连接,这时就需要重新连接了,这会为日常的操作带来一些不便,有没有办法让连接不中断呢?本站的讲到处理这一现象的文章:SSH超时断开连接的解决办法
可为本文的内容提供一些参考,当然下面就介绍适合本文的处理方法。我们称这种机制为自动重连。
在普通用户下开启tunnel:
su comuser -c 'autossh -N -f -M 29001 -R 8081:localhost:80 remote_host' &
1、使用'autossh'工具来maintaining the tunnel
The following will create a port forwarding ssh tunnel between localhost and my.linuxbox.at.home.
When connecting to my.linuxbox.at.home:8081, the request will be sent to localhost:80. This is good for making a webpage behind a corporate firewall viewable to the outside world.
autossh -M29001 -f -R 8081:localhost:80 my.linuxbox.at.home
|______||_||_||___||________|__|__________________|
| | | | | | `---The box we are connecting to. Must be running sshd.
| | | | | |
| | | | | `--------------The port on localhost we want to access from my.linuxbox.at.home
| | | | |
| | | | `---------------------The host where the forward will go, relative
| | | | to the box initiating the tunnel; i.e., localhost
| | | | means the box where this command is run.
| | | |
| | | `----------------------------This is the port my.linuxbox.at.home listens
| | | on to forward through the tunnel
| | |
| | `--------------------------------Tells ssh to forward from the remote
| | host to the local host
| |
| `-----------------------------------Causes autossh to drop into the background before execution
`-----------------------------------------Use this monitoring port (must be above 1024 and not currently in use)
You may need to add a -N to the ssh options. You may also want to add -q.
autossh -M 29001 -q -f -N -R 8081:localhost:80 my.linuxbox.at.home
Without them, the -f option complains that it needs a command to fork and will just quit. -N says no command and -q says be quiet. Also if you would like to have a special key with no passphrase you can generate one and then use it via the -i option for ssh.
当然最好使用'key'方式来登录,输入密码的方式在这里就不怎么适用了,请参考:ssh自动登录配置
2、Using OpenSSH's built in connection monitoring
The newer versions of OpenSSH have their own method of checking if the connection is still alive. You can enable this by setting the ServerAliveInterval and ServerAliveCountMax options (either in your ssh_config file or on the command line). For example:
autossh -M 0 -q -f -N -o "ServerAliveInterval 60" -o "ServerAliveCountMax 3" -R 8081:localhost:80 my.linuxbox.at.home
The above command will make ssh send a keep-alive request if no other data has been sent for 60 seconds, if it doesn't receive a reply after 3 attempts it will close the connection. autossh will then detect its been closed and attempt re-establish it.
The "-M 0" option disables autossh's own monitoring which uses separate ports and is less reliable.
Note: this only works with SSH protocol version 2, which is usually enabled by default anyway (because version 1 has security flaws
ssh还可以建立主机之间的网络隧道,尤其是可以提供SOCKS代理(ssh -D)。但用ssh命令建立的隧道可能会受网络的影响而中断,不能为用户提供持续的服务。
autossh正好是解决上述问题的工具:为用户提供可靠的ssh隧道服务。
autossh对ssh隧道的监控则更加有效。首先,在开始执行时,autossh首先创建ssh子进程,建立隧道。同时autossh作为父进程,随时监控ssh进程是否退出,一旦退出则立即启动新的ssh隧道。其次,autossh还会定期检查ssh隧道是否能够正确传输数据,如发现隧道无法响应,也会强制重启ssh,建立新的ssh隧道。
参考来源:http://en.wikipedia.org/wiki/Tunneling_protocol
参考来源:http://www.freeoa.net/ssh-tunnel.html