This post was last edited by sailyang on 2020-10-9 16:18
Suppose there are two servers, client1 and client2, that cannot talk to each other directly but can both reach a third server, fuyang2. By building an SSH tunnel across client1, client2 and fuyang2 we can let client1 and client2 communicate through it. (In the walkthrough below the two endpoints are called fuyang and new2, and the intermediate host is fuyang2.)
SSH port forwarding comes in three forms: local forwarding, remote forwarding and dynamic forwarding.
1. Preparation
Goal: fuyang can reach fuyang2 but cannot reach new2 directly; fuyang2 can reach new2. fuyang then reaches new2 indirectly through port forwarding on fuyang2.
1.1 Server IPs:
Server fuyang: 218.22.116.206
Server new2: 218.22.116.205
Server fuyang2: 218.22.116.210
1.2 Connectivity between the servers
Server fuyang:

    # can reach new2
    [root@fuyang ~]# telnet 218.22.116.205 22
    Trying 218.22.116.205...
    Connected to 218.22.116.205.
    Escape character is '^]'.
    SSH-2.0-OpenSSH_7.4

    # can reach fuyang2
    [root@fuyang ~]# telnet 218.22.116.210 22
    Trying 218.22.116.210...
    Connected to 218.22.116.210.
    Escape character is '^]'.
    SSH-2.0-OpenSSH_7.4

Server fuyang2:

    # can reach fuyang
    [root@fuyang2 ~]# telnet 218.22.116.206 22
    Trying 218.22.116.206...
    Connected to 218.22.116.206.
    Escape character is '^]'.
    SSH-2.0-OpenSSH_7.4

Note that this check targets 218.22.116.206, which is fuyang, not new2 (218.22.116.205); the post does not show the equivalent telnet from fuyang2 to new2, but the forwarded logins in section 2 only succeed because fuyang2 can reach new2:22.

Now add a firewall rule on new2 that drops traffic from fuyang, and reload firewalld:

    [root@new2 ~]# firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address="218.22.116.206" drop'
    success
    [root@new2 ~]# firewall-cmd --reload
    success

Log in to fuyang and run telnet 218.22.116.205 22 again: there is no response, so the drop rule is in effect.
Now fuyang cannot reach new2 directly, fuyang can reach fuyang2, and fuyang2 can reach new2.
2. Configuring port forwarding
2.1 Local forwarding
Command: -L localport:remotehost:remotehostport sshserver
Where:
localport: the port opened on the local machine (the one running the ssh command)
remotehost: the IP of the final destination, as seen from sshserver
remotehostport: the port on the final destination (remotehost), not on the forwarding machine
sshserver: the intermediate SSH server that performs the forwarding
Run the forward on fuyang (the post shows only the template comment and the resulting login on fuyang2; the concrete command follows the template with local port 9001):

    # ssh -L fuyang-local-port:new2-Server-Ip:new2-Server-Port fuyang2-Server-User@fuyang2-Server-Ip
    [root@fuyang ~]# ssh -L 9001:218.22.116.205:22 root@218.22.116.210
    root@218.22.116.210's password:
    Last failed login: Thu Oct 8 19:29:00 CST 2020 from 61.135.223.109 on ssh:notty
    There were 8 failed login attempts since the last successful login.
    Last login: Thu Oct 8 19:26:38 2020 from 218.22.116.206
    [root@fuyang2 ~]#

This session gives a shell on fuyang2 and keeps the tunnel open only for as long as that shell lasts; add -fN, as in the -R example below, to hold the tunnel in the background without a shell. Open a new window on fuyang and connect to the local port (the command is implied by the prompts that follow):

    [root@fuyang ~]# ssh -p 9001 root@127.0.0.1
    The authenticity of host '[127.0.0.1]:9001 ([127.0.0.1]:9001)' can't be established.
    ECDSA key fingerprint is SHA256:huOuuKbfM9TN6+rpCMjB2Hk0HI4GSF1WCj7gIVyu48I.
    ECDSA key fingerprint is MD5:0f:55:88:04:62:82:fc:8b:6a:f5:9e:5c:56:e1:0b:cc.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '[127.0.0.1]:9001' (ECDSA) to the list of known hosts.
    root@127.0.0.1's password:
    Last failed login: Thu Oct 8 19:29:28 CST 2020 from 213.154.70.102 on ssh:notty
    There were 832 failed login attempts since the last successful login.
    Last login: Thu Oct 8 18:41:46 2020 from 218.22.116.206
    [root@new2 ~]#

As the prompt shows, the new window that connected to port 9001 has landed on new2. Note that the host key offered on 127.0.0.1:9001 is new2's own key (the same fingerprint appears again on 127.0.0.1:9100 in the next section), but it is recorded in known_hosts under the tunnel endpoint rather than under new2; pass -o HostKeyAlias=new2 so the key is always checked against one entry for new2, whichever local port the tunnel happens to use.
2.2 Remote forwarding
Command: -R sshserverport:remotehost:remotehostport sshserver
Where:
sshserverport: the port opened on sshserver (the machine being connected to)
remotehost: the IP of the final destination, as seen from the machine running the ssh command
remotehostport: the port on the final destination (remotehost)
sshserver: the SSH server on which the listening port is created

    # start the forward on fuyang2
    # ssh -R fuyang-Server-Port:new2-Server-Ip:new2-Server-Port -fN fuyang-Server-Ip
    [root@fuyang2 ~]# ssh -R 9100:218.22.116.205:22 -fN 218.22.116.206
    root@218.22.116.206's password:
    [root@fuyang2 ~]#

    # on fuyang, check for the port 9100 opened by the remote forward
    [root@fuyang ~]# ss -ntl
    State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
    LISTEN     0      128    *:27017              *:*
    LISTEN     0      511    *:6379               *:*
    LISTEN     0      128    *:9100               *:*
    LISTEN     0      128    *:111                *:*
    LISTEN     0      128    *:4369               *:*
    LISTEN     0      128    *:22                 *:*
    LISTEN     0      80     :::3306              :::*
    LISTEN     0      511    :::6379              :::*
    LISTEN     0      128    :::111               :::*
    LISTEN     0      128    :::4369              :::*

    # connect to port 9100 and confirm it reaches new2
    [root@fuyang ~]# ssh -p 9100 root@127.0.0.1
    The authenticity of host '[127.0.0.1]:9100 ([127.0.0.1]:9100)' can't be established.
    ECDSA key fingerprint is SHA256:huOuuKbfM9TN6+rpCMjB2Hk0HI4GSF1WCj7gIVyu48I.
    ECDSA key fingerprint is MD5:0f:55:88:04:62:82:fc:8b:6a:f5:9e:5c:56:e1:0b:cc.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '[127.0.0.1]:9100' (ECDSA) to the list of known hosts.
    root@127.0.0.1's password:
    Last failed login: Fri Oct 9 11:28:02 CST 2020 from 61.7.235.211 on ssh:notty
    There were 3 failed login attempts since the last successful login.
    Last login: Fri Oct 9 11:26:16 2020 from 117.136.79.20
    [root@new2 ~]#

Remote forwarding is local forwarding in reverse: the listening port is opened on the SSH server (fuyang), and every connection to it is carried back over the SSH session to the client that set it up (fuyang2), which forwards it on to the specified destination IP and port (new2:22). One thing to notice in the ss output: the listener shows as *:9100, bound to every interface of fuyang. By default sshd binds -R listeners to loopback only (GatewayPorts no, which would show 127.0.0.1:9100), so fuyang's sshd must have GatewayPorts yes, and anyone who can reach fuyang's public address can now connect to new2's sshd through port 9100, sidestepping the drop rule configured on new2. Unless exposing the port to other hosts is the intent, keep GatewayPorts at no, or set it to clientspecified and bind explicitly with -R 127.0.0.1:9100:218.22.116.205:22.
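The ss listing is where the exposure of a forward shows up, so here is a small POSIX shell audit, added as an example and not part of the original post, that parses `ss -ntl` output and reports which forwarded ports (the 9001 of section 2.1 and the 9100 of section 2.2) are bound to a wildcard address instead of loopback. The sample input is the fuyang listing above with one constructed line for a loopback-bound 9001 added for contrast; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: audit `ss -ntl` output for
# SSH forward listeners that other hosts can connect to.

# Constructed sample: the `ss -ntl` listing from fuyang in the post, plus one
# made-up loopback-only line for the -L port 9001 so both cases appear.
SAMPLE_SS='State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      128    *:27017              *:*
LISTEN     0      511    *:6379               *:*
LISTEN     0      128    *:9100               *:*
LISTEN     0      128    127.0.0.1:9001       *:*
LISTEN     0      128    *:111                *:*
LISTEN     0      128    *:22                 *:*
LISTEN     0      80     :::3306              :::*
LISTEN     0      128    :::111               :::*'

# listen_addr SS_OUTPUT PORT
# Print the local address ss shows for a LISTEN socket on PORT (column 4
# with its trailing ":PORT" removed), or nothing if PORT is not listening.
listen_addr() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 == "LISTEN" {
            n = split($4, a, ":")
            if (a[n] != p) next
            addr = $4
            sub(":" a[n] "$", "", addr)
            print addr
            exit
        }'
}

# exposed_listeners SS_OUTPUT PORT...
# Print, one per line, each PORT whose listener is bound to a wildcard
# address (* or 0.0.0.0 for IPv4, :: or [::] for IPv6), i.e. one that other
# hosts can reach. Loopback-bound or absent ports print nothing.
exposed_listeners() {
    ss_out=$1
    shift
    for p in "$@"; do
        case "$(listen_addr "$ss_out" "$p")" in
            '*'|0.0.0.0|::|'[::]') printf '%s\n' "$p" ;;
        esac
    done
}

# Report on the two forward ports used in the post. Replace SAMPLE_SS with
# "$(ss -ntl)" to audit a live host.
for port in 9001 9100; do
    addr=$(listen_addr "$SAMPLE_SS" "$port")
    if [ -z "$addr" ]; then
        echo "port $port: not listening"
    elif [ -n "$(exposed_listeners "$SAMPLE_SS" "$port")" ]; then
        echo "port $port: bound to $addr, reachable from other hosts (check GatewayPorts / bind_address)"
    else
        echo "port $port: bound to $addr, local only"
    fi
done
```

Run on the sample this flags 9100 and accepts 9001; the same check is worth running on the jump host after every -L or -R is set up, since an unintended wildcard bind turns a private tunnel into a public door to the destination.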
2.3 Dynamic forwarding
Command: -D [localhost:]localport -fN sshserver
This opens a SOCKS proxy on localport (on loopback unless a bind address is given). Each connection made through the proxy is carried over the SSH session and leaves sshserver towards whatever destination the application asked for, so a single tunnel serves any host and port that sshserver can reach instead of one fixed destination per port.

    # on fuyang, close the existing ssh client sessions first
    [root@fuyang ~]# killall ssh
    [root@fuyang ~]# ssh -D 9200 -fN 218.22.116.210
    root@218.22.116.210's password: