如果远程服务器上正在运行的sshd,那么就有可能通过ssh来“隧道连通”某些服务。这个功能也许很有用,例如可对POP或者SMTP连接进行加密,即使该软件不直接支持加密通信。隧道是使用端口转发来创建客户端和服务器之间的连接。客户端软件必须能够指定一个非标准的端口来连接,才能令其正常工作。
-L option, which allow the user to forward connections from local to remote
-R option, which allow the user to forward connections from remote to local
-D option, which permits dynamic port forwarding
-f option, which instructs ssh to put itself in the background after authentication.
-g option, which permits other hosts to use port forwards
使用语法和基本范例:
语法格式:[ -D | -L | -R ]
[ 帮定地址: ] 转发端口 [ : 主机 : 主机端口 ]
[ bind_address: ] port [ : host : hostport ]
-D [bind_address:]port 动态正向代理转发
-L [bind_address:]port:host:hostport 本地正向转发
-R [bind_address:]port:host:hostport 远端反向转发
注意: 请指定大于1024的监听端口,在Linux系统只有root才有权限指定小于1024的端口。
其他常用参数:
-f Requests ssh to go to background just before command execution.
-g Allows remote hosts to connect to local forwarded ports.
-N Do not execute a remote command. 转发端口专用参数(protocol version 2 only).
简单用例:
建立连线到远端server,并正向转发本地的8080端口到远端主机的localhost的80端口:
# ssh jason@server -N -g -L 8080:localhost:80;#连接之后在前端运行;
# ssh jason@server -N -g -L 8080:localhost:80 -f;#连接之后转入后端运行;
建立连线到远端server,并反向转发远端的8080端口到本地主机(localhost)的80端口:
# ssh jason@server -N -g -R 8080:localhost:80;#连接之后在前端运行;
# ssh jason@server -N -g -R 8080:localhost:80 -f;#连接之后转入后端运行;
主机[host]其实可以是任何地址,只要主机能连接到该host及其hostport即可,例如:
# ssh jason@server -N -g -R 8080:www.google.com:80
# ssh jason@server -N -g -R 8080:www.yahoo.com:80
以上范例使用80端口是为了方便测试,请访问相应主机的转发监听端口进行测试:
http://localhost:8080/# 这是正向转发范例的测试;
http://server:8080/# 这是反向转发范例的测试;
如下是一个动态代理转发的使用例子:
# ssh -g -D 8888 root@server;
然后可在浏览器里(如firefox)设置使用此socks5代理:127.0.0.1:8888
注:动态代理转发属于正向转发,默认监听本地的所有绑定地址,也可自行指定地址。
ssh -D 动态正向代理转发(Local->Remote)
_______ ________
| | ssh | |
| Local | ====================================> | Remote |
| Host | hostport -----------------> | Server |
|_______| 8888 (secure channel) |________|
通过ssh连线到远端主机:
-D [bind_address:]port
-D [bind_address:]port
Specifies a local “dynamic” application-level port forwarding. This works by
allocating a socket to listen to port on the local side, optionally bound to
the specified bind_address. Whenever a connection is made to this port, the
connection is forwarded over the secure channel, and the application protocol
is then used to determine where to connect to from the remote machine. Cur‐
rently the SOCKS4 and SOCKS5 protocols are supported, and ssh will act as a
SOCKS server. Only root can forward privileged ports. Dynamic port forward‐
ings can also be specified in the configuration file.
IPv6 addresses can be specified by enclosing the address in square brackets.
Only the superuser can forward privileged ports. By default, the local port is
bound in accordance with the GatewayPorts setting. However, an explicit
bind_address may be used to bind the connection to a specific address. The
bind_address of “localhost” indicates that the listening port be bound for
local use only, while an empty address or ‘*’ indicates that the port should be
available from all interfaces.
如下是一个动态代理转发的操作范例:
L: 127.0.0.1/192.168.56.1
R: 192.168.56.101
L# ssh -g -D 8888 root@192.168.56.101;
# netstat -nlt | grep 8888;
------------------------------------------------------------------------------
tcp 0 0 0.0.0.0:8888 0.0.0.0:* LISTEN
------------------------------------------------------------------------------
然后,您就可以在您的浏览器里(如firefox)设置使用这个socks5代理了,使用设置为:
127.0.0.1:8888
注:动态代理转发也属于正向转发,而且默认监听本地的所有绑定地址,也可自行指定地址。