If sshd is running on the remote server, it is possible to "tunnel" certain services through ssh. This can be useful, for example, to encrypt POP or SMTP connections even when the mail software itself does not support encrypted transport. The tunnel is created with port forwarding, which links the client and the server. For this to work, the client software must be able to connect to a non-standard port.
-L option, which allows the user to forward connections from local to remote
-R option, which allows the user to forward connections from remote to local
-D option, which permits dynamic port forwarding
-f option, which instructs ssh to put itself in the background after authentication.
-g option, which permits other hosts to use port forwards
─────────────────────────────────
Syntax and basic examples:
─────────────────────────────────
Syntax: [ -D | -L | -R ] [ bind_address: ] port [ : host : hostport ]
-D [bind_address:]port dynamic forward proxy
-L [bind_address:]port:host:hostport local forward
-R [bind_address:]port:host:hostport remote (reverse) forward
Note: use a listening port above 1023; on Linux only root may bind ports below 1024.
Other common options:
-f Requests ssh to go to background just before command execution.
-g Allows remote hosts to connect to local forwarded ports (the -L and -D listeners on the client; whether a -R listener on the server is reachable from other hosts is decided by the GatewayPorts setting in the server's sshd_config, not by -g).
-N Do not execute a remote command. Useful when the connection is only there to forward ports (protocol version 2 only).
Simple examples:
Connect to the remote server and forward local port 8080 to port 80 on the remote host's localhost (the host part is resolved and connected on the server side):
# ssh jason@server -N -g -L 8080:localhost:80    # stays in the foreground after connecting
# ssh jason@server -N -g -L 8080:localhost:80 -f # goes to the background after connecting
Connect to the remote server and reverse-forward remote port 8080 to port 80 on the local host (here the host part is resolved and connected on the client side):
# ssh jason@server -N -g -R 8080:localhost:80    # stays in the foreground after connecting
# ssh jason@server -N -g -R 8080:localhost:80 -f # goes to the background after connecting
Note: with -R, the listener is opened on the server, and by default sshd binds it to the server's loopback address only. It becomes reachable from other hosts only if the server's sshd_config sets GatewayPorts yes (or GatewayPorts clientspecified, together with an explicit bind_address in the -R spec); -g on the client has no effect on it.
The host part can be any address, as long as the side that makes the outbound connection (the ssh server for -L, the ssh client for -R) can reach host:hostport, for example:
# ssh jason@server -N -g -R 8080:www.google.com:80
# ssh jason@server -N -g -R 8080:www.yahoo.com:80
The examples above use port 80 to make testing easy; to test, fetch the forwarded listening port on the corresponding host:
http://localhost:8080/ # test for the local forward example (run on the client)
http://server:8080/ # test for the reverse forward example (from another host; needs GatewayPorts as noted above, otherwise test from the server itself with http://localhost:8080/)
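The commands above are typed by hand. As an added example that is not part of the original page, the POSIX sh helpers below validate a `[bind_address:]port:host:hostport` spec, apply the page's rule about privileged ports, and print the `-L`/`-R` command with two additions a practitioner usually wants when using `-f`: `-o ExitOnForwardFailure=yes`, so a background ssh exits instead of staying alive with no forward when the port is already taken, and a ControlMaster socket (`-M -S`) so the background tunnel can be shut down with `-O exit` rather than by hunting for the process. The helper names (`parse_forward_spec`, `check_listen_port`, `tunnel_cmd`, `tunnel_stop_cmd`), the socket path and the `jason@server` target are assumptions for the example; the ssh options themselves are real OpenSSH options. Unlike the page's examples, the generated command omits `-g`, so the listener stays on the loopback address.

```shell
#!/bin/sh
# Added example, not code from the original page: validate an ssh forward
# spec and build the tunnel command line before running it.
# Helper names are hypothetical; the ssh options are real OpenSSH options.
set -eu

# parse_forward_spec "[bind_address:]port:host:hostport"
# Prints "bind port host hostport" (bind is "-" when omitted) or fails.
# Bracketed IPv6 addresses contain ':' and are not handled by this helper.
parse_forward_spec() {
    spec=$1
    old_ifs=$IFS; IFS=:; set -f; set -- $spec; set +f; IFS=$old_ifs
    case $# in
        3) bind=-;  port=$1; host=$2; hostport=$3 ;;
        4) bind=$1; port=$2; host=$3; hostport=$4 ;;
        *) echo "bad forward spec: $spec" >&2; return 1 ;;
    esac
    for p in "$port" "$hostport"; do
        case $p in
            ''|*[!0-9]*) echo "non-numeric port in spec: $spec" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "port out of range in spec: $spec" >&2; return 1
        fi
    done
    [ -n "$host" ] || { echo "empty host in spec: $spec" >&2; return 1; }
    printf '%s %s %s %s\n' "$bind" "$port" "$host" "$hostport"
}

# check_listen_port PORT UID: the page's note that on Linux only root may
# bind ports below 1024, as a check to run before opening the tunnel.
check_listen_port() {
    if [ "$1" -lt 1024 ] && [ "$2" -ne 0 ]; then
        echo "port $1 is privileged; run as root or use a port above 1023" >&2
        return 1
    fi
}

# tunnel_cmd MODE SPEC USER@HOST [CONTROL_SOCKET]   (MODE is L or R)
# Prints the command that opens the tunnel in the background (-f -N) as a
# ControlMaster (-M -S) so tunnel_stop_cmd can close it cleanly.
# ExitOnForwardFailure=yes makes ssh exit when the listen port is already
# in use instead of sitting in the background with no forward.
tunnel_cmd() {
    mode=$1; spec=$2; target=$3; sock=${4:-/tmp/ssh-tunnel.sock}
    parsed=$(parse_forward_spec "$spec") || return 1
    lport=$(printf '%s\n' "$parsed" | cut -d' ' -f2)
    case $mode in
        L) check_listen_port "$lport" "$(id -u)" || return 1 ;;  # port opens on this host
        R) ;;  # port opens on the server, under the remote user's privileges
        *) echo "mode must be L or R" >&2; return 1 ;;
    esac
    printf 'ssh -f -N -M -S %s -o ExitOnForwardFailure=yes -%s %s %s\n' \
        "$sock" "$mode" "$spec" "$target"
}

# tunnel_stop_cmd USER@HOST [CONTROL_SOCKET]: tell the background master to exit.
tunnel_stop_cmd() {
    printf 'ssh -S %s -O exit %s\n' "${2:-/tmp/ssh-tunnel.sock}" "$1"
}

# Usage: sh forward.sh demo   (prints the commands instead of running them)
if [ "${1:-}" = demo ]; then
    tunnel_cmd L 8080:localhost:80 jason@server
    tunnel_cmd R 8080:localhost:80 jason@server
    tunnel_stop_cmd jason@server
fi
```

To actually open the tunnel, run the printed command, test with `curl http://localhost:8080/`, and close it with the printed `-O exit` command; if ssh returns non-zero at start-up, the forward could not be set up and nothing is left running in the background.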
Here is a dynamic forward proxy example:
# ssh -g -D 8888 root@server;
Then configure the browser (e.g. firefox) to use the SOCKS5 proxy 127.0.0.1:8888.
Note: dynamic forwarding is a forward (client-side) forward. Without -g, the listener binds to the loopback address only; with -g, as in this example, it binds to all local addresses, so any host that can reach this machine on port 8888 can send traffic through the tunnel as you. A bind_address can also be given explicitly, e.g. -D 127.0.0.1:8888.
──────────────────────────────────────────────────────────────────────────────
ssh -D dynamic forward proxy (Local->Remote)
──────────────────────────────────────────────────────────────────────────────
_______ ________
| | ssh | |
| Local | ====================================> | Remote |
| Host | hostport -----------------> | Server |
|_______| 8888 (secure channel) |________|
Connect to the remote host with ssh using -D [bind_address:]port. From the ssh(1) man page:
-D [bind_address:]port
Specifies a local “dynamic” application-level port forwarding. This works by
allocating a socket to listen to port on the local side, optionally bound to
the specified bind_address. Whenever a connection is made to this port, the
connection is forwarded over the secure channel, and the application protocol
is then used to determine where to connect to from the remote machine.
Currently the SOCKS4 and SOCKS5 protocols are supported, and ssh will act as a
SOCKS server. Only root can forward privileged ports. Dynamic port
forwardings can also be specified in the configuration file.
IPv6 addresses can be specified by enclosing the address in square brackets.
Only the superuser can forward privileged ports. By default, the local port is
bound in accordance with the GatewayPorts setting. However, an explicit
bind_address may be used to bind the connection to a specific address. The
bind_address of “localhost” indicates that the listening port be bound for
local use only, while an empty address or ‘*’ indicates that the port should be
available from all interfaces.
An operational example of dynamic forward proxying:
L: 127.0.0.1/192.168.56.1
R: 192.168.56.101
L# ssh -g -D 8888 root@192.168.56.101;
# netstat -nlt | grep 8888;
------------------------------------------------------------------------------
tcp 0 0 0.0.0.0:8888 0.0.0.0:* LISTEN
------------------------------------------------------------------------------
You can then configure the browser (e.g. firefox) to use this SOCKS5 proxy at:
127.0.0.1:8888
Note: the listener shows as 0.0.0.0:8888 because of -g: besides 127.0.0.1 it is also reachable on 192.168.56.1, so other hosts on that network can use the tunnel to R as root. Leave out -g, or bind explicitly with -D 127.0.0.1:8888, to keep the proxy local; netstat should then show 127.0.0.1:8888.
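The netstat check above is the one that tells you whether a forward is exposed. As an added example, not part of the original page, the POSIX sh script below turns that check into something scriptable: `listener_scope` reads `netstat -nlt` or `ss -lnt` style lines and reports whether a port is bound to a wildcard address (reachable from other hosts), to loopback only, or not at all, and `pin_to_loopback` gives a `-D`/`-L`/`-R` spec an explicit 127.0.0.1 bind address when it has none, which is the man page's way of keeping a listener local regardless of -g. The function names and the sample netstat lines are constructed for the example; the sample lines mirror the output shown above with and without -g.

```shell
#!/bin/sh
# Added example, not code from the original page: decide from netstat/ss
# style output whether a forwarded listening port is reachable from other
# hosts (wildcard bind) or local-only (loopback bind).
set -eu

# listener_scope PORT   (reads "netstat -nlt" or "ss -lnt" lines on stdin)
# Prints "exposed" if PORT listens on 0.0.0.0, :: or *, "loopback" if it
# listens only on 127.x/::1, "absent" if no listener on PORT was seen.
listener_scope() {
    want=$1
    found=absent
    while read -r first rq sq local_addr rest; do
        case $first in tcp|tcp6|LISTEN) ;; *) continue ;; esac  # skip headers
        addr=${local_addr%:*}        # everything before the last ':' (IPv4, ::1, *)
        port=${local_addr##*:}
        [ "$port" = "$want" ] || continue
        case $addr in
            0.0.0.0|::|\*) found=exposed ;;
            127.*|::1)     [ "$found" = exposed ] || found=loopback ;;
            *)             found=exposed ;;   # a specific non-loopback interface
        esac
    done
    printf '%s\n' "$found"
}

# pin_to_loopback SPEC: a "-D port" or "-L/-R port:host:hostport" spec has no
# bind_address when it has an odd number of fields; prefix 127.0.0.1 then.
# Bracketed IPv6 addresses are not handled.
pin_to_loopback() {
    spec=$1
    n=$(printf '%s' "$spec" | tr -cd ':' | wc -c | tr -d ' ')
    case $((n + 1)) in
        1|3) printf '127.0.0.1:%s\n' "$spec" ;;
        *)   printf '%s\n' "$spec" ;;
    esac
}

# Constructed sample output (not captured from a real host): what netstat
# shows on host L after "ssh -g -D 8888 ..." and after the same without -g.
SAMPLE_WITH_G='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:8888            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN'
SAMPLE_NO_G='tcp        0      0 127.0.0.1:8888          0.0.0.0:*               LISTEN
tcp6       0      0 ::1:8888                :::*                    LISTEN'

# Stand-alone usage: report what the samples show and the hardened command.
printf 'with -g:    %s\n' "$(printf '%s\n' "$SAMPLE_WITH_G" | listener_scope 8888)"
printf 'without -g: %s\n' "$(printf '%s\n' "$SAMPLE_NO_G" | listener_scope 8888)"
printf 'hardened:   ssh -N -D %s root@server\n' "$(pin_to_loopback 8888)"
```

On a live host, pipe the real output in instead of the sample: `netstat -nlt | listener_scope 8888` (or `ss -lnt | listener_scope 8888`). Anything other than `loopback` for a SOCKS proxy you did not mean to share is a finding, since whoever reaches that port gets an authenticated path through the server.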