I have a small local network. Only one of the machines is available to the outside world (this is not easily changeable). I'd like to be able to set it up such that ssh requests that don't come in on the standard port go to another machine. Is this possible? If so, how?
Oh and all of these machines are running either Ubuntu or OS X.
6 solutions
#1
11
Another way to go would be to use ssh tunneling (which happens on the client side).
You'd do an ssh command like this:
ssh -L 8022:myinsideserver:22 paul@myoutsideserver
That connects you to the machine that's accessible from the outside (myoutsideserver) and creates a tunnel through that ssh connection to port 22 (the standard ssh port) on the server that's only accessible from the inside.
Then you'd do another ssh command like this (leaving the first one still connected):
ssh -p 8022 paul@localhost
That connection to port 8022 on your localhost will then get tunneled through the first ssh connection taking you over myinsideserver.
There may be something you have to do on myoutsideserver to allow forwarding of the ssh port. I'm double-checking that now.
Edit
Hmmm. The ssh manpage says this: **Only the superuser can forward privileged ports.**
That sort of implies to me that the first ssh connection has to be as root. Maybe somebody else can clarify that.
It looks like superuser privileges aren't required as long as the forwarded port (in this case, 8022) isn't a privileged port (like 22). Thanks for the clarification Mike Stone.
#2
4
(In this example, I am assuming port 2222 will go to your internal host. $externalip and $internalip are the ip addresses or hostnames of the visible and internal machine, respectively.)
You have a couple of options, depending on how permanent you want the proxying to be:
- Some sort of TCP proxy. On Linux, the basic idea is that before the incoming packet is processed, you want to change its destination, i.e. prerouting destination NAT:
  iptables -t nat -A PREROUTING -p tcp -i eth0 -d $externalip --dport 2222 --sport 1024:65535 -j DNAT --to $internalip:22
- Using SSH to establish temporary port forwarding. From here, you have two options again:
  - Transparent proxy, where the client thinks that your visible host (on port 2222) is just a normal SSH server and doesn't realize that it is passing through. While you lose some fine-grained control, you get convenience (especially if you want to use SSH to forward VNC or X11 all the way to the inner host).
    - From the internal machine:
      ssh -g -R 2222:localhost:22 $externalip
    - Then from the outside world:
      ssh -p 2222 $externalip
    Notice that the "internal" and "external" machines do not have to be on the same LAN. You can port forward all the way around the world this way.
  - Forcing login to the external machine first. This is true "forwarding," not "proxying"; but the basic idea is this: You force people to log in to the external machine (so you control who can log in and when, and you get logs of the activity), and from there they can SSH through to the inside. It sounds like a chore, but if you set up simple shell scripts on the external machine with the names of your internal hosts, coupled with password-less SSH keypairs, then it is very straightforward for a user to log in. So:
    - On the external machine, you make a simple script, /usr/local/bin/internalhost, which simply runs ssh $internalip
    - From the outside world, users do: ssh $externalip internalhost
      and once they log in to the first machine, they are immediately forwarded through to the internal one.
    Another advantage to this approach is that people don't get key management problems, since running two SSH services on one IP address will make the SSH client angry.
- FYI, if you want to SSH to a server and you do not want to worry about keys, do this:
  ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no
  I have an alias in my shell called "nossh", so I can just do nossh somehost and it will ignore all key errors. Just understand that you are ignoring security information when you do this, so there is a theoretical risk.
Much of this information is from a talk I gave at Barcamp Bangkok all about fancy SSH tricks. You can see my slides, but I recommend the text version as the S5 slides are kind of buggy. Check out the section called "Forward Anything: Simple Port Forwarding" for info. There is also information on creating a SOCKS5 proxy with OpenSSH. Yes, you can do that. OpenSSH is awesome like that.
(Finally, if you are doing a lot of traversing into the internal network, consider setting up a VPN. It sounds scary, but OpenVPN is quite simple and runs on all OSes. I would say it's overkill just for SSH; but once you start port-forwarding through your port-forwards to get VNC, HTTP, or other stuff happening; or if you have lots of internal hosts to worry about, it can be simpler and more maintainable.)
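The "force login to the external machine first" option above relies on a wrapper script that runs ssh to a fixed inside host. Below is an added example (my own, not the answer's script) of a hardened form of that /usr/local/bin/internalhost wrapper: it takes the name of an inside host, resolves it only through a fixed allowlist, writes an audit line with logger, and then exec's ssh. The host names and addresses are constructed.

```shell
#!/bin/sh
# Added example, not the answer's own script: a hardened form of the
# /usr/local/bin/internalhost wrapper from answer #2. Instead of a fixed
# 'ssh $internalip' it takes the name of an internal host, resolves it only
# through a fixed allowlist (so a caller cannot smuggle extra ssh options or
# an arbitrary destination into the command line), writes an audit line via
# logger, and then exec's ssh to the inside. Names/addresses are constructed.
set -eu

# Allowlist as "name=address" pairs; edit to match the inside hosts.
INTERNAL_HOSTS="${INTERNAL_HOSTS:-web=192.168.1.20 db=192.168.1.21}"

# Print the address for an allowed name; return 1 for anything else.
# The match is exact, so "web -oProxyCommand=..." or a raw IP both fail.
lookup_internal_host() {
    name="$1"
    for pair in $INTERNAL_HOSTS; do
        if [ "${pair%%=*}" = "$name" ]; then
            printf '%s\n' "${pair#*=}"
            return 0
        fi
    done
    return 1
}

# Address of the client that logged in to the gateway (first field of
# SSH_CLIENT), or "local" when run from a console.
client_addr() {
    c="${SSH_CLIENT:-local}"
    printf '%s\n' "${c%% *}"
}

jump() {
    # Under an authorized_keys forced command the requested name arrives in
    # SSH_ORIGINAL_COMMAND; when run interactively it is the first argument.
    name="${1:-${SSH_ORIGINAL_COMMAND:-}}"
    if addr=$(lookup_internal_host "$name"); then
        logger -t internalhost "ALLOW user=${USER:-?} from=$(client_addr) to=$name ($addr)"
        # Strict host key checking: the gateway keeps a curated known_hosts
        # for the inside. "--" ends option parsing; $addr is allowlist data.
        exec ssh -o StrictHostKeyChecking=yes -- "$addr"
    fi
    logger -t internalhost "DENY user=${USER:-?} from=$(client_addr) to=$name"
    echo "internalhost: '$name' is not a known internal host" >&2
    return 2
}

# Act only when a target was supplied (argument or forced command);
# sourcing the file just defines the functions.
if [ -n "${1:-}${SSH_ORIGINAL_COMMAND:-}" ]; then
    jump "${1:-}"
fi
```

To pin a key to this wrapper, prefix it in the gateway's authorized_keys with command="/usr/local/bin/internalhost" so that key can only jump; connect with ssh -t $externalip web so the inner session gets a terminal.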
#3
3
I was going to say that, but you beat me to it! Anyways, I just wanted to add that there is also the -R option:
ssh -R 8022:myinsideserver:22 paul@myoutsideserver
The difference is what machine you are connecting to/from. My boss showed me this trick not too long ago, and it is definitely really nice to know... we were behind a firewall and needed to give external access to a machine... he got around it by ssh -R to another machine that was accessible... then connections to that machine were forwarded into the machine behind the firewall, so you need to use -R or -L based on which machine you are on and which you are ssh-ing to.
Also, I'm pretty sure you are fine to use a regular user as long as the port you are forwarding (in this case the 8022 port) is not below the restricted range (which I think is 1024, but I could be mistaken), because those are the "reserved" ports. It doesn't matter that you are forwarding it to a "restricted" port because that port is not being opened (the machine is just having traffic sent to it through the tunnel, it has no knowledge of the tunnel), the 8022 port IS being open and so is restricted as such.
EDIT: Just remember, the tunnel is only open so long as the initial ssh remains open, so if it times out or you exit it, the tunnel will be closed.
#4
0
You can use Port Forwarding to do this. Take a look here:
http://portforward.com/help/portforwarding.htm
There are instructions on how to set up your router to port forward requests on this page:
http://www.portforward.com/english/routers/port_forwarding/routerindex.htm
#5
0
In Ubuntu, you can install Firestarter and then use its Forward Service feature to forward the SSH traffic from a non-standard port on your machine with external access to port 22 on the machine inside your network.
On OS X you can edit the /etc/nat/natd.plist file to enable port forwarding.
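Both the iptables DNAT rule in answer #2 and the Firestarter forward service above rewrite only the packet's destination; the gateway also has to have IP forwarding enabled and a FORWARD rule that admits the rewritten flow, or connections to port 2222 simply hang. Here is an added example (mine, not from any of the answers) that wraps answer #2's rule with those two pieces; the addresses are constructed and the variable names follow answer #2.

```shell
#!/bin/sh
# Added example, not from the original answers. The PREROUTING DNAT rule in
# answer #2 (and the forward-service GUI in answer #5) only rewrites the
# destination address; the gateway must also have IP forwarding on and let
# the rewritten flow through its FORWARD chain, or connections to port 2222
# simply hang. This script adds those pieces around the original rule.
# Variable names follow answer #2; addresses are constructed samples.
# DRY_RUN=1 prints the commands instead of running them, so the rule set
# can be reviewed before it touches a firewall.
set -eu

externalip="${externalip:-203.0.113.10}"   # constructed (TEST-NET-3)
internalip="${internalip:-192.168.1.20}"   # constructed
extif="${extif:-eth0}"                     # public-facing interface
fwdport="${fwdport:-2222}"                 # public port mapped to inside:22

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

ssh_dnat_rules() {
    # 1. The kernel must be allowed to forward packets not addressed to it.
    run sysctl -w net.ipv4.ip_forward=1
    # 2. Answer #2's rule: packets arriving on the public interface for
    #    $externalip:2222 are rewritten to $internalip:22. Binding it to
    #    -i $extif keeps LAN-side traffic out of the mapping.
    run iptables -t nat -A PREROUTING -p tcp -i "$extif" -d "$externalip" \
        --dport "$fwdport" --sport 1024:65535 -j DNAT --to "$internalip:22"
    # 3. FORWARD sees the packet after DNAT, so match the rewritten address:
    #    admit only new SSH connections to that one host:port ...
    run iptables -A FORWARD -p tcp -i "$extif" -d "$internalip" --dport 22 \
        -m conntrack --ctstate NEW -j ACCEPT
    #    ... plus replies and follow-up packets of connections conntrack
    #    already tracks (this one stateful rule covers the return path).
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Emit the command list without executing anything (the subshell keeps
# DRY_RUN from leaking), e.g. for review or diffing against iptables-save.
dry_run_rules() {
    ( DRY_RUN=1; ssh_dnat_rules )
}

# Apply for real only when asked explicitly: 'sh ssh-dnat.sh apply' as root.
if [ "${1:-}" = "apply" ]; then
    ssh_dnat_rules
fi
```

The return path assumes $internalip routes its replies back through this gateway (normally because the gateway is its default route); if it does not, a POSTROUTING SNAT/MASQUERADE rule is needed as well, at the cost of the inside host seeing the gateway rather than the real client address in its logs.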
#6
0
Without messing around with firewall rules, you can set up a ~/.ssh/config file.
Assume 10.1.1.1 is the 'gateway' system and 10.1.1.2 is the 'client' system.
Host gateway
    Hostname 10.1.1.1
    LocalForward 8022 10.1.1.2:22
Host client
    Hostname localhost
    Port 8022
You can open an ssh connection to 'gateway' via:
ssh gateway
In another terminal, open a connection to the client.
ssh client