
Once again about port forwarding due to firewall

Good day.
I decided to write this post for several reasons:
1) Sometimes it is easier to give a link to an article than to tell a person for the hundred-and-first time what he needs to do and where he can read about it.
2) There is a need to put the knowledge into a system, and the best way to do that is to explain it to someone else.
3) Purely mercenary interest: I want an invite.

So. Formulation of the problem.
There is a workplace (W) behind a router. There is a home computer (H), from which it is periodically necessary to access the desktop of W, and which does not have a "white" (public) IP.
[Schema 1]
Changing anything in the router settings is impossible. Using TeamViewer & Co. is not our way.


Variants of the solution.
If we discard third-party programs, only two options remain:

I will show the implementation of the second option.
[Schema 2]
So, for simplicity we will agree that all machines run Linux. Port forwarding will go through an SSH connection, so even the simplest VDS will do as the intermediate server.

One more note: sshd on the VDS must allow connections to the forwarded port from addresses other than localhost. This is important! Enable it with GatewayPorts yes in sshd_config. Do not forget to restart the service afterwards: $ sudo /etc/init.d/ssh restart

The scheme of work is as follows:
1) The W machine checks whether anyone wants to connect to it (details below).
2) If not, it does nothing. If yes, it establishes an SSH connection to the VDS server.
3) The H machine connects its VNC client to VDS:5900 and gets the W desktop.
4) Profit!

A separate question is what can serve as the flag that a connection is needed. I solved it simply. The need for a connection is signalled by the presence of an open port (for example, 5995) on the VDS. If the port is open, we establish the SSH connection and forward the ports; if it is closed, we tear down the now-unneeded SSH channel until the next session.

Now some scripts.
Check whether someone wants access to the desktop:
$ crontab -u root -e
*/15 * * * * /usr/bin/connect_flag.sh

This checks every 15 minutes.

Script to check the open port, in Python (portscan.py):
    import socket

    def scan(host, port):
        # Try a plain TCP connect; an open port means "someone wants in".
        sd = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sd.settimeout(5)  # do not let a cron run hang on a silent host
        try:
            sd.connect((host, port))
        except socket.error:
            return 0
        else:
            sd.close()
            return 1

    if __name__ == '__main__':
        if scan('yourServer', 5995):
            print('start')
        else:
            print('stop')


The connect_flag.sh bash script itself, which implements the logic:
    #!/bin/bash
    export PATH=$PATH:/bin:/usr/bin:/usr/local/bin
    # PID of an already running tunnel, if any (the !/awk/ guard skips awk itself)
    PID=`/bin/ps ux | awk '/ssh -N username/ && !/awk/ {print $2}'`
    # "start" if the flag port on the VDS is open, "stop" otherwise
    FLAG=`/usr/bin/python /var/Script/portscan.py`
    # reverse forward: VDS:5900 -> W:5900 (needs GatewayPorts yes on the VDS)
    PARAM="-N username@yourVDS -R 5900:127.0.0.1:5900"
    if [ -n "$PID" ]; then
        # tunnel is up: tear it down once the flag disappears
        if [ "$FLAG" == 'stop' ]; then
            kill "$PID"
        fi
    else
        # no tunnel: bring it up when the flag appears
        if [ "$FLAG" == 'start' ]; then
            /usr/bin/ssh $PARAM &
        fi
    fi
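An added example (not from the original post) that folds the port check and the tunnel management of the two scripts above into one Python 3 script: the tunnel is tracked through a pidfile instead of grepping ps, the flag check has a connect timeout so a cron run cannot hang, and ssh is started with ExitOnForwardFailure so a tunnel whose remote bind failed does not linger. The VDS name, user, pidfile path and the demo_local_flag self-check are assumptions.

```python
import os
import signal
import socket
import subprocess

def flag_is_open(host, port, timeout=3.0):
    """True if a TCP connect to host:port succeeds before timeout (the 'start' flag)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def decide(flag_open, tunnel_running):
    """Same rule as connect_flag.sh: start when flagged and idle, kill when unflagged and up."""
    if flag_open and not tunnel_running:
        return "start"
    if not flag_open and tunnel_running:
        return "kill"
    return "noop"

def build_ssh_command(user, vds, remote_port=5900, local_port=5900):
    """-N reverse forward; keepalives let a dead link be noticed and the pidfile go stale."""
    return ["ssh", "-N", "-o", "ExitOnForwardFailure=yes", "-o", "ServerAliveInterval=60",
            "-o", "ServerAliveCountMax=3", "-R", f"{remote_port}:127.0.0.1:{local_port}",
            f"{user}@{vds}"]

def running_pid(pidfile):
    """PID from the pidfile if that process is still alive, else None (stale file ignored)."""
    try:
        pid = int(open(pidfile).read().strip())
        os.kill(pid, 0)          # signal 0 only checks existence
        return pid
    except (OSError, ValueError):
        return None

def run_once(vds, user, flag_port, pidfile):
    """One cron tick (assumed paths); returns the action taken."""
    pid = running_pid(pidfile)
    action = decide(flag_is_open(vds, flag_port), pid is not None)
    if action == "start":
        proc = subprocess.Popen(build_ssh_command(user, vds))
        open(pidfile, "w").write(str(proc.pid))
    elif action == "kill":
        os.kill(pid, signal.SIGTERM)
        os.remove(pidfile)
    return action

def demo_local_flag():
    """Self-check without a VDS: a listener on a random loopback port plays the flag."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = flag_is_open("127.0.0.1", port, timeout=1.0)
    srv.close()
    return while_open, flag_is_open("127.0.0.1", port, timeout=1.0)
```

Call run_once("yourVDS", "username", 5995, "/run/connect_flag.pid") from the cron entry in place of connect_flag.sh.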


That's all. What I would like to draw attention to:


Thanks to everyone who read this post to the end.

Source: https://habr.com/ru/post/116747/

