
SSH tunnels: port forwarding

It is not always possible, and not always necessary, to build a full-fledged tunnel with a pair of interface addresses. Sometimes we only need to forward certain ports.

It is important to understand that the tunnel can be built from inside the network whose resources you want to reach, out to an external ssh server. You can also build a tunnel from a host on the Internet to the network's edge ssh server in order to reach internal resources.

So, in order.

We build a tunnel from the network to the world.
  $ ssh -f -N -R 2222:10.11.12.13:22 username@99.88.77.66


Now, on host 99.88.77.66, running:

  $ ssh -p2222 localhost


gets us to host 10.11.12.13.

In the same way, you can access any other resource, for example:

  $ ssh -f -N -R 2080:10.11.12.14:80 username@99.88.77.66


Having run, on host 99.88.77.66:

  $ w3m -dump http://localhost:2080


we will receive a dump of a web resource on 10.11.12.14.

We build a tunnel from the world to the network.

  $ ssh -f -N -L 4080:192.168.0.10:80 nameuser@88.77.66.55


Similarly, on our own host we run:

  $ w3m -dump http://localhost:4080


and get access to the web resource on 192.168.0.10, which sits behind host 88.77.66.55.

Keep the tunnels up
It's no secret that connections sometimes drop, and when that happens the tunnels die on timeout.
So as not to bother with retyping the tunnel command by hand and watching the process, we will automate it. Go ahead and run:

  $ crontab -e

and create a schedule similar to the following:

  # cron hands each command to /bin/sh, so use portable redirection
  # rather than bash's "&>"; cron strips the quotes around the values
  TUNCMD1='ssh -f -N -R 2222:10.11.12.13:22 username@99.88.77.66'
  TUNCMD2='ssh -f -N -R 2080:10.11.12.14:80 username@99.88.77.66'

  */5 * * * * pgrep -f "$TUNCMD1" >/dev/null 2>&1 || $TUNCMD1
  */5 * * * * pgrep -f "$TUNCMD2" >/dev/null 2>&1 || $TUNCMD2


Save it, then check with

  $ crontab -l


that the schedule is accepted.

This is just one more bit of special admin magic... I hope it raises few questions. Further ssh options can be found in

  $ man 1 ssh


From practical experience, cron restart jobs alone are absolutely not enough.
They would suffice only if the connection were absolutely stable, which in real life is the case 0% of the time.
Even two network cards connected directly by cable can easily lose some number of packets, and the TCP connection will "drop".
The client and the server remain blissfully confident that everything is in order; it is just that the other side is not transmitting anything.
You need keepalives.
Like this:

  TCPKeepAlive yes
  ServerAliveInterval 300
  ServerAliveCountMax 3


Interval and counter are to taste.
They should be added either to /etc/ssh_config, or to ~/.ssh/config, or given directly on the command line with the -o option.
In principle, judging by man ssh_config, the first of these options can be omitted, but just in case, let it stay.
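One way to fold the keepalive options and the cron-style "start it if it is not running" check into a single script, as an added example that is not from the original post: the function names and the TUNNEL_DRY_RUN switch are assumptions, while the hosts and ports are the post's own examples. A crontab line such as `*/5 * * * * /usr/local/bin/tunnel.sh 2222 10.11.12.13 22 username@99.88.77.66` then replaces the variable lines above.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed names: build_tunnel_cmd,
# tunnel_running, ensure_tunnel, TUNNEL_DRY_RUN.

# Compose the ssh command for a reverse (-R) tunnel with the keepalive settings
# passed via -o, plus ExitOnForwardFailure so that a tunnel whose remote port
# is already taken exits instead of lingering as a "live" but useless process
# that would fool the pgrep check.
# Usage: build_tunnel_cmd REMOTE_PORT TARGET_HOST TARGET_PORT USER@SERVER
build_tunnel_cmd() {
    printf 'ssh -f -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=300 -o ServerAliveCountMax=3 -R %s:%s:%s %s' \
        "$1" "$2" "$3" "$4"
}

# Succeed (exit 0) if a process with exactly this command line is running.
# -x anchors the match to the whole command line, so a tunnel to a different
# host or port is not mistaken for this one.
tunnel_running() {
    pgrep -f -x "$1" >/dev/null 2>&1
}

# Start the tunnel unless it is already up. Prints "running" or "started".
# With TUNNEL_DRY_RUN=1 the ssh command is echoed instead of executed, which
# lets the script be exercised offline.
ensure_tunnel() {
    cmd=$(build_tunnel_cmd "$@")
    if tunnel_running "$cmd"; then
        echo running
        return 0
    fi
    if [ "${TUNNEL_DRY_RUN:-0}" = 1 ]; then
        echo "would run: $cmd"
    else
        # the command contains no spaces inside arguments, so plain word
        # splitting of $cmd is safe here
        $cmd
    fi
    echo started
}

# Entry point when run as a script (nothing runs when sourced without args):
#   ./tunnel.sh 2222 10.11.12.13 22 username@99.88.77.66
if [ $# -ge 4 ]; then
    ensure_tunnel "$@"
fi
```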

Source: https://habr.com/ru/post/81607/

