Linux remote and local port mapping

Port mapping comes in two forms, local port mapping and remote port mapping. This article covers two workable ways of doing it, iptables and ssh, and shows how to use each.

 

Local host IP, A: 192.168.1.119

Remote host IP, B: 192.168.1.120

 

Methods

1: ssh:

     -N      Do not execute a remote command. Useful for just forwarding ports. (Protocol version 2 only.)

     -L port:host:hostport
             Forward the given port on the local (client) host to the given host and port on the remote side. This works by
             allocating a socket to listen on port on the local side; whenever a connection is made to this port, it is
             forwarded over the secure channel and a connection is made from the remote host to port hostport on host.
             Port forwardings can also be specified in the configuration file. Only root can forward privileged ports.
             IPv6 addresses use an alternative syntax: port/host/hostport

     -R port:host:hostport
             Forward the given port on the remote (server) host to the given host and port on the local side. This works by
             allocating a socket to listen on port on the remote side; whenever a connection is made to this port, it is
             forwarded over the secure channel and a connection is made from the local host to port hostport on host.
             Port forwardings can also be specified in the configuration file. Privileged ports can be forwarded only when
             logging in as root on the remote host. IPv6 addresses use an alternative syntax: port/host/hostport

     Note that host in the spec is resolved on the side that makes the outbound connection: the remote host for -L, the local
     host for -R. So 127.0.0.1 names the remote machine in a -L spec and the local machine in a -R spec.

 

1.1: Using -R:

       Remote mapping: ssh -N -R 9876:127.0.0.1:22 192.168.1.120 makes the remote host listen on port 9876 and maps it to port 22 on the local host. In the spec, host (127.0.0.1) is resolved by the local host, so it means A (192.168.1.119) itself; 192.168.1.120 is the remote host the ssh session is opened to. Because the remote host now listens on 9876, connecting to port 9876 on the remote host is the same as connecting to port 22 on 192.168.1.119. sshd binds this listener to the remote host's loopback interface unless GatewayPorts is enabled in sshd_config, which is why the test below connects to 127.0.0.1:9876 on B and why other machines cannot reach the forwarded port.

      Test result:

A(119):

[root:user] ssh -N -R 9876:127.0.0.1:22 192.168.1.120
root@192.168.1.120's password:

                    

B(120):

<user:work> ssh 127.0.0.1 -p 9876
user@127.0.0.1's password:
Linux debian 3.2.0-3-686-pae #1 SMP Thu Jun 28 08:56:46 UTC 2012 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Oct 23 19:12:53 2013 from debian.local
[user:~] ifconfig
eth0      Link encap:Ethernet  HWaddr 08:00:27:e4:81:9d 
          inet addr:192.168.1.119  Bcast:192.168.255.255  Mask:255.255.0.0                #120 has successfully reached 119
          inet6 addr: fe80::a00:27ff:fee4:819d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2527825 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2946303 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1142752654 (1.0 GiB)  TX bytes:3537921035 (3.2 GiB)

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:3658 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3658 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:492528 (480.9 KiB)  TX bytes:492528 (480.9 KiB)

[user:~]

 

       Local mapping: the same idea. ssh -N -R 9876:127.0.0.1:22 127.0.0.1 makes the "remote" host listen on port 9876 and maps it to port 22 on the local host; here 127.0.0.1 is the host the ssh session is opened to, i.e. the local machine itself, so both ends of the tunnel are A. The listener only exists once that session has authenticated, so a connection attempted before then is refused, as the first attempt in the test below shows.

      Test result:

A(119):

[root:user] ssh -N -R 9876:127.0.0.1:22 127.0.0.1
root@127.0.0.1's password:

 

A(119):

[user:work] ssh 127.0.0.1 -p 9876
ssh: connect to host 127.0.0.1 port 9876: Connection refused
[user:work] ssh 127.0.0.1 -p 9876
Linux debian 3.2.0-3-686-pae #1 SMP Thu Jun 28 08:56:46 UTC 2012 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Oct 23 19:29:00 2013 from localhost
[user:~]                                            #successfully logged in to a shell; the working directory changed from work to user's home directory

 

1.2: Using -L:

       Remote mapping: ssh -N -L 9876:192.168.1.120:22 127.0.0.1 makes the local host listen on port 9876 and maps it to port 22 on the remote host 192.168.1.120. The final argument, 127.0.0.1, is the ssh server the session is opened to; here that is the local host A itself, and it is A, as the server end of the session, that resolves and connects to 192.168.1.120:22. Because the local host now listens on 9876, connecting to port 9876 on the local host is the same as connecting to port 22 on 192.168.1.120. ssh binds a -L listener to 127.0.0.1 unless -g or an explicit bind address is given, so it is likewise not reachable from other machines.

      Test result:

A(119):

[root:user] ssh -N -L 9876:192.168.1.120:22 127.0.0.1
root@127.0.0.1's password:

 

A(119):

[user:~] ssh 127.0.0.1 -p 9876
user@127.0.0.1's password:
Linux debian 3.2.0-3-686-pae #1 SMP Thu Jun 28 08:56:46 UTC 2012 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Oct 23 19:45:30 2013 from debian.local
<user:~> ifconfig
eth0      Link encap:Ethernet  HWaddr 08:00:27:e4:81:9d 
          inet addr:192.168.1.120  Bcast:192.168.255.255  Mask:255.255.0.0     #119 has successfully reached 120
          inet6 addr: fe80::a00:27ff:fee4:819d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:13528 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1731 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1304332 (1.2 MiB)  TX bytes:331565 (323.7 KiB)

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:774 errors:0 dropped:0 overruns:0 frame:0
          TX packets:774 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:104032 (101.5 KiB)  TX bytes:104032 (101.5 KiB)

<user:~>

 

       Local mapping: works the same way and is not spelled out here; try it yourself.

       A few points matter when such tunnels are left running. Each forward opens a path into a network the other side could not reach before, so give the tunnel its own key rather than a password, and on the server side limit what that key may do with AllowTcpForwarding in sshd_config or the restrict, permitopen and permitlisten (OpenSSH 7.8 and later) options in authorized_keys. Add -o ExitOnForwardFailure=yes so ssh exits instead of silently running without its forward when the port is already taken, and ServerAliveInterval so a dead session is noticed. With -N and no -f, ssh stays in the foreground and the forward disappears when the session ends.

 

2: iptables:

Redirect TCP connections to port 9876 to port 22: on this host, or, as the rule in 2.1 does, on host B. DNAT (Destination Network Address Translation) does this; the nat table rewrites the destination of matching packets before they are delivered or routed.

Because iptables handles local and remote connections along different paths, the two cases need separate rules.

2.1: Remote connections

A remote connection is one made from another machine to this host. Its packets pass through the PREROUTING chain first, so the DNAT goes in the PREROUTING chain.
# iptables -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.1.119 --dport 9876 -j DNAT --to 192.168.1.120:22

As written, this rule hands connections that arrive on A's port 9876 on to port 22 of B (192.168.1.120), not to A's own sshd. For that to work, A must have net.ipv4.ip_forward enabled, the filter table's FORWARD chain must let the traffic through, and B's replies must travel back via A (a POSTROUTING SNAT or MASQUERADE rule on A, or a route on B), otherwise the client receives replies from an address it never connected to and discards them. To map the port to A's own port 22 instead, point --to at A's own address. The nat table listing in the test below contains no PREROUTING rule, so that test only exercises the local case.

2.2: Local connections

A local connection is one made on this host to its own port, via 127.0.0.1 or the host's own IP. Its packets never cross the physical network interface; the kernel hands them to the local process itself. In iptables they traverse only the OUTPUT chain and never PREROUTING, so the DNAT must go in the OUTPUT chain. Besides 127.0.0.1, connections to the host's own IP (192.168.1.119 here) are local connections too, so both destinations need a rule.
# iptables -t nat -A OUTPUT -p tcp -d 127.0.0.1 --dport 9876 -j DNAT --to 127.0.0.1:22

# iptables -t nat -A OUTPUT -p tcp -d 192.168.1.119 --dport 9876 -j DNAT --to 127.0.0.1:22

The nat table only rewrites addresses: the filter table's INPUT chain still decides whether port 22 accepts the connection, and none of these rules survive a reboot unless saved (for example with iptables-save).

 

Test results:

A(119):

[root:src]
[root:src] iptables -L  -t nat -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination        

Chain INPUT (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination        
[root:src] iptables -t nat -A OUTPUT -p tcp -d 127.0.0.1 --dport 9876 -j DNAT --to 127.0.0.1:22
[root:src] iptables -t nat -A OUTPUT -p tcp -d 192.168.1.119 --dport 9876 -j DNAT --to 127.0.0.1:22
[root:src] iptables -L  -t nat -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination        

Chain INPUT (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
DNAT       tcp  --  0.0.0.0/0            127.0.0.1            tcp dpt:9876 to:127.0.0.1:22
DNAT       tcp  --  0.0.0.0/0            192.168.1.119        tcp dpt:9876 to:127.0.0.1:22

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination        
[root:src]

 

A(119):

[user:src]
[user:src] ssh 192.168.1.119 -p 9876
Linux debian 3.2.0-3-686-pae #1 SMP Thu Jun 28 08:56:46 UTC 2012 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Oct 23 19:33:43 2013 from localhost
[user:~] logout
Connection to 192.168.1.119 closed.
[user:src] ssh 127.0.0.1 -p 9876
Linux debian 3.2.0-3-686-pae #1 SMP Thu Jun 28 08:56:46 UTC 2012 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Oct 23 20:12:54 2013 from debian.local
[user:~] logout
Connection to 127.0.0.1 closed.
[user:src]
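The rules in 2.1 and 2.2 above, together with the prerequisites 2.1 needs when the target is another host, can be produced as one ordered command set. The following is an added example, not part of the original post: a Python helper that emits the iptables and sysctl commands for mapping a TCP port on this host to a target. It uses REDIRECT when the target is this host (equivalent, in OUTPUT, to the DNAT --to 127.0.0.1:22 rules above, and avoiding a loopback destination in PREROUTING) and DNAT plus ip_forward, FORWARD and MASQUERADE when the target is another host. port_map_commands, apply_commands and LOCAL_ADDRS are names chosen here; LOCAL_ADDRS is a constructed sample holding host A's addresses from the post.

```python
# Added example, not part of the original post: the command set for the
# iptables method, covering the PREROUTING path (packets from other hosts) and
# the OUTPUT path (locally generated packets, matched on 127.0.0.1 and on the
# host's own address), plus what a mapping to another host additionally needs.
# port_map_commands, apply_commands and LOCAL_ADDRS are names chosen here;
# LOCAL_ADDRS is a constructed sample with host A's addresses from the post.
import shlex
import subprocess

LOCAL_ADDRS = ["127.0.0.1", "192.168.1.119"]


def port_map_commands(listen_port, target_host, target_port,
                      local_addrs=LOCAL_ADDRS, iface="eth0", undo=False):
    """Return, in order, the shell commands that map TCP listen_port on this
    host to target_host:target_port; undo=True returns the removals instead."""
    act = "-D" if undo else "-A"
    lan_addrs = [a for a in local_addrs if a != "127.0.0.1"]
    local_target = target_host in local_addrs
    if local_target:
        # REDIRECT rewrites to the receiving interface's own address in
        # PREROUTING and to 127.0.0.1 in OUTPUT, so no loopback routing is needed.
        jump = f"-j REDIRECT --to-ports {target_port}"
    else:
        jump = f"-j DNAT --to-destination {target_host}:{target_port}"
    cmds = []
    if not local_target and not undo:
        cmds.append("sysctl -w net.ipv4.ip_forward=1")  # DNATed packets must be routed on
    # Packets arriving from other hosts: nat/PREROUTING, matched on the LAN address.
    for addr in lan_addrs:
        cmds.append(f"iptables -t nat {act} PREROUTING -p tcp -i {iface} "
                    f"-d {addr} --dport {listen_port} {jump}")
    # Locally generated packets: nat/OUTPUT only, for 127.0.0.1 and the LAN address.
    for addr in local_addrs:
        cmds.append(f"iptables -t nat {act} OUTPUT -p tcp "
                    f"-d {addr} --dport {listen_port} {jump}")
    if not local_target:
        # filter/FORWARD still decides whether the rewritten packets may pass.
        cmds.append(f"iptables {act} FORWARD -p tcp -d {target_host} --dport {target_port} "
                    f"-m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT")
        cmds.append(f"iptables {act} FORWARD -p tcp -s {target_host} --sport {target_port} "
                    f"-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT")
        # Replies must come back through this host: without source NAT the target
        # answers the client directly (or, for a local client, receives a packet
        # from 127.0.0.1) and the connection never completes.
        cmds.append(f"iptables -t nat {act} POSTROUTING -p tcp -d {target_host} "
                    f"--dport {target_port} -j MASQUERADE")
    return cmds


def apply_commands(cmds, dry_run=True):
    """Print each command; with dry_run=False also run it (requires root)."""
    for cmd in cmds:
        print(cmd)
        if not dry_run:
            subprocess.run(shlex.split(cmd), check=True)
    return len(cmds)


if __name__ == "__main__":
    apply_commands(port_map_commands(9876, "192.168.1.120", 22))
```

By default apply_commands only prints; run it with dry_run=False as root to install the rules, confirm with iptables -t nat -L -n -v (the packet counters show which rule actually matched a test connection), and remove them again with the undo=True command set. The REDIRECT and DNAT rules only rewrite destinations; the filter table still decides whether the connection is accepted, and nothing here survives a reboot unless saved.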

 
