Eri*_*itt 28 ssh port forwarding
我有一个我们称之为 hub-server.tld 的服务器,它有三个 IP 地址:100.200.130.121、100.200.130.122 和 100.200.130.123。我在防火墙后面有三台不同的机器,但我想使用 SSH 将一台机器端口转发到每个 IP 地址。例如:第一台机器应该在 100.200.130.121 上的端口 22 上监听 SSH,而第二台机器应该在 100.200.130.122 上做同样的事情,对于所有机器上可能相同的端口上的不同服务,依此类推。
SSH 手册页-R [bind_address:]port:host:hostport列出了我启用了网关端口,但是当使用-R特定 IP 地址时,服务器仍然在所有接口上侦听端口:
# ssh -NR 100.200.130.121:22:localhost:22 root@hub-server.tld
# netstat -tan | grep LISTEN
tcp 0 0 100.200.130.121:2222 0.0.0.0:* LISTEN
tcp 0 0 :::22 :::* LISTEN
tcp 0 0 :::80 :::* LISTEN
有没有办法让 SSH 仅将特定 IP 地址上的连接转发到一台机器,以便我可以同时侦听其他 IP 地址上的端口 22,或者我必须对 iptables 做些什么?以下是我的 ssh 配置中所有不是注释/默认值的行:
Port 2222
Protocol 2
SyslogFacility AUTHPRIV
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication no
GSSAPICleanupCredentials no
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
AllowTcpForwarding yes
GatewayPorts yes
X11Forwarding yes
ClientAliveInterval 30
ClientAliveCountMax 1000000
UseDNS no
Subsystem sftp /usr/libexec/openssh/sftp-server
mgo*_*ven 41
来自sshd_config(5):
网关端口
Run Code Online (Sandbox Code Playgroud)Specifies whether remote hosts are allowed to connect to ports forwarded for the client. By default, sshd(8) binds remote port forwardings to the loopback address. This prevents other remote hosts from connecting to forwarded ports. GatewayPorts can be used to specify that sshd should allow remote port forwardings to bind to non-loopback addresses, thus allowing other hosts to connect. The argument may be “no” to force remote port forwardings to be available to the local host only, “yes” to force remote port forwardings to bind to the wildcard address, or “clientspecified” to allow the client to select the address to which the forwarding is bound. The default is “no”.
您想将此设置为clientspecified而不是yes.