ssh 远程端口转发：连接被拒绝

Question

尝试建立远程 ssh 端口转发：

在我的远程主机上，/etc/ssh/sshd_config

客户端指定的网关端口

在我的本地计算机上：

ssh -g -R 1234:0.0.0.0:8000 me@my-remote-host

通过调试，我们可以阅读：

debug1: Authentication succeeded (publickey).
Authenticated to s1.bux.fr ([178.32.223.76]:22).
debug1: Remote connections from LOCALHOST:1234 forwarded to local address 0.0.0.0:8000
debug2: fd 3 setting TCP_NODELAY
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: remote forward success for: listen 1234, connect 0.0.0.0:8000
debug1: All remote forwarding requests processed

在远程主机上，我们可以联系 1234 端口（WSGIServer/0.2 CPython/3.4.3是本地机器的 8000 端口）：

# http :1234
HTTP/1.0 302 Found
Content-Type: text/html; charset=utf-8
Date: Wed, 19 Oct 2016 13:26:00 GMT
Location: /accounts/login/
Server: WSGIServer/0.2 CPython/3.4.3
Vary: Cookie
X-Frame-Options: SAMEORIGIN

我们可以查看打开的端口：

# netstat -tupln | grep 1234
tcp        0      0 127.0.0.1:1234          0.0.0.0:*               LISTEN      14460/1         
tcp6       0      0 ::1:1234                :::*                    LISTEN      14460/1

但是，从世界上的另一台机器，我无法联系my-remote-host:1324：

# http my-remote-host:1234

http: error: ConnectionError: HTTPConnectionPool(host='my-remote-host', port=1234): Max retries exceeded with url: / (Caused by NewConnectionError('<requests.packages.urllib3.connection.HTTPConnection object at 0xb6b2fbec>: Failed to establish a new connection: [Errno 111] Connection refused',)) while doing GET request to URL: http://my-remote-host:1234/

我的远程主机上没有防火墙：

# iptables -L
[sudo] password for bux: 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
fail2ban-sshd  tcp  --  anywhere             anywhere             multiport dports ssh
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain fail2ban-ssh (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain fail2ban-sshd (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere

如何找到它阻塞的地方？

Answer 1

tcp   0   0 127.0.0.1:1234    0.0.0.0:*               LISTEN   14460/1         

在 netstat 的输出中可以很好地看到问题。您的远程机器正在侦听 127.0.0.1:1234，该地址仅可用于该机器的本地连接。

要使 ssh -g（网关选项）工作，您必须指定通配符地址或可从外部客户端访问的某些接口地址，例如：

ssh -g -R 0.0.0.0:1234:0.0.0.0:8000 me@my-remote-host

Answer 2

找到的解决方案是https://superuser.com/questions/588591/how-to-make-ssh-tunnel-open-to-public：

我们必须像这样设置绑定地址：

ssh -R 0.0.0.0:1234:0.0.0.0:8000 me@my-remote-host