Thursday, January 16, 2014

Reverse tunnel ssh

This example creates inward routing into a network that, at the
network level, allows only outbound connections. It uses four hosts: an
appliance, an admin console (alanis), a general purpose machine
(smallfry) and a workstation. Alanis creates the reverse tunnel to
smallfry, forwarding any traffic arriving at smallfry:2022 to
appliance:22.

ssh -R 0:2022:localhost:22 peter@smallfry.dyndns.org

-R  reverse (remote) tunnel
0  the address to bind on smallfry; 0 or * means all interfaces
:2022  the listening port to bind on smallfry
:localhost  where alanis replays the traffic, here its own loopback
interface; it could be any IP alanis can talk to
:22  the port to forward to on the destination machine
peter@smallfry.dyndns.org  the account and public name of the second machine

-f -N (fork, no command) are also useful parameters: they create the
tunnel without opening a command session or waiting.

The diagram shows 192.168.2.7 as an appliance with an ssh listener on
port 22. To forward to the appliance instead of to alanis itself:

ssh -R 0:2022:192.168.2.7:22 peter@smallfry.dyndns.org

The workstation then connects to smallfry on port 2022:

ssh smallfry -p 2022

Green is the reverse tunnel: the secure network itself creates the
inward path. Black is the traffic carried inside the tunnel.

The line *:2022 in the netstat -l output (below) is the listener that
sshd on smallfry bound for the tunnel.

smallfry binds that listener on its network interfaces, rather than
only on localhost, only if GatewayPorts is yes in sshd_config.
Otherwise it binds localhost:2022, and only processes on smallfry
itself can reach the tunnel.

peter@alanis:~$ ssh -R 0:2022:localhost:22 peter@smallfry.dyndns.org
peter@smallfry.dyndns.org's password:
Linux smallfry 3.6.11+ #538 PREEMPT Fri Aug 30 20:42:08 BST 2013 armv6l

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Jan 16 01:12:08 2014 from static-77-257-227-57.rcmdpa.myisp.net
peter@smallfry ~ $ netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:3128                  *:*                     LISTEN
tcp        0      0 localhost:4700          *:*                     LISTEN
tcp        0      0 *:afpovertcp            *:*                     LISTEN
tcp        0      0 *:2022                  *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
udp        0      0 smallfry.home:ntp       *:*
udp        0      0 localhost:ntp           *:*
udp        0      0 *:ntp                   *:*
udp        0      0 *:36284                 *:*
udp        0      0 *:38369                 *:*
udp        0      0 *:mdns                  *:*
udp        0      0 *:icpv2                 *:*
udp        0      0 *:bootpc                *:*
udp        0      0 *:10855                 *:*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     2753   /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     SEQPACKET  LISTENING     481    /run/udev/control
unix  2      [ ACC ]     STREAM     LISTENING     2791   /var/run/avahi-daemon/socket
peter@smallfry ~ $

peter@smallfry ~ $ grep Gate /etc/ssh/sshd_config
GatewayPorts yes
peter@smallfry ~ $
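As an added example (not part of the original post), the POSIX shell helpers below pull the pieces of the write-up together: tunnel_cmd builds the reverse-tunnel command line with -f -N plus ExitOnForwardFailure and ServerAliveInterval (two standard OpenSSH client options the post does not mention), listener_scope reads netstat -l style output and reports whether a port is bound on all interfaces or only on localhost, which is exactly the GatewayPorts effect shown in the session above, and gatewayports_setting reads the effective value out of an sshd_config. The function names and the sample netstat and sshd_config text are constructed for this example; the host and account names follow the post.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the sample
# outputs below are constructed; hosts/accounts follow the post (alanis,
# smallfry, peter).

# Build the reverse-tunnel command line.
#   $1 = account@host to connect to (smallfry)
#   $2 = port sshd on $1 should listen on
#   $3 = destination host as seen from this side (localhost = alanis itself)
#   $4 = destination port
# -f -N: go to the background and run no remote command, as in the post.
# ExitOnForwardFailure=yes: exit instead of leaving a session with no tunnel
#   when the remote port cannot be bound (e.g. already in use).
# ServerAliveInterval=30: keep the otherwise idle tunnel from being dropped
#   by a NAT or firewall idle timeout on the outbound-only network.
tunnel_cmd() {
    printf 'ssh -f -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -R 0:%s:%s:%s %s\n' \
        "$2" "$3" "$4" "$1"
}

# Read `netstat -l` style output on stdin and report how TCP port $1 is
# bound: "any" (all interfaces, what GatewayPorts yes gives), "localhost"
# (loopback only, the default with GatewayPorts no) or "none".
listener_scope() {
    awk -v p="$1" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            port = $4; sub(/.*:/, "", port)       # text after the last colon
            host = $4; sub(/:[^:]*$/, "", host)   # text before the last colon
            if (port != p) next
            if (host == "*" || host == "0.0.0.0" || host == "::") {
                any = 1
            } else if (host == "localhost" || host == "127.0.0.1" ||
                       host == "::1" || host == "ip6-localhost") {
                lo = 1
            }
        }
        END { print (any ? "any" : (lo ? "localhost" : "none")) }'
}

# Read an sshd_config on stdin and print the effective GatewayPorts value
# (yes, no or clientspecified). sshd uses the first non-comment occurrence;
# the compiled-in default is "no". Match blocks are not considered here.
gatewayports_setting() {
    awk 'tolower($1) == "gatewayports" && !found { print tolower($2); found = 1 }
         END { if (!found) print "no" }'
}

# Constructed sample in the shape of the post's netstat output (GatewayPorts yes).
SAMPLE_NETSTAT_ANY='Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:2022 *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN'

# Constructed sample of the same tunnel on a host with GatewayPorts no.
SAMPLE_NETSTAT_LO='Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:2022 *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN'

# Constructed sshd_config fragment: the commented-out line must be ignored.
SAMPLE_SSHD_CONFIG='# GatewayPorts no
Port 22
GatewayPorts yes'

# Stand-alone run: print the command and the three checks. On a live host,
# replace the samples with `netstat -l` (or `ss -ltn`) and
# `cat /etc/ssh/sshd_config` run on smallfry.
tunnel_cmd peter@smallfry.dyndns.org 2022 localhost 22
printf '%s\n' "$SAMPLE_NETSTAT_ANY" | listener_scope 2022
printf '%s\n' "$SAMPLE_NETSTAT_LO" | listener_scope 2022
printf '%s\n' "$SAMPLE_SSHD_CONFIG" | gatewayports_setting
```

From the point of view of whoever runs the outbound-only network, a *:2022 listener on smallfry created by an ordinary user's ssh session is an inbound path across the perimeter that the firewall never saw; checking GatewayPorts and the bound address of unexpected listeners on hosts reachable from outside is how that path is found.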
