如何使用反向SSH隧道绕过防火墙和NAT [英] How to bypass firewall and NAT with reverse SSH Tunnel
问题描述
我正在尝试在路由器后面的计算机中生成SSH服务器.
首先,我尝试将SSH绑定到我的公共IP地址:
ssh -R 10002:localhost:22 <ip_address>
然后提示输入密码,但是我的用户名密码似乎无效.
很明显,我知道我的用户名密码,因此在我看来,它正在尝试在同一网络下的另一台计算机中进行身份验证.
任何建议如何解决此问题?
如果您无权访问路由器,那么如何在路由器后创建SSH服务器的任何其他选择也将为我提供帮助.
iptables中的端口都已打开.
更新
根据 Thomas Oster 的建议,我尝试了以下方法.
在路由器后面的机器中,我执行了以下命令:
$ ssh -R10002:localhost:22 <remote_public_ip_address> -l <my_remote_server_username>
<remote_ip_address>是具有我完全控制的公用IP和SSH服务器的服务器的remote_ip_address.
<my_remote_server_username>是远程服务器用户名.
之后,我尝试像这样从远程服务器连接到路由器后面的服务器:
$ ssh -p 10002 <remote_public_ip_address>
但是此命令显示以下输出:
ssh: connect to host <remote_public_ip_address> port 10002: Connection refused
因此,我使用以下命令在iptables防火墙中打开了10002端口:
sudo iptables -A INPUT -p tcp --dport 10002 -j ACCEPT
之后,我再次执行了命令,但是它显示了相同的错误消息.
在路由器后面的机器中,所有端口都在iptables中打开.
更新2
您必须允许在/etc/ssh/sshd_config中的端口转发 remove_public_ip_address服务器
我尝试添加以下命令在sshd_config文件中允许端口转发:
LocalForward 10002 <my_remote_public_server_ip>:22
但是它给了我这个错误信息:
Bad configuration option: LocalForward
在"ssh -R ...."之后,您是否让窗口保持打开状态?
执行该命令后,它会连接到远程公共计算机,是的,我让窗口保持打开状态.
在公共服务器上可以使用ssh -p 10002 localhost吗 隧道创建了吗?
是的,如果我在公共服务器上执行该命令,它将在询问我凭据后连接.
请在路由器后面的计算机上尝试"ssh localhost",以检查sshd是否正在运行并正常工作.
这也可以.
更新3
我终于能够使其工作(再次感谢 Thomas Oster )
我们将使用三台机器
目标计算机:我们要连接的目标计算机.
中间机:充当连接中介的服务器(在我的情况下为Linode)
家用计算机:我们将在其中访问目标计算机的地方.
这些是我遵循的步骤
第1步:
[destination computer]$ vi /etc/ssh/sshd_config
添加GatewayPorts选项:
GatewayPorts是
重新启动ssh.
第2步:
[destination computer]$ ssh -R 4040:localhost:22 middle-machine-user@middle-machine-public-ip
这将通过端口4040将您的公用计算机与目标计算机链接
它将连接到中间机并提示终端,您必须将此选项卡保持打开状态.
第3步:
在家连接:
ssh destination-user@destination-ip -p4040
或从中间机连接:
[home computer]$ ssh middle-machine-user@middle-machine-ip
[middle computer]$ ssh destination-user@localhost -p4040
是否在公共"ip_address"上运行ssh服务器?您想要做的是打开ssh连接到"ip_address",然后将端口10002上的任何传入请求通过隧道传送到localhost:22".
如果"ip-address"是dsl路由器的公共IP地址,则必须在路由器的配置中创建端口转发到主机的端口:22.
如果您没有访问路由器的权限,那么唯一的可能就是访问Internet上运行ssh的另一台服务器,并从中建立隧道.
# open a session to the public available machine and create a tunnel from port 10002 back to your local sshd (22)
ssh -R 10002:localhost:22 ip_of_public_server
# as long as this session is open, all calls to the public available machine on port 10002 will be tunneled to your local machine (make sure sshd is running on port 22)
ssh -p 10002 ip_of_public_server
I'm trying to generate an SSH server in a machine behind a router.
First I tried to bind the SSH to my public IP address:
ssh -R 10002:localhost:22 <ip_address>
Then I'm prompted with a password request, however my username password doesn't seem to work.
Obviously I know my username password, so it seems to me that it's trying to authenticate in another computer under the same network.
Any suggestions how to fix this?
It would also help me any alternative on how to create an SSH server behind a Router when you don't have access to the Router.
The ports in iptables are all open.
UPDATE
As suggested by Thomas Oster answer I've tried the following.
In the machine behind the router I've executed the following command:
$ ssh -R10002:localhost:22 <remote_public_ip_address> -l <my_remote_server_username>
<remote_ip_address> being the remote_ip_address of a server with public IP and SSH server on which I have full control.
<my_remote_server_username> being the remote server username.
After that, I've tried to connect from the remote server to the server behind the router like this:
$ ssh -p 10002 <remote_public_ip_address>
However this command displays the following output:
ssh: connect to host <remote_public_ip_address> port 10002: Connection refused
So I opened the 10002 port in the iptables firewall using the following command:
sudo iptables -A INPUT -p tcp --dport 10002 -j ACCEPT
After that I've executed again the command but it displays the same error message.
In my machine behind the router I have all ports open in iptables.
UPDATE 2
You have to allow port-forwarding in the /etc/ssh/sshd_config of the remove_public_ip_address server
I've tried to allow portforwarding in the sshd_config file adding this command:
LocalForward 10002 <my_remote_public_server_ip>:22
But it gave me this error message:
Bad configuration option: LocalForward
After "ssh -R...." did you leave the window open?
After executing that command, it connects to the remote public machine, and yes, I left the window open.
Can you use ssh -p 10002 localhost on the public server after the tunnel is created?
Yes, if I execute that command in the public server, it connects after asking me for credentials.
Please try "ssh localhost" on the machine behind the router to check if sshd is running and working.
This also works.
UPDATE 3
I've been finally able to make it work (thanks again to Thomas Oster)
We are going to work with three machines:
Destination Machine: That we want to connect to.
Middle Machine: A server acting as an intermediary for the connection (a Linode in my case)
Home Computer: Where we will access to the destination machine.
These are the steps I followed
Step 1:
[destination computer]$ vi /etc/ssh/sshd_config
Add the GatewayPorts option:
GatewayPorts yes
Restart ssh.
Step 2:
[destination computer]$ ssh -R 4040:localhost:22 middle-machine-user@middle-machine-public-ip
This will link your public machine with your destination computer via port 4040
It will connect to the middle machine and prompt the terminal, you must leave this tab open.
Step 3:
Connect from home:
ssh destination-user@destination-ip -p4040
Or connect from the middle machine:
[home computer]$ ssh middle-machine-user@middle-machine-ip
[middle computer]$ ssh destination-user@localhost -p4040
Is there a ssh-server running on the public "ip_address"? What you're trying to do is "open ssh connection to "ip_address" and then tunnel any incoming request on port 10002 to localhost:22".
If "ip-address" is the public IP address of your dsl-router, you have to create a port-forwarding in the router's configuration to your host:22.
If you do not have access to the router, the only possible thing would be if you had access to another server running ssh in the internet, from which you can tunnel.
# open a session to the public available machine and create a tunnel from port 10002 back to your local sshd (22)
ssh -R 10002:localhost:22 ip_of_public_server
# as long as this session is open, all calls to the public available machine on port 10002 will be tunneled to your local machine (make sure sshd is running on port 22)
ssh -p 10002 ip_of_public_server
这篇关于如何使用反向SSH隧道绕过防火墙和NAT的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
