SSH Tunnel through Ubuntu bastion to EC2 instance in private subnet


Question

According to this AWS doc: Scenario 2: VPC with Public and Private Subnets (NAT), I have my own VPC with two subnets: private and public. In the public subnet I have deployed an Ubuntu 16.04 instance with an assigned EIP. It also has the following security group inbound rules:

Type   Protocol Port Range Source            Description
SSH    TCP      22         xx.xx.xx.xx/32    Home IP

and the following outbound rules:

Type   Protocol Port Range Source            Description
SSH    TCP      22         sg-xxprivatexx    Security group ID for instance in private subnet

Looks nice, I can ssh to it externally from my home. No problem.

In the private subnet I have deployed another Ubuntu 16.04 machine with the following security group (inbound rules):

Type   Protocol Port Range Source            Description
HTTP   TCP      80         sg-xxpublicxxx    Security Group ID for bastion instance in public subnet
SSH    TCP      22         sg-xxpublicxxx    -

and no outbound rules (actually it has the 80 and 443 outbound ports opened, but it's not an interesting part, I guess). And I can still reach this virtual machine using ssh from my bastion.

Right now I just want to do one simple thing: run ssh port forwarding so I can open localhost:8080 in my home PC browser and see the webpage I published on my private instance. If I understand it correctly from here and here (and from here as well), I have to run something like:

 ssh -N -v -L 8080:10.0.1.112:80 ubuntu@3.121.46.99

Which, as I guess, basically means: just forward traffic from the private subnet instance with IP 10.0.1.112:80 to my localhost:8080 through my bastion VM with username ubuntu hosted on EIP 3.121.46.99.

The debug output ends with the following lines:

debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:ZyVHgnF8z5vE5gfNr1S2JDfjhdydZVTNevPRgJZ+sRA /home/matterai/.ssh/key.pem
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/matterai/.ssh/id_rsa
debug1: Trying private key: /home/matterai/.ssh/id_dsa
debug1: Trying private key: /home/matterai/.ssh/id_ecdsa
debug1: Trying private key: /home/matterai/.ssh/id_ed25519
debug1: No more authentication methods to try.
matterai@3.121.46.99: Permission denied (publickey).

I have been playing around with it for a few days and I still can't get what I am doing wrong. It's so strange: I can ssh -A (to allow forwarding) to my bastion, and I can ssh to my private instance from the bastion. But I can't establish an SSH tunnel to see my webpage (in the future it will be mongodb) without an error. Need some advice or a point in the right direction, please! Thank you.

UPD#1

Ok then. If I make manual forwarding using my local machine and my bastion, I get the expected result. Basically it means running this command on the bastion:

ubuntu@bastion: ssh -v -N -L 5000:localhost:8000 ubuntu@10.0.1.68

After that, run this command on the local/home machine:

matterai@homepc: ssh -v -N -L 5000:localhost:5000 ubuntu@3.121.46.99

When I make a request to localhost:5000 on my local machine, I can see the result page. Is it possible to combine these two commands, and if so, how? (spoiler: yes, it's possible: see the answer!)

Accepted answer

Ok, it's easy. Hope my answer will help somebody.

1. You need to use the ssh -J option to connect through your bastion virtual machine:

 -J [user@]host[:port]
         Connect to the target host by first making a ssh connection to
         the jump host and then establishing a TCP forwarding to the
         ultimate destination from there.  Multiple jump hops may be
         specified separated by comma characters.  This is a shortcut to
         specify a ProxyJump configuration directive.


2. Then you need to forward traffic from your destination virtual machine port (:8000), where the app (or database) is started, to your localhost port (:5001), using ssh -L:

 -L [bind_address:]port:host:hostport
 -L [bind_address:]port:remote_socket
 -L local_socket:host:hostport
 -L local_socket:remote_socket
         Specifies that connections to the given TCP port or Unix socket
         on the local (client) host are to be forwarded to the given host
         and port, or Unix socket, on the remote side.  This works by
         allocating a socket to listen to either a TCP port on the local
         side, optionally bound to the specified bind_address, or to a
         Unix socket.  Whenever a connection is made to the local port or
         socket, the connection is forwarded over the secure channel, and
         a connection is made to either host port hostport, or the Unix
         socket remote_socket, from the remote machine.

         Port forwardings can also be specified in the configuration file.
         Only the superuser can forward privileged ports.  IPv6 addresses
         can be specified by enclosing the address in square brackets.

         By default, the local port is bound in accordance with the
         GatewayPorts setting.  However, an explicit bind_address may be
         used to bind the connection to a specific address.  The
         bind_address of "localhost" indicates that the listening port be
         bound for local use only, while an empty address or ‘*’ indicates
         that the port should be available from all interfaces.

3. The full ssh command looks like this:

matterai@homepc: ssh -v -N -A -J ubuntu@3.121.46.99 -L 5001:localhost:8000 ubuntu@10.0.1.112

UPD: Also, you can simplify your command a bit. In ~/.ssh/config you can add your jumphost (bastion) and your final destination VM IP:

Host bastion
        HostName 3.121.46.99
        User ubuntu
        Port 22
        IdentityFile ~/.ssh/secret.pem
        ForwardAgent yes

Host server
        HostName 10.0.1.112
        User ubuntu
        Port 22
        IdentityFile ~/.ssh/secret.pem
        ProxyJump bastion

Now you can run the command:

ssh -v -N -A -J bastion -L 80:localhost:8000 server

Looks much better. Also, you can simply connect via ssh using ssh server.
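As an added example (not code from the question or the answer above), the script below reads an ssh_config like the one in the answer, resolves the ProxyJump chain for a host alias and prints the expanded `ssh -J ... -L ...` command, so the config-file form and the explicit form in step 3 can be compared. It also flags two settings a reviewer would question in this setup: `ForwardAgent yes` on the jump host, which is not needed with ProxyJump because the key for the final host is presented from the local client rather than from the bastion, and a `-L` forward without an explicit bind address, which follows the `GatewayPorts` setting instead of being pinned to 127.0.0.1. The config text, the function names and the port numbers are this example's own; the addresses 3.121.46.99 and 10.0.1.112 are the ones used on the page.

```python
"""Resolve an OpenSSH ProxyJump chain from an ssh_config and build the
equivalent `ssh -J ... -L ...` command, flagging two risky settings.

Added example, not code from the original question or answer. The config
below is constructed to mirror the answer's ~/.ssh/config; all function
names are this example's own."""
from typing import Dict, List

# Constructed ssh_config. ForwardAgent is left on the bastion, as in the
# answer, so that the lint below has something to flag.
SAMPLE_CONFIG = """
Host bastion
        HostName 3.121.46.99
        User ubuntu
        Port 22
        IdentityFile ~/.ssh/secret.pem
        ForwardAgent yes

Host server
        HostName 10.0.1.112
        User ubuntu
        Port 22
        IdentityFile ~/.ssh/secret.pem
        ProxyJump bastion
"""


def parse_ssh_config(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal ssh_config parser: one dict of lower-cased keys per Host block.
    Handles only the plain 'Keyword value' form used in the answer (no Match,
    no wildcard patterns); the first value wins, as in OpenSSH."""
    hosts: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            current = value
            hosts.setdefault(current, {})
        elif current is not None:
            hosts[current].setdefault(key, value)
    return hosts


def jump_chain(hosts: Dict[str, Dict[str, str]], target: str) -> List[str]:
    """Follow ProxyJump aliases outward from target; returns the hops in the
    order `ssh -J` expects (first hop first). Detects ProxyJump loops."""
    chain: List[str] = []
    seen = {target}
    hop = hosts.get(target, {}).get("proxyjump")
    while hop:
        if hop in seen:
            raise ValueError(f"ProxyJump loop at {hop}")
        seen.add(hop)
        chain.append(hop)
        hop = hosts.get(hop, {}).get("proxyjump")
    return list(reversed(chain))


def user_at_host(hosts: Dict[str, Dict[str, str]], alias: str) -> str:
    """Expand an alias to [user@]hostname[:port], omitting the default port."""
    entry = hosts.get(alias, {})
    spec = entry.get("hostname", alias)
    if entry.get("user"):
        spec = f"{entry['user']}@{spec}"
    if entry.get("port") and entry["port"] != "22":
        spec += f":{entry['port']}"
    return spec


def build_tunnel_command(hosts, target, local_port, remote_port,
                         remote_host="localhost", bind_address="127.0.0.1"):
    """Expanded form of the answer's combined command: explicit -J hops so it
    runs without the config file, an explicit bind address so the listener
    is local-only regardless of GatewayPorts, and no -A, since ProxyJump
    authenticates to the final host from the local client."""
    argv = ["ssh", "-N"]
    chain = jump_chain(hosts, target)
    if chain:
        argv += ["-J", ",".join(user_at_host(hosts, h) for h in chain)]
    argv += ["-L", f"{bind_address}:{local_port}:{remote_host}:{remote_port}",
             user_at_host(hosts, target)]
    return argv


def lint_config(hosts: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag ForwardAgent on any host that serves as a jump hop: the agent is
    not needed there with ProxyJump, and forwarding it lets that host use it."""
    jump_hosts = {h for t in hosts for h in jump_chain(hosts, t)}
    return [f"{alias}: ForwardAgent yes on a jump host; not needed with ProxyJump"
            for alias, entry in hosts.items()
            if alias in jump_hosts and entry.get("forwardagent", "no").lower() == "yes"]


def lint_forward(spec: str) -> List[str]:
    """Check a -L argument of the form [bind_address:]port:host:hostport.
    No bind address, an empty one, or '*' means the listener follows
    GatewayPorts / all interfaces. IPv6 bracket syntax is not handled."""
    parts = spec.split(":")
    if len(parts) == 3 or parts[0] in ("", "*"):
        return [f"-L {spec}: no explicit bind address; prefix with 127.0.0.1:"]
    return []


if __name__ == "__main__":
    cfg = parse_ssh_config(SAMPLE_CONFIG)
    print(" ".join(build_tunnel_command(cfg, "server", 5001, 8000)))
    for finding in lint_config(cfg) + lint_forward("5001:localhost:8000"):
        print("warning:", finding)
```

Running it prints `ssh -N -J ubuntu@3.121.46.99 -L 127.0.0.1:5001:localhost:8000 ubuntu@10.0.1.112`, which is the answer's step 3 command with the bind address pinned and `-A` dropped, followed by the two warnings. `jump_chain` also handles a multi-hop ProxyJump (bastion behind bastion) by emitting the comma-separated `-J` list, which the page's single-hop setup does not need.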
