Skillfully use SSH to get through the Internet restrictions
2022-07-02 13:32:00 【Programmer Xiaohui】
Text reproduced from: Zhihu, Li Yao
Link: https://zhuanlan.zhihu.com/p/444319023
Illustrations from: Jegher
Layout: Let it go
The author ran into the following scenario at work. Under the two network restrictions below, how can the head office reach the branch office's web server?
The dmz server can reach port 22 of the headquarters' external-facing server, but cannot reach the web server;
the web server cannot reach the public network, but its access to the dmz network is unrestricted.
The first idea is naturally to map the intranet port to the public network, or to use a VPN, but neither is feasible without changing the network policy. Is there another way? Let us keep analysing the existing conditions from a purely network point of view.
Network communication is bidirectional: where there is a request there is a response, and that is what we mean by "getting through". dmz can reach the external port 22, which means both the request path and the return-packet path are open. Can we use that return channel to get reverse access from the outside to the inside? The answer is yes; let us try it with the ssh tool.
Execute the following command on dmz.
# ssh -f -N -g -R 6606:10.1.1.1:80 root@115.100.100.100
-f: run in the background
-N: do not execute a remote command; only set up the forwarding
-g: allow remote hosts to connect to locally forwarded ports
-R: create an ssh tunnel using remote port forwarding
Put together, the command means: we connect remotely to 115.100.100.100 as the root user, and the remote host listens on port 6606; whatever connects to that port is forwarded through the ssh tunnel to port 80 on dmz. Once the command is running on dmz, the headquarters server already has a listening port.
# netstat -tunlp | grep 6606
tcp 0 0 127.0.0.1:6606 0.0.0.0:* LISTEN 8616/sshd: root
We try the port on the headquarters server and get a refusal. That shows the network has been opened up, but the dmz server is not listening on port 80, so the connection is refused. Note that the listener is bound to 127.0.0.1 only: for a remote forward (-R) the bind address on the remote side is decided by the sshd server's GatewayPorts setting, not by the client's -g flag, so by default the forwarded port is reachable only from the headquarters server itself.
# telnet 127.0.0.1 6606
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
By analogy, the network is then opened in reverse from the web server to dmz: accessing local port 80 on the dmz server will be forwarded to port 80 on the web server. (The login target is the dmz server; the account and address are obscured in the original.)
# ssh -f -N -g -R 80:10.1.1.1:80 <user>@<dmz-address>
Test access from the headquarters server again, and the connection now goes through.
# telnet 127.0.0.1 6606
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Finally, let us review the packet-forwarding process from the network's point of view.
The following is what the headquarters server sees.
# The dmz server, with source address 115.100.100.101:29493, connects to local port 22; the tcp connection is established.
# ss | grep 115.
tcp ESTAB 0 0 172.16.1.1:22 115.100.100.101:29493
# netstat -tpna | grep 115.
tcp 0 0 172.16.1.127:22 101.230.91.53:29493 ESTABLISHED 8555/sshd: root
# The local listening port corresponds to process number 8616
# netstat -tunlp | grep 6606
tcp 0 0 127.0.0.1:6606 0.0.0.0:* LISTEN 8616/sshd: root
# ps -ef | grep 8616
root 8616 8555 0 Dec03 ? 00:01:04 sshd: root.
When the headquarters server accesses 127.0.0.1:6606, the network connection information is as follows.
Channels in both directions have been established.
# ss | grep 6606
tcp ESTAB 0 0 127.0.0.1:6606 127.0.0.1:51158
tcp ESTAB 0 0 127.0.0.1:51158 127.0.0.1:6606
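The listing above is also how such a tunnel shows up on the server side: an sshd child process listening on a port other than 22. The following is an added detection example, not code from the original article; it parses netstat -tunlp style lines in the layout the article shows and flags sshd-owned listeners on non-SSH ports, noting whether they are bound only to loopback or to a wildcard address (GatewayPorts yes). The sample output is constructed.

```python
import re
from dataclasses import dataclass

# netstat -tunlp columns: proto recv-q send-q local foreign state pid/program
NETSTAT_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+LISTEN\s+"
    r"(?P<pid>\d+)/(?P<prog>.+?)\s*$"
)

@dataclass(frozen=True)
class Finding:
    pid: int
    bind_addr: str
    port: int
    exposed: bool  # True when bound to a wildcard address, i.e. reachable from other hosts

def split_local(local: str) -> tuple[str, int]:
    """Split '127.0.0.1:6606' or ':::6606' into (address, port)."""
    addr, _, port = local.rpartition(":")
    return addr, int(port)

def find_ssh_reverse_forwards(netstat_output: str, ssh_port: int = 22) -> list[Finding]:
    """Return LISTEN sockets owned by sshd that are not the SSH service port itself."""
    findings = []
    for line in netstat_output.splitlines():
        m = NETSTAT_RE.match(line.strip())
        if not m or not m.group("prog").startswith("sshd"):
            continue
        addr, port = split_local(m.group("local"))
        if port == ssh_port:
            continue  # the normal sshd service listener is expected
        exposed = addr in ("0.0.0.0", "::", "*")
        findings.append(Finding(int(m.group("pid")), addr, port, exposed))
    return findings

# Constructed sample in the same layout the article shows for netstat -tunlp.
SAMPLE = """\
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1021/sshd: /usr/sbin
tcp 0 0 127.0.0.1:6606 0.0.0.0:* LISTEN 8616/sshd: root
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 8701/sshd: root
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 912/nginx: master
udp 0 0 0.0.0.0:68 0.0.0.0:* 655/dhclient
"""

if __name__ == "__main__":
    for f in find_ssh_reverse_forwards(SAMPLE):
        print(f)
```

Run periodically on the SSH server (or feed it `ss -tlnp` output adapted to the same columns) to surface remote forwards that were never expected there.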
Finally, the complete forwarding process is shown in a diagram.
dmz initiates an ssh connection to the headquarters server and sets up remote port forwarding. When the remote server accesses the forwarded port, the data is encapsulated into the return channel of that connection; because ssh is itself encrypted, the outside network cannot see the interaction logic, and reverse access is achieved.