选择SSH端口转发的接口

24

我有一台服务器,我们将其称为hub-server.tld,具有三个IP地址100.200.130.121、100.200.130.122和100.200.130.123。我在防火墙后面有三台不同的计算机,但是我想使用SSH将一台计算机转发到每个IP地址。例如:一台机器应在100.200.130.121的端口22上侦听SSH,二台机器应在100.200.130.122的端口上侦听SSH,依此类推,以便在所有机器上的端口上使用不同的服务。

SSH手册页-R [bind_address:]port:host:hostport列出了“我已启用网关端口”,但是当使用-R特定的IP地址时,服务器仍会在所有接口上监听该端口:

机器一:

# ssh -NR 100.200.130.121:22:localhost:22 root@hub-server.tld

hub-server.tld(侦听端口2222上的SSH):

# netstat -tan | grep LISTEN
tcp        0      0 100.200.130.121:2222        0.0.0.0:*                   LISTEN
tcp        0      0 :::22                       :::*                        LISTEN
tcp        0      0 :::80                       :::*                        LISTEN

有没有一种方法可以使SSH仅将特定IP地址上的连接转发到计算机一,这样我就可以同时侦听其他IP地址上的端口22,还是必须对iptables做一些事情?这是我的ssh配置中所有不是注释/默认值的行:

Port 2222
Protocol 2
SyslogFacility AUTHPRIV
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication no
GSSAPICleanupCredentials no
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
AllowTcpForwarding yes
GatewayPorts yes
X11Forwarding yes
ClientAliveInterval 30
ClientAliveCountMax 1000000
UseDNS no
Subsystem       sftp    /usr/libexec/openssh/sftp-server
ssh  port  forwarding 
埃里克·普鲁特(Eric Pruitt)
source

Answers:

37

来自sshd_config(5)

网关端口

  Specifies whether remote hosts are allowed to connect to ports forwarded 
  for the client.  By default, sshd(8) binds remote port forwardings to the
  loopback address. This prevents other remote hosts from connecting to 
  forwarded ports.  GatewayPorts can be used to specify that sshd should 
  allow remote port forwardings to bind to non-loopback addresses, thus 
  allowing other hosts to connect.  The argument may be “no” to force remote 
  port forwardings to be available to the local host only, “yes” to force 
  remote port forwardings to bind to the wildcard address, or 
  “clientspecified” to allow the client to select the address to which the 
  forwarding is bound.  The default is “no”.

您想将此设置为clientspecified而不是yes

米高尔文
source
太棒了,谢谢你!我真的希望ssh(1)的手册页指出这clientspecified是需要的,而不仅仅是说“ enabled”:“仅在启用服务器的GatewayPorts选项的情况下,指定远程bind_address才能成功(请参见sshd_config(5))”。因此,我认为只需将其设置为即可yes
埃里克·普鲁伊特
By using our site, you acknowledge that you have read and understand our Cookie Policy and Privacy Policy.
Licensed under cc by-sa 3.0 with attribution required.