Using SSH tunnels to build a multi-level tunnel

Posted by punzalan at 2020-02-27


Brief introduction

Tunneling encapsulates one network protocol inside another. SSH can build a tunnel in three ways: local forwarding, remote forwarding and dynamic forwarding. Only the first and the third are used here to build a multi-level springboard (a chain of jump hosts).



Local forwarding: map a local port to a port on a remote machine. The SSH client listens on a port on the local machine; every connection to that port is carried inside the SSH session to Tunnel_Host, which then opens a connection to DST_Host:DST_port. Note that DST_Host is resolved and reached from Tunnel_Host, so it only has to be reachable from there, not from the local machine. The format is:

ssh -C -f -N -L listen_port:DST_Host:DST_port user@Tunnel_Host -p Tunnel_Host_sshport

Dynamic forwarding: with local forwarding the two ends of the mapping are fixed (one port on the SSH client, one destination behind the SSH server). With dynamic forwarding the destination is not fixed: the SSH client listens on a local port and speaks SOCKS (versions 4 and 5) on it, and each connection names its own destination in the SOCKS request, which Tunnel_Host then connects to. The format is:

ssh -C -f -N -D listen_port user@Tunnel_Host -p Tunnel_Host_sshport

Parameter description:

-C compresses the data carried in the tunnel.
-f puts ssh in the background once authentication (the password or key prompt) is done.
-N opens no remote shell; ssh only carries the forwards.
-L listen_port:DST_Host:DST_port sets up a local forward; listen_port binds to loopback unless a bind address is written in front of it.
-D listen_port sets up a dynamic (SOCKS) forward on listen_port, also bound to loopback by default.
-p Tunnel_Host_sshport is the port sshd listens on at Tunnel_Host (22 if omitted).

Building a multi-level springboard with SSH means using local forwarding to map the SSH port of the first remote machine onto a local port, then using that local port to reach the next remote machine's SSH port and map it to another local port, and so on, until the last hop, where dynamic forwarding is used to bring up a SOCKS server whose traffic leaves from that last machine.

Finally a SOCKS proxy client is configured on the local machine so that applications send their traffic through the tunnel just built.

Example: a two-level springboard. The tunnel hosts run Linux. Experimental environment:

Client A: Windows, localhost
Tunnel B: Linux, sshd on port 22 (written B_Host below)
Tunnel C: Linux, sshd on port 55 (written C_Host below)


First layer forwarding:

A(localhost:12345) -> B(B_Host:22) -> C(C_Host:55)

ssh -Nf -C -L 12345:C_Host:55 rootB@B_Host -p 22

This step maps local port 12345 to port 55 on C (C's SSH port) by way of B. The link from A to B is the SSH session to B, so it is encrypted between A and B; B then opens a plain TCP connection to C_Host:55, but what flows over it is the next SSH session, so B only ever sees the ciphertext of the A-to-C hop. C_Host is resolved from B, so it must be reachable from B, not necessarily from A.

Second layer forwarding:

ssh(localhost:9833) -> tunnel2(localhost:12345)

ssh -Nf -C -D localhost:9833 rootC@localhost -p 12345

In this step only a local port (9833) is bound. Although ssh talks to local port 12345, it is really establishing a dynamic forward with C through the first tunnel, and C acts as the SOCKS proxy server: every connection made to localhost:9833 leaves from C. Because ssh sees this hop as localhost on port 12345, the host key is recorded in known_hosts under [localhost]:12345; if that local port is later reused for a different machine, ssh warns of a host key mismatch, which is the same warning a man-in-the-middle would cause, so do not get into the habit of clicking past it. Giving each hop its own -o HostKeyAlias=<name> keeps the entries distinct.
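The two commands above are one instance of a general recipe: one -L per intermediate hop, each publishing the next hop's sshd on a fresh loopback port, then a single -D against the last hop. The following shell script is an added example, not code from the original post, that generates and runs the commands for any number of hops and then checks the SOCKS listener. B_Host, C_Host, D_Host and the rootX user names are placeholders standing in for the addresses the post leaves out, and the ExitOnForwardFailure and ServerAliveInterval options are additions of mine (not in the post) so that a failed or dropped hop is noticed instead of leaving a silent gap in the chain.

```shell
#!/bin/sh
# Added example, not code from the original post: build the same kind of
# chain for N hops instead of two. Every hop but the last gets an "ssh -L"
# that publishes the NEXT hop's SSH port on a local loopback port; the last
# hop gets the "ssh -D" SOCKS listener. Host names such as B_Host/C_Host are
# placeholders for the addresses the post leaves out.

# Options added to every hop (assumptions, not in the post):
#  -o ExitOnForwardFailure=yes  fail instead of backgrounding with a dead forward
#  -o ServerAliveInterval=30    notice a dropped hop instead of hanging forever
SSH_OPTS="-Nf -C -o ExitOnForwardFailure=yes -o ServerAliveInterval=30"

# chain_cmds SOCKS_PORT FIRST_LOCAL_PORT user@host[:port] ...
# Prints one ssh command per hop, in the order they must be started.
chain_cmds() {
    socks_port=$1; local_port=$2; shift 2
    prev_local=""                       # loopback port that reaches the previous hop
    while [ $# -gt 0 ]; do
        hop=$1; shift
        user=${hop%%@*}; hostport=${hop#*@}
        host=${hostport%%:*}; port=${hostport##*:}
        [ "$port" = "$hostport" ] && port=22          # :port omitted -> 22
        if [ -z "$prev_local" ]; then
            target=$host; tport=$port                 # first hop: connect directly
        else
            target=localhost; tport=$prev_local       # later hops: through the previous -L
        fi
        if [ $# -gt 0 ]; then
            # intermediate hop: forward a loopback port to the next hop's sshd
            nhp=${1#*@}; nhost=${nhp%%:*}; nport=${nhp##*:}
            [ "$nport" = "$nhp" ] && nport=22
            printf 'ssh %s -L 127.0.0.1:%s:%s:%s %s@%s -p %s\n' \
                "$SSH_OPTS" "$local_port" "$nhost" "$nport" "$user" "$target" "$tport"
            prev_local=$local_port
            local_port=$((local_port + 1))
        else
            # last hop: the SOCKS server, bound to loopback only so that
            # nothing else on the LAN can ride the tunnel unauthenticated
            printf 'ssh %s -D 127.0.0.1:%s %s@%s -p %s\n' \
                "$SSH_OPTS" "$socks_port" "$user" "$target" "$tport"
        fi
    done
}

# run_chain: same arguments; starts each hop and stops at the first failure.
# Commands are read from fd 3 so ssh's password prompt keeps the terminal.
run_chain() {
    tmp=$(mktemp) || return 1
    chain_cmds "$@" > "$tmp"
    while IFS= read -r cmd <&3; do
        echo "+ $cmd"
        eval "$cmd" || { echo "hop failed, stopping" >&2; rm -f "$tmp"; return 1; }
    done 3< "$tmp"
    rm -f "$tmp"
}

# socks_check PORT URL: confirm the listener is loopback-only (Linux "ss")
# and that a request really exits at the last hop. --socks5-hostname makes
# curl resolve names THROUGH the proxy, so internal names resolve at the
# last hop instead of leaking from the client.
socks_check() {
    ss -ltn 2>/dev/null | grep -q "127\.0\.0\.1:$1 " \
        || { echo "no loopback listener on port $1" >&2; return 1; }
    curl -s --max-time 10 --socks5-hostname "127.0.0.1:$1" "$2"
}

# Dry run of the post's own two-hop layout (prints the commands only):
chain_cmds 9833 12345 rootB@B_Host:22 rootC@C_Host:55
```

Start the hops in the printed order: each -L must be listening before the next hop connects through it, which is why run_chain stops at the first failure. socks_check assumes Linux ss and curl are installed.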



Server configuration

Modify the SSH port: set Port in /etc/ssh/sshd_config to the desired port (open that port in the host firewall first, or the restart locks you out) and check that AllowTcpForwarding is yes, which is the default; with no, sshd refuses every -L and -D forward. GatewayPorts only concerns remote forwarding (-R): yes lets remote-forwarded ports listen on non-loopback addresses so other machines can reach them. It is not needed for the chain above, and no is the safer setting. Then execute

service sshd restart
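Before restarting, it is worth checking the values sshd will actually apply rather than the ones that happen to appear last in the file. The script below is an added example, not from the original post: a small parser that reports the effective value of a keyword with sshd's own rules (the first value wins, and a Match block overrides the global section), run against two constructed sshd_config files for hop B, the loose form and a least-privilege form in which forwarding is off for everyone except the tunnel account rootB and, for that account, limited with PermitOpen to the next hop's sshd at C_Host:55. Host and account names are placeholders as elsewhere on this page; the parser only understands "Match User" lines, an assumption that keeps it short.

```shell
#!/bin/sh
# Added example, not code from the original post: check the sshd_config
# keywords the post tells you to look at, with the semantics sshd really
# uses. Two things bite people here: sshd keeps the FIRST value it reads for
# a keyword (later duplicates are ignored), and everything after a "Match"
# line applies only to sessions matching that line. A plain
# "grep AllowTcpForwarding sshd_config | tail -1" gets both wrong.

# sshd_effective_value KEYWORD FILE [USER]
# Prints the value sshd would apply: the first value inside a
# "Match User USER" block if there is one, else the first global value,
# else "unset". Handles "Keyword value" lines; Match lines with other
# criteria are treated as not matching (assumption that keeps the parser short).
sshd_effective_value() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" -v user="${3:-}" '
        BEGIN { sec = "global" }
        { sub(/#.*/, ""); if (NF == 0) next }              # drop comments / blanks
        tolower($1) == "match" {                            # conditional section starts
            sec = (tolower($2) == "user" && $3 == user) ? "target" : "other"
            next
        }
        tolower($1) != key { next }
        { v = $2; for (i = 3; i <= NF; i++) v = v " " $i }  # multi-word values (PermitOpen)
        sec == "global" && gval == "" { gval = v }          # first global value wins
        sec == "target" && tval == "" { tval = v }          # first value in the Match block wins
        END { print (tval != "" ? tval : (gval != "" ? gval : "unset")) }
    ' "$2"
}

# Constructed sshd_config for hop B in the loose form: forwarding open to
# every account, a later "no" that never takes effect, and GatewayPorts
# exposing any remote forward on all interfaces.
write_weak_config() {
    cat > "$1" <<'EOF'
Port 22
AllowTcpForwarding yes
GatewayPorts yes
# someone "disabled" forwarding here, but the first value above still wins:
AllowTcpForwarding no
EOF
}

# Least-privilege form for the same hop: forwarding off by default, enabled
# only for the tunnel account, only as local (-L) forwarding, and only
# towards the next hop's sshd (C_Host:55 as in the post). A stolen key for
# rootB then buys exactly the tunnel and nothing else on B's network.
write_hardened_config() {
    cat > "$1" <<'EOF'
Port 22
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
Match User rootB
    AllowTcpForwarding local
    PermitOpen C_Host:55
EOF
}

# Audit both files, as the post suggests doing before restarting sshd.
audit() {
    f=$(mktemp); "$1" "$f"
    for k in AllowTcpForwarding GatewayPorts PermitOpen; do
        printf '%-20s global=%s rootB=%s\n' "$k" \
            "$(sshd_effective_value "$k" "$f")" "$(sshd_effective_value "$k" "$f" rootB)"
    done
    rm -f "$f"
}
echo "weak:";     audit write_weak_config
echo "hardened:"; audit write_hardened_config
```

On a live host, `sshd -T -C user=rootB,host=B_Host,addr=127.0.0.1` prints the same effective values from sshd itself and is the authoritative check; the parser above is for reading a config you cannot run sshd on.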

SSH IP access restrictions (tcp_wrappers):

/etc/hosts.allow:
sshd:192.168.1.*

/etc/hosts.deny:
sshd:ALL

Changes to these two files take effect immediately with no restart; test from a new terminal window rather than the session you are already in, so a mistake cannot lock you out. Caveat: hosts.allow and hosts.deny only work if sshd was built against libwrap. Upstream OpenSSH removed tcp_wrappers support in 6.7, so on many current distributions these files are silently ignored; check with "ldd /usr/sbin/sshd | grep libwrap", and if it prints nothing restrict source addresses with the host firewall or a Match Address block in sshd_config instead.




Use tool configuration

1. Use MobaXterm to configure the tunnels

Open MobaXterm, choose MobaSSHTunnel in the Network section of the Tools menu, and select New SSH tunnel in the dialog that opens.

In the port forwarding window choose Local port forwarding and fill in the fields as prompted (local port 12345, remote server C_Host port 55, SSH server B_Host port 22 with user rootB, matching the first command above).

Click Save to return to the MobaSSHTunnel dialog, add a second tunnel and this time choose Dynamic port forwarding (local port 9833, SSH server localhost port 12345, user rootC).

The example configuration looks like this:

Start the tunnels in order (the local forward first, then the dynamic one), enter the password for each when prompted, and confirm saving the password if you want that.

Once every tunnel is up, click the lightning icon at the end of each tunnel row to enable auto-reconnect so a dropped link is re-established automatically. (autossh does the same job from the command line.)

☞ Note: MobaXterm Home Edition is limited to two tunnels; Xshell has no such limit.

2. Use Proxifier on the local machine

Open Proxifier, choose Profile > Proxy Servers > Add, and enter the address and port of the SOCKS listener from the last hop: 127.0.0.1 and port 9833 in this example, protocol SOCKS Version 5 (ssh -D speaks both SOCKS4 and SOCKS5; use 5, which carries hostnames so name resolution can happen at C instead of leaking from A).

Save; Proxifier asks whether to use this proxy in its rules, answer Yes. From then on any application routed by Proxifier goes through the SOCKS proxy and reaches the target by way of C.