转:http://blog.csdn.net/eastonwoo/article/details/12975821
端口映射,包括本地端口映射和远程端口映射.本文介绍两种可行的办法:iptables 和 ssh.下面我们来介绍这两种方法的使用方式.
本地主机IP A:192.168.1.119
远程主机IP B:192.168.1.120
方法
1:ssh 方式:
-N 不执行远程命令. 用于转发端口. (仅限协议第二版)
-L port:host:hostport
将本地机(客户机)的某个端口转发到远端指定机器的指定端口. 工作原理是这样的, 本地机器上分配了一个 socket 侦听
port 端口, 一旦这个端口上有了连接, 该连接就经过安全通道转发出去, 同时远程主机和 host 的 hostport 端口建立连接.
可以在配置文件中指定端口的转发. 只有 root 才能转发特权端口. IPv6 地址用另一种格式说明: port/host/hostport
-R port:host:hostport
将远程主机(服务器)的某个端口转发到本地端指定机器的指定端口. 工作原理是这样的, 远程主机上分配了一个 socket 侦听
port 端口, 一旦这个端口上有了连接, 该连接就经过安全通道转向出去, 同时本地主机和 host 的 hostport 端口建立连接.
可以在配置文件中指定端口的转发. 只有用 root 登录远程主机 才能转发特权端口. IPv6 地址用另一种格式说明:
port/host/hostport
1.1: 使用-R参数:
远程映射: ssh -N -R 9876:127.0.0.1:22192.168.1.120 , 意思将远程主机port(9876)端口映射到本地主机host(192.168.1.119)的本地端口hostport(22)上面.192.168.1.120是输这个命令时访问的远程主机. 因为远程主机侦听9876端口,所以远程主机访问9876端口就相当于访问192.168.1.119的22端口了.
测试结果:
A(119):
[root:user] ssh -N -R 9876:127.0.0.1:22 192.168.1.120
root@192.168.1.120's password:
B(120):
<user:work> ssh 127.0.0.1 -p 9876
user@127.0.0.1's password:
Linux debian 3.2.0-3-686-pae #1 SMP Thu Jun 28 08:56:46 UTC 2012 i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Oct 23 19:12:53 2013 from debian.local
[user:~] ifconfig
eth0 Link encap:Ethernet HWaddr 08:00:27:e4:81:9d
inet addr:192.168.1.119 Bcast:192.168.255.255 Mask:255.255.0.0 #120已经成功访问到119机器
inet6 addr: fe80::a00:27ff:fee4:819d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2527825 errors:0 dropped:0 overruns:0 frame:0
TX packets:2946303 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1142752654 (1.0 GiB) TX bytes:3537921035 (3.2 GiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:3658 errors:0 dropped:0 overruns:0 frame:0
TX packets:3658 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:492528 (480.9 KiB) TX bytes:492528 (480.9 KiB)
[user:~]
本地映射: 同理 : ssh -N -R 9876:127.0.0.1:22127.0.0.1, 意思将远程主机port(9876)端口映射到本地主机host(192.168.1.119)的本地端口hostport(22)上面.127.0.0.1是输这个命令时访问的远程主机(实际上用的是本机IP).
测试结果:
A(119):
[root:user] ssh -N -R 9876:127.0.0.1:22 127.0.0.1
root@127.0.0.1's password:
A(120)
[user:work] ssh 127.0.0.1 -p 9876
ssh: connect to host 127.0.0.1 port 9876: Connection refused
[user:work] ssh 127.0.0.1 -p 9876
Linux debian 3.2.0-3-686-pae #1 SMP Thu Jun 28 08:56:46 UTC 2012 i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Oct 23 19:29:00 2013 from localhost
[user:~] #已经成功登陆到shell,从/work目录进入到了user的根用户目录
1.2: 使用-L参数:
远程映射: ssh -N -L 9876:192.168.1.120:22127.0.0.1, 意思将本地主机port(9876)端口映射到远程主机host(192.168.1.120)的远程端口hostport(22)上面.192.168.1.119是输这个命令时捆定的本地主机. 因为本地主机侦听9876端口,所以本地主机访问9876端口就相当于访问192.168.1.120的22端口了.
测试结果:
A(119):
[root:user] ssh -N -L 9876:192.168.1.120:22 127.0.0.1
root@127.0.0.1's password:
A(119):
[user:~] ssh 127.0.0.1 -p 9876
user@127.0.0.1's password:
Linux debian 3.2.0-3-686-pae #1 SMP Thu Jun 28 08:56:46 UTC 2012 i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Oct 23 19:45:30 2013 from debian.local
<user:~> ifconfig
eth0 Link encap:Ethernet HWaddr 08:00:27:e4:81:9d
inet addr:192.168.1.120 Bcast:192.168.255.255 Mask:255.255.0.0 #119已经成功访问到120机器
inet6 addr: fe80::a00:27ff:fee4:819d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:13528 errors:0 dropped:0 overruns:0 frame:0
TX packets:1731 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1304332 (1.2 MiB) TX bytes:331565 (323.7 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:774 errors:0 dropped:0 overruns:0 frame:0
TX packets:774 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:104032 (101.5 KiB) TX bytes:104032 (101.5 KiB)
<user:~>
本地映射: 同理,也就不多说了,大家可以自己尝试一下.
2:iptables 方式:
将与 9876 端口的 TCP 连接转接到本地的 22端口上。使用 DNAT (Destination Network Address Translation) 技术可以满足这一要求。
因为 iptables 在处理本地连接和远程连接的方法不同,所以需要分开处理。
2.1:远程连接
远程连接指的是由另外一台机器连接到这台机器上。这种连接的数据包在 iptables 会首先经过 PREROUTING 链,所以只需在 PREROUTING 链中作 DNAT。
# iptables -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.1.119 --dport 9876 -j DNAT --to 192.168.1.120:22
2.2:本地连接
本地连接指的是在本机上,用 127.0.0.1 或者本机 IP 来访问本机的端口。本地连接的数据包不会通过网卡,而是由内核处理后直接发给本地进程。这种数据包在 iptables 中只经过 OUTPUT 链,而不会经过 PREROUTING 链。所以需要在 OUTPUT 链中进行 DNAT。除了对127.0.0.1 之外,对本机 IP (即192.168.1.119) 的访问也属于本地连接。
# iptables -t nat -A OUTPUT -p tcp -d 127.0.0.1 --dport 9876 -j DNAT --to 127.0.0.1:22
# iptables -t nat -A OUTPUT -p tcp -d 192.168.1.119 --dport 9876 -j DNAT --to 127.0.0.1:22
测试结果:
A(119):
[root:src]
[root:src] iptables -L -t nat -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
[root:src] iptables -t nat -A OUTPUT -p tcp -d 127.0.0.1 --dport 9876 -j DNAT --to 127.0.0.1:22
[root:src] iptables -t nat -A OUTPUT -p tcp -d 192.168.1.119 --dport 9876 -j DNAT --to 127.0.0.1:22
[root:src] iptables -L -t nat -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 127.0.0.1 tcp dpt:9876 to:127.0.0.1:22
DNAT tcp -- 0.0.0.0/0 192.168.1.119 tcp dpt:9876 to:127.0.0.1:22
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
[root:src]
A(119):
[user:src]
[user:src] ssh 192.168.1.119 -p 9876
Linux debian 3.2.0-3-686-pae #1 SMP Thu Jun 28 08:56:46 UTC 2012 i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Oct 23 19:33:43 2013 from localhost
[user:~] 登出
Connection to 192.168.1.119 closed.
[user:src] ssh 127.0.0.1 -p 9876
Linux debian 3.2.0-3-686-pae #1 SMP Thu Jun 28 08:56:46 UTC 2012 i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Oct 23 20:12:54 2013 from debian.local
[user:~] 登出
Connection to 127.0.0.1 closed.
[user:src]