如何使用 SSH 隧道连接到我有权访问的机器上开放但不向外界开放的端口？

Question 1

您需要使用 ssh 的绑定地址选项：

 -L [bind_address:]port:host:hostport
         Specifies that the given port on the local (client) host
         is to be forwarded to the given host and port on the
         remote side.  This works by allocating a socket to lis‐
         ten to port on the local side, optionally bound to the
         specified bind_address.  Whenever a connection is made
         to this port, the connection is forwarded over the
         secure channel, and a connection is made to host port
         hostport from the remote machine.  Port forwardings can
         also be specified in the configuration file.  IPv6
         addresses can be specified by enclosing the address in
         square brackets.  Only the superuser can forward privi‐
         leged ports.  By default, the local port is bound in
         accordance with the GatewayPorts setting.  However, an
         explicit bind_address may be used to bind the connection
         to a specific address.  The bind_address of “localhost”
         indicates that the listening port be bound for local use
         only, while an empty address or ‘*’ indicates that the
         port should be available from all interfaces.

因此，例如要将本地端口 1234 绑定到远程服务器 server.example.com 的端口 6667，您可以执行以下操作：

ssh -f -L 1234:localhost:6667 server.example.com

Answer

您需要使用 ssh 的绑定地址选项：

 -L [bind_address:]port:host:hostport
         Specifies that the given port on the local (client) host
         is to be forwarded to the given host and port on the
         remote side.  This works by allocating a socket to lis‐
         ten to port on the local side, optionally bound to the
         specified bind_address.  Whenever a connection is made
         to this port, the connection is forwarded over the
         secure channel, and a connection is made to host port
         hostport from the remote machine.  Port forwardings can
         also be specified in the configuration file.  IPv6
         addresses can be specified by enclosing the address in
         square brackets.  Only the superuser can forward privi‐
         leged ports.  By default, the local port is bound in
         accordance with the GatewayPorts setting.  However, an
         explicit bind_address may be used to bind the connection
         to a specific address.  The bind_address of “localhost”
         indicates that the listening port be bound for local use
         only, while an empty address or ‘*’ indicates that the
         port should be available from all interfaces.

因此，例如要将本地端口 1234 绑定到远程服务器 server.example.com 的端口 6667，您可以执行以下操作：

ssh -f -L 1234:localhost:6667 server.example.com

Question 2

假设 ssh 主机是公开可访问的，你可能需要查看端口敲门以下是将其应用于 SSH 的一种方法：http://www.marksanborn.net/linux/add-port-knocking-to-ssh-for-extra-security/

Answer

假设 ssh 主机是公开可访问的，你可能需要查看端口敲门以下是将其应用于 SSH 的一种方法：http://www.marksanborn.net/linux/add-port-knocking-to-ssh-for-extra-security/

Question 3

看看这里：http://dzervas.gr/notes/ssh-tunnel/ 它实际上创建了一个 socks 本地代理，其中传递的所有数据都会发送到 sshed 机器上的任意端口。

Answer

看看这里：http://dzervas.gr/notes/ssh-tunnel/ 它实际上创建了一个 socks 本地代理，其中传递的所有数据都会发送到 sshed 机器上的任意端口。

Question 4

您的问题有点奇怪，因为您问的是“如何设置远程计算机以便仅使用 ssh 从源计算机进行访问”？

或者您想问如何设置它来限制访问，只允许您的计算机进行任何操作，然后使用 ssh 连接到它。

或者您是说它已经这样设置了，您现在如何使用 SSH 连接。

无论如何，

看看这个帖子这里它提到了几种限制访问的方法，提到使用 SSH 或 iptables（防火墙）来限制访问，如果您随后想要使用 SSH 连接，那很正常。

为什么不在 /etc/host.allow 中添加：sshd：IPADDRESS，IPADRRESS

或者

/etc/ssh/sshd_config 中可能存在类似这样的内容？AllowUsers [电子邮件保护].*,1.2.3.4,5.6.7.8

[电子邮件保护].*[电子邮件保护].*

这

sshd_config 中的 AllowUsers 选项是最简单的

如果您知道用户是谁，则可以使用路由。或者，

还有同样简单的 tcp_wrappers 方法

（/etc/hosts.allow 和 /etc/hosts.deny）。

或者

设置防火墙规则可能更容易，例如 iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 --source [accepted ip address here] -j ACCEPT

Answer