无法使用 SSH 将动态端口转发到主机

我正在尝试从 HostC（可从外部访问互联网）通过 HostB 在 HostA 上设置 SOCKS 代理服务器。PermitTunnel yes在 HostC 上配置 /etc/ssh/sshd_config 后，我设法使用以下命令在 HostB 上连接到互联网：

HostB$ ssh -D 1080 user@HostC -N
HostB$ curl --socks5 localhost:1080 http://google.com/ // receives HTML response

但是我根本无法将HostB上的这个1080端口转发到HostA，无论是反向转发（从HostB），还是本地转发（从HostA）。

HostB$ ssh -R 1080:localhost:1080 user@HostA -N
or
HostA$ ssh -L 1080:localhost:1080 user@HostB -N

我将端口 1080 转发到 HostA 后，它开始显示在 上nmap localhost，因此此端口可供连接。HostB 也是如此。

当我尝试调用以下 curl 命令时，我总是curl: (52) Empty reply from server在这个终端上收到。

HostA$ curl --socks5 localhost:1080 http://google.com/

我使用 -N 使终端保持打开状态。一个在 HostB 上使用动态 BC 连接，另一个在 HostA 上使用本地 AB 连接。

我甚至尝试将 -vvv 添加到所有 ssh 会话，当我curl从 HostB 调用时，它会在 BC 连接终端上记录该过程，而当我curl从 HostA 调用时，它会同时记录 AB 和 BC 终端，尽管仍然收到错误。

我确保所有主机都允许 PermitTunnel、GatewayPorts 和 AllowTcpForwarding，但没有任何区别。

编辑：这是终端 1 和 2 上的 SSH 详细日志。

1号航站楼

HostB$ ssh -D 1080 user@HostC -Nv

OpenSSH_5.3p1 Debian-3ubuntu5, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 172.16.2.176 [172.16.2.176] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type 0
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /root/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /root/.ssh/id_dsa type 2
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6p1 Ubuntu-4ubuntu0.7
debug1: match: OpenSSH_7.6p1 Ubuntu-4ubuntu0.7 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu5
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '172.16.2.176' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:310
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /root/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /root/.ssh/id_dsa
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
[email protected]'s password: 
debug1: Authentication succeeded (password).
debug1: Local connections to LOCALHOST:1080 forwarded to remote address socks:0
debug1: Local forwarding listening on ::1 port 1080.
debug1: channel 0: new [port listener]
debug1: Local forwarding listening on 127.0.0.1 port 1080.
debug1: channel 1: new [port listener]
debug1: Requesting tun unit 2147483647 in mode 1
debug1: sys_tun_open: tunnel mode 1 fd 6
debug1: channel 2: new [tun]
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: client_input_global_request: rtype [email protected] want_reply 0
debug1: Remote: Failed to open the tunnel device.
channel 2: open failed: connect failed: open failed
debug1: channel 2: free: tun, nchannels 3

这句话channel 2: open failed: connect failed: open failed引起了我的兴趣。我找不到解决这个问题的方法，也不知道这是否是导致我无法正确连接的原因。无论如何，我仍然能够在 HostB 上使用 curl 连接到互联网。

HostB$ curl --socks5 127.0.0.1:1080 http://google.com/

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>

它会记录以下内容1号航站楼：

debug1: Connection to port 1080 forwarding to socks port 0 requested.
debug1: channel 2: new [dynamic-tcpip]
debug1: channel 2: free: direct-tcpip: listening port 1080 for 142.250.219.142 port 80, connect from 127.0.0.1 port 34742, nchannels 3

继续转发到 HostA，我收到以下日志：

2 号航站楼

HostB$ ssh -R 1080:127.0.0.1:1080 root@HostA -Nv

OpenSSH_5.3p1 Debian-3ubuntu5, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 192.168.1.64 [192.168.1.64] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type 0
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /root/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /root/.ssh/id_dsa type 2
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH_4*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu5
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '192.168.1.64' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:318
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: An invalid name was supplied
Cannot determine realm for numeric host address

debug1: An invalid name was supplied
Cannot determine realm for numeric host address

debug1: An invalid name was supplied


debug1: Next authentication method: publickey
debug1: Offering public key: /root/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Offering public key: /root/.ssh/id_dsa
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: password
[email protected]'s password: 
debug1: Authentication succeeded (password).
debug1: Remote connections from LOCALHOST:1080 forwarded to local address 127.0.0.1:1080
debug1: Requesting tun unit 2147483647 in mode 1
debug1: sys_tun_open: tunnel mode 1 fd 4
debug1: channel 0: new [tun]
debug1: Entering interactive session.
debug1: remote forward success for: listen 1080, connect 127.0.0.1:1080
debug1: All remote forwarding requests processed

此后，我尝试卷曲。

HostA$ curl --socks5 127.0.0.1:1080 http://google.com/

它立即在两个终端上生成以下日志：

1号航站楼

debug1: Connection to port 1080 forwarding to socks port 0 requested.
debug1: channel 2: new [dynamic-tcpip]
debug1: channel 2: free: direct-tcpip: listening port 1080 for 142.250.219.142 port 80, connect from 127.0.0.1 port 34742, nchannels 3
debug1: Connection to port 1080 forwarding to socks port 0 requested.
debug1: channel 2: new [dynamic-tcpip]

2 号航站楼

debug1: client_input_channel_open: ctype forwarded-tcpip rchan 2 win 2097152 max 32768
debug1: client_request_forwarded_tcpip: listen localhost port 1080, originator 127.0.0.1 port 36165
debug1: connect_next: host 127.0.0.1 ([127.0.0.1]:1080) in progress, fd=5
debug1: channel 1: new [127.0.0.1]
debug1: confirm forwarded-tcpip
debug1: channel 1: connected to 127.0.0.1 port 1080

此后，通常需要大约 20 秒才能收到 curl 响应，即curl: (52) Empty reply from server。

收到错误后，它还会记录以下内容：

1号航站楼 debug1: channel 2: free: dynamic-tcpip, nchannels 3

2 号航站楼 debug1: channel 1: free: 127.0.0.1, nchannels 2

编辑2：

我尝试使用HostA$ ssh -D 1080 -o ProxyCommand="ssh root@HostB nc %h %p" user@HostC -N，但也没有成功。

由于我在 HostA 上安装了旧版本的 OpenSSH，因此我无法在 ProxyCommand 上使用 Jump 选项 (-J) 或 -W。

主机A：CentOS 4/5

主机B/C：Ubuntu