Choosing the interface for SSH port forwarding


I have a server, call it hub-server.tld, which has three IP addresses: 100.200.130.121, 100.200.130.122 and 100.200.130.123. I have three different machines that sit behind a firewall, and I want to use SSH to forward a port from one machine to each of those IP addresses. For example: machine-one should listen for SSH on port 22 on 100.200.130.121, machine-two should do the same on 100.200.130.122, and so on; the service port may be the same on all machines.

The SSH man page lists -R [bind_address:]port:host:hostport, and I have GatewayPorts enabled, but when I use -R with a specific IP address the server still listens on the port on all interfaces:

machine-one:

# ssh -NR 100.200.130.121:22:localhost:22 [email protected]

hub-server.tld (sshd listens on port 2222):

# netstat -tan | grep LISTEN
tcp        0      0 100.200.130.121:2222        0.0.0.0:*                   LISTEN
tcp        0      0 :::22                       :::*                        LISTEN
tcp        0      0 :::80                       :::*                        LISTEN

Is there a way to make SSH forward only the connections arriving on a specific IP address to machine-one, so that I can listen on port 22 on the other IP addresses at the same time, or do I have to do something with iptables? Here are all the non-comment/non-default lines in my sshd config:

Port 2222
Protocol 2
SyslogFacility AUTHPRIV
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication no
GSSAPICleanupCredentials no
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
AllowTcpForwarding yes
GatewayPorts yes
X11Forwarding yes
ClientAliveInterval 30
ClientAliveCountMax 1000000
UseDNS no
Subsystem       sftp    /usr/libexec/openssh/sftp-server

Answer 1

sshd_config(5)

GatewayPorts

  Specifies whether remote hosts are allowed to connect to ports forwarded 
  for the client.  By default, sshd(8) binds remote port forwardings to the
  loopback address. This prevents other remote hosts from connecting to 
  forwarded ports.  GatewayPorts can be used to specify that sshd should 
  allow remote port forwardings to bind to non-loopback addresses, thus 
  allowing other hosts to connect.  The argument may be “no” to force remote 
  port forwardings to be available to the local host only, “yes” to force 
  remote port forwardings to bind to the wildcard address, or 
  “clientspecified” to allow the client to select the address to which the 
  forwarding is bound.  The default is “no”.

You want to set it to clientspecified instead of yes.
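Putting the answer into practice, as an added example that is not part of the original thread: assuming hub-server.tld's sshd_config now carries GatewayPorts clientspecified and a placeholder login "user", this POSIX shell script lists the per-address -R command each machine would run and checks netstat -tan output to confirm that a forwarded port is bound only to the requested addresses rather than to the wildcard address.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes hub-server.tld's
# sshd_config has been changed to
#     GatewayPorts clientspecified
# and sshd reloaded, after which each machine asks for its own address:
#     ssh -NR 100.200.130.121:22:localhost:22 user@hub-server.tld   # machine-one
#     ssh -NR 100.200.130.122:22:localhost:22 user@hub-server.tld   # machine-two
#     ssh -NR 100.200.130.123:22:localhost:22 user@hub-server.tld   # machine-three
# ("user" is a placeholder login). The functions below verify, from
# `netstat -tan` output, that a forwarded port is bound only to specific
# addresses and not to the wildcard (0.0.0.0 / ::), which would expose the
# forwarded service on every interface of the hub.

# Print each local address on which TCP port $1 is in LISTEN state.
# Reads netstat -tan output on stdin; handles IPv4 and IPv6 ("::") forms.
listen_addrs() {
    awk -v p="$1" '$NF == "LISTEN" {
        n = split($4, a, ":")
        if (a[n] != p) next
        print substr($4, 1, length($4) - length(p) - 1)
    }'
}

# Return 0 if port $1 has no wildcard bind, 1 if it is bound on 0.0.0.0 or ::.
no_wildcard_bind() {
    if listen_addrs "$1" | grep -qxE '0\.0\.0\.0|::|\*'; then
        return 1
    fi
    return 0
}

# Constructed sample: the "GatewayPorts yes" state from the question
# (port 22 on :::, i.e. all interfaces) ...
BEFORE='tcp        0      0 100.200.130.121:2222        0.0.0.0:*                   LISTEN
tcp        0      0 :::22                       :::*                        LISTEN'
# ... and the expected state after "clientspecified": one bind per requested IP.
AFTER='tcp        0      0 100.200.130.121:2222        0.0.0.0:*                   LISTEN
tcp        0      0 100.200.130.121:22          0.0.0.0:*                   LISTEN
tcp        0      0 100.200.130.122:22          0.0.0.0:*                   LISTEN'

report() {  # $1 = label, $2 = netstat output
    if printf '%s\n' "$2" | no_wildcard_bind 22; then
        echo "$1: port 22 bound only on: $(printf '%s\n' "$2" | listen_addrs 22 | tr '\n' ' ')"
    else
        echo "$1: port 22 bound on a wildcard address (reachable on all interfaces)"
    fi
}
report before "$BEFORE"
report after "$AFTER"
```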
