我有两台 CentOS 7 服务器(此场景中为 Hypervisor 和 Relay)。我希望使用 Relay 连接到防火墙后面的 Hypervisor 上的 VNC 端口,并且服务器已向 Hypervisor 开放 SSH。
我要求 Hypervisor 使用以下命令建立连接:
ssh -N -R 0.0.0.0:5912:127.0.0.1:5912 root@Relay
完成此操作后,我可以通过以下方式连接到 Relay 上的端口:
telnet localhost:5912
我收到回复:RFB 003.008
当我使用分配的 IP 地址进行 telnet 时:
telnet 1.2.3.4:5912
中继:连接被拒绝
请注意,IP 1.2.3.4 是 Relay NIC 的 IP,而不是某些 NAT 的 IP。
我也无法从 Relay 子网内的另一台服务器进行连接。
答案1
默认情况下,sshd 拒绝允许远程访问以此方式转发的端口。这在ssh(1)手册页中有说明。
Specifying a remote bind_address will only succeed if the
server's GatewayPorts option is enabled (see sshd_config(5)).
的文档GatewayPorts说默认情况下它是关闭的。由于它对安全敏感,所以这是一个合理的默认设置。来自sshd_config(5):
GatewayPorts
Specifies whether remote hosts are allowed to connect to ports
forwarded for the client. By default, sshd(8) binds remote port
forwardings to the loopback address. This prevents other remote
hosts from connecting to forwarded ports. GatewayPorts can be
used to specify that sshd should allow remote port forwardings to
bind to non-loopback addresses, thus allowing other hosts to con‐
nect. The argument may be no to force remote port forwardings to
be available to the local host only, yes to force remote port
forwardings to bind to the wildcard address, or clientspecified
to allow the client to select the address to which the forwarding
is bound. The default is no.