SSH port forwarding not working

I have two CentOS 7 servers (in this scenario, Hypervisor and Relay). I want to use Relay to reach the VNC port on Hypervisor, which sits behind a firewall, and SSH on that server is open to Hypervisor.

I have Hypervisor establish the connection with the following command:

ssh -N -R 0.0.0.0:5912:127.0.0.1:5912 root@Relay

Once this is done, I can connect to the port on Relay with:

telnet localhost:5912 

I get the reply: RFB 003.008

When I telnet using the assigned IP address:

telnet 1.2.3.4:5912 

Reply: Connection refused

Note that IP 1.2.3.4 is the IP of Relay's NIC, not some NAT address.

I also cannot connect from another server inside Relay's subnet.

Answer 1

By default, sshd refuses to allow remote access to ports forwarded in this way. This is documented in the ssh(1) man page:

             Specifying a remote bind_address will only succeed if the
             server's GatewayPorts option is enabled (see sshd_config(5)).

The documentation for GatewayPorts says it is off by default. Since it is security sensitive, that is a sensible default. From sshd_config(5):

     GatewayPorts
             Specifies whether remote hosts are allowed to connect to ports
             forwarded for the client.  By default, sshd(8) binds remote port
             forwardings to the loopback address.  This prevents other remote
             hosts from connecting to forwarded ports.  GatewayPorts can be
             used to specify that sshd should allow remote port forwardings to
             bind to non-loopback addresses, thus allowing other hosts to con‐
             nect.  The argument may be no to force remote port forwardings to
             be available to the local host only, yes to force remote port
             forwardings to bind to the wildcard address, or clientspecified
             to allow the client to select the address to which the forwarding
             is bound.  The default is no.
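The practical consequence of the answer is that the `-R 0.0.0.0:5912:...` request is silently downgraded to a loopback bind unless sshd on Relay allows it, and the narrowest way to allow it is `GatewayPorts clientspecified` (the client picks the address) rather than `yes` (every remote forwarding binds the wildcard address); sshd_config(5) also lists GatewayPorts among the keywords permitted inside a Match block, so it can be limited to one user. The script below is an added example, not code from the question or the answer: it shows how an administrator would confirm the effective GatewayPorts value from sshd_config text and then check, from an `ss -ltn`-style listing, whether a forwarded port is actually reachable off loopback. Both inputs are constructed samples with placeholder ports; on a real host you would feed it `cat /etc/ssh/sshd_config` and `ss -ltn` instead.

```shell
#!/bin/sh
# Added example, not part of the original question or answer.
# Two small audit helpers for the situation above:
#   1. effective_gatewayports  - which GatewayPorts value sshd will apply
#   2. nonloopback_bindings    - whether a forwarded port is reachable off loopback
# All input below is constructed sample text, not output from a real host.

# Constructed sshd_config: a commented-out "yes" and a live "clientspecified".
SAMPLE_SSHD_CONFIG='# sshd_config (constructed sample)
Port 22
#GatewayPorts yes
PermitRootLogin no
gatewayports clientspecified
'

# Constructed listing in the shape of "ss -ltn" output on Relay.
# Port 5912 is bound only to loopback; port 5913 is bound to the wildcard address.
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:5912      0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:5913        0.0.0.0:*
LISTEN 0      128    [::1]:5912          [::]:*
'

# effective_gatewayports <sshd_config text>
# Prints the value sshd will use: the first non-comment GatewayPorts line wins
# (sshd keeps the first occurrence of a keyword), the keyword is matched
# case-insensitively, and an absent directive means the documented default "no".
effective_gatewayports() {
  val=$(printf '%s\n' "$1" | awk '
    /^[ \t]*#/ { next }
    tolower($1) == "gatewayports" { print tolower($2); exit }')
  if [ -n "$val" ]; then
    printf '%s\n' "$val"
  else
    printf 'no\n'
  fi
}

# nonloopback_bindings <ss -ltn text> <port>
# Prints every local address on which <port> is listening other than
# 127.0.0.1 and [::1], i.e. the bindings other hosts could reach.
nonloopback_bindings() {
  printf '%s\n' "$1" | awk -v port="$2" '
    $1 == "LISTEN" {
      addr = $4; sub(/:[0-9]+$/, "", addr)   # strip the trailing ":port"
      p = $4;    sub(/.*:/, "", p)           # keep only the port number
      if (p == port && addr != "127.0.0.1" && addr != "[::1]") print addr
    }'
}

echo "effective GatewayPorts: $(effective_gatewayports "$SAMPLE_SSHD_CONFIG")"
echo "non-loopback bindings for 5912: $(nonloopback_bindings "$SAMPLE_SS_OUTPUT" 5912)"
echo "non-loopback bindings for 5913: $(nonloopback_bindings "$SAMPLE_SS_OUTPUT" 5913)"
```

With the sample input the first helper reports `clientspecified`, port 5912 shows no non-loopback binding (the situation in the question), and port 5913 shows `0.0.0.0`. Note that changing GatewayPorts only takes effect for forwardings set up after sshd is reloaded, so the `ssh -N -R ...` session from Hypervisor has to be re-established before the second check will show the new binding.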