Yanyg - Software Engineer

SSH Reverse Proxy


My home line is from 互联万邦 and comes with no usable public IP. Sometimes I need to reach a few machines at home from outside, so I set up a reverse proxy (a reverse SSH tunnel) on an Aliyun ECS instance. This is the configuration, written down for reference.

1 Enable the reverse proxy on the ECS

Add one line to /etc/ssh/sshd_config:

GatewayPorts yes

Reload sshd afterwards and confirm the effective value with "sshd -T | grep -i gatewayports": sshd uses the first value it finds for a keyword, so a line appended at the end loses to an earlier GatewayPorts line or to one pulled in through an Include. Be clear about what "yes" does: every port the home machine forwards with -R is bound on the ECS's public address, so anyone who can reach the ECS (the Aliyun security group permitting) can reach the home machine's sshd. From sshd_config(5):

GatewayPorts Specifies whether remote hosts are allowed to connect to ports forwarded for the client. By default, sshd(8) binds remote port forwardings to the loopback address. This prevents other remote hosts from connecting to forwarded ports. GatewayPorts can be used to specify that sshd should allow remote port forwardings to bind to non-loopback addresses, thus allowing other hosts to connect. The argument may be no to force remote port forwardings to be available to the local host only, yes to force remote port forwardings to bind to the wildcard address, or clientspecified to allow the client to select the address to which the forwarding is bound. The default is no.

2 Open the reverse connection automatically from the home machine

2.1 ECS host mapping

For convenience, map the public IP assigned to the ECS to the name a:

~$ cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       t430
xxx.xxx.xxx.xxx a

2.2 ssh test

Run the command by hand and try a reverse connection on port 8888:

~$ ssh -NR '*:8888:localhost:22' yanyg@a -i /home/rt/.ssh/id_rsa

-N means do not execute any remote command; -R specifies the bind address and port of the remote forwarding. From ssh(1):

-N Do not execute a remote command. This is useful for just forwarding ports.

-R [bind_address:]port Specifies that connections to the given TCP port or Unix socket on the remote (server) host are to be forwarded to the local side.

This works by allocating a socket to listen to either a TCP port or to a Unix socket on the remote side. Whenever a connection is made to this port or Unix socket, the connection is forwarded over the secure channel, and a connection is made from the local machine to either an explicit destination specified by host port hostport, or local_socket, or, if no explicit destination was specified, ssh will act as a SOCKS 4/5 proxy and forward connections to the destinations requested by the remote SOCKS client.

Port forwardings can also be specified in the configuration file. Privileged ports can be forwarded only when logging in as root on the remote machine. IPv6 addresses can be specified by enclosing the address in square brackets.

By default, TCP listening sockets on the server will be bound to the loopback interface only. This may be overridden by specifying a bind_address. An empty bind_address, or the address '*', indicates that the remote socket should listen on all interfaces. Specifying a remote bind_address will only succeed if the server's GatewayPorts option is enabled (see sshd_config(5)).

If the port argument is ‘0’, the listen port will be dynamically allocated on the server and reported to the client at run time. When used together with -O forward the allocated port will be printed to the standard output.

From any other computer, try to connect:

~$ ssh -p 8888 rt@a

Enter the password and the test passes. This also shows what has been exposed: the home machine's sshd, password authentication included, now answers on the ECS's public IP and will collect the same brute-force attempts as any other Internet-facing SSH port. Either switch the home machine to key-only logins (PasswordAuthentication no) or bind the forward to 127.0.0.1 on the ECS and reach it with ssh -J through the ECS account.
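A quick check for that exposure, added here as an example (it is not part of the original post): it asks the forwarded port which authentication methods it accepts without sending any credential, by offering the "none" method and reading the list sshd returns in its refusal. It assumes the host alias a, the user rt and the port 8888 from the test above, and an ssh client on the probing machine.

```shell
#!/bin/sh
# Check which authentication methods the forwarded port offers to the Internet,
# without presenting any credential. Added example, not from the post.
set -eu

# Extract the method list from ssh's final refusal, e.g.
# "rt@a: Permission denied (publickey,password)." -> "publickey,password"
auth_methods_from_denial() {   # $1 = captured ssh client output
    printf '%s\n' "$1" | sed -n 's/.*Permission denied (\([^)]*\)).*/\1/p' | head -n 1
}

# Exit 0 when a guessable method is on the list, 1 otherwise
offers_password() {            # $1 = comma-separated method list
    case ",$1," in
        *,password,*|*,keyboard-interactive,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live probe: offering no method at all makes sshd list what it would accept.
# BatchMode stops ssh from prompting; the refusal text is the result we want.
# No key material is sent, so host-key trust does not matter for this probe
# and known_hosts is left untouched.
probe_auth_methods() {         # $1 = user, $2 = host, $3 = port
    out=$(ssh -o PreferredAuthentications=none -o PubkeyAuthentication=no \
              -o BatchMode=yes -o ConnectTimeout=5 -o LogLevel=ERROR \
              -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no \
              -p "$3" "$1@$2" 2>&1 || true)
    auth_methods_from_denial "$out"
}

# Usage from any machine outside the home network:  sh probe.sh probe
if [ "${1:-}" = "probe" ]; then
    methods=$(probe_auth_methods rt a 8888)    # user, alias and port from the test above
    echo "rt@a:8888 accepts: ${methods:-<no refusal seen; is the tunnel up?>}"
    if offers_password "$methods"; then
        echo "WARNING: password login is reachable on the ECS's public port" >&2
        exit 2
    fi
fi
```

An empty result means ssh never got as far as authentication (tunnel down, port blocked by the security group, or a host-key problem), which is worth distinguishing from "publickey" only.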

2.3 Connect automatically at boot

Implemented with systemd + autossh. The service file /etc/systemd/system/autossh.service:

[Unit]
Description=Auto SSH Tunnel
# After= only orders the unit; Wants= is what actually pulls network-online.target in
Wants=network-online.target
After=network-online.target
[Service]
User=rt
Type=simple
# autossh treats an ssh exit within 30 s of its first start as a hard error and quits;
# at boot, before DNS is up, that would trip systemd's start-rate limit
Environment=AUTOSSH_GATETIME=0
# -M 8988: autossh loops test traffic through 8988 and its echo port 8989 on this machine
ExecStart=/usr/bin/autossh -p 22 -M 8988 -CNR '*:8989:localhost:22' yanyg@a -i /home/rt/.ssh/id_rsa
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=always
RestartSec=10
[Install]
WantedBy=multi-user.target
WantedBy=graphical.target

Reload systemd so it picks up the new unit file, then enable and start the service:

~$ systemctl daemon-reload
~$ systemctl enable --now autossh
~$ systemctl status autossh
● autossh.service - Auto SSH Tunnel
   Loaded: loaded (/etc/systemd/system/autossh.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2020-08-26 23:45:41 CST; 1 weeks 2 days ago
 Main PID: 1214 (autossh)
    Tasks: 2 (limit: 4915)
   Memory: 2.4M
   CGroup: /system.slice/autossh.service
           ├─1214 /usr/lib/autossh/autossh -p 22 -M 8988 -CNR *:8989:localhost:22 yanyg@a -i /home/rt/.ssh/id_rsa
           └─8794 /usr/bin/ssh -L 8988:127.0.0.1:8988 -R 8988:127.0.0.1:8989 -p 22 -CNR *:8989:localhost:22 -i /home/rt/.ssh/id_rsa yanyg@a

The child ssh line shows what -M 8988 does: autossh adds -L 8988:127.0.0.1:8988 -R 8988:127.0.0.1:8989 and sends test traffic around that loop, so the monitor port, and the port just above it on the home machine (autossh's echo listener), must be free. A second unit, autossh2.service, uses a different set of ports as a backup:

yanyg@t430:~/ $ cat /etc/systemd/system/autossh2.service
[Unit]
Description=Auto SSH Tunnel2
# After= only orders the unit; Wants= is what actually pulls network-online.target in
Wants=network-online.target
After=network-online.target
[Service]
User=rt
Type=simple
# see autossh.service: do not let an early ssh exit at boot stop autossh for good
Environment=AUTOSSH_GATETIME=0
# -M 8998: monitor port 8998, echo port 8999 on this machine; tunnel port 8999 on the ECS
ExecStart=/usr/bin/autossh -p 22 -M 8998 -CNR '*:8999:localhost:22' yanyg@a -i /home/rt/.ssh/id_rsa
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=always
RestartSec=10
[Install]
WantedBy=multi-user.target
WantedBy=graphical.target
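The same setup with the exposure from sections 1 and 2.2 removed, as one added example that is not the post's own configuration: GatewayPorts stays at its default, the home machine binds its -R port to 127.0.0.1 on the ECS, a restricted shell-less account owns the tunnel on the ECS, and clients reach home with ProxyJump through the ECS. Assumed, not taken from the post: an account named tunnel on the ECS, a passphrase-less ed25519 key at /home/rt/.ssh/id_ed25519 used only for this tunnel, the ECS host key already in rt's known_hosts from the manual test, OpenSSH 7.8 or newer on the ECS (PermitListen and permitlisten) and 7.3 or newer on the laptop (-J). The alias a, the user rt and the port 8989 are the post's. Run as root with the argument ecs (plus the tunnel public key line) on the ECS, or home on the home machine; with no argument it only defines the functions.

```shell
#!/bin/sh
# Reverse tunnel without GatewayPorts yes: the home machine binds its -R port
# to 127.0.0.1 on the ECS, a restricted account owns the tunnel, and clients
# reach the home machine through the ECS with ProxyJump.
# Added example, not the post's configuration; names below are assumptions.
set -eu

TUNNEL_USER="tunnel"                      # dedicated, shell-less account on the ECS (assumed)
TUNNEL_PORT="8989"                        # port reserved for the home machine (from the post)
HOME_USER="rt"                            # local account on the home machine (from the post)
ECS_HOST="a"                              # /etc/hosts alias for the ECS (from the post)
KEY="/home/$HOME_USER/.ssh/id_ed25519"    # tunnel-only key, no passphrase (BatchMode never prompts)

# --- ECS side -------------------------------------------------------------
# Match block for the tunnel account. Needs OpenSSH 7.8+ (PermitListen).
# Match blocks must follow all global settings, so append it to
# /etc/ssh/sshd_config (or drop it into sshd_config.d/ on OpenSSH 8.2+).
ecs_sshd_match_block() {
    cat <<EOF

Match User $TUNNEL_USER
    AllowTcpForwarding remote
    PermitListen 127.0.0.1:$TUNNEL_PORT
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    PasswordAuthentication no
    ForceCommand /bin/false
EOF
}

# authorized_keys entry: "restrict" disables everything, "port-forwarding"
# re-enables only forwarding, permitlisten pins the port a second time.
tunnel_authorized_key() {   # $1 = public key line (contents of id_ed25519.pub)
    printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s" %s\n' "$TUNNEL_PORT" "$1"
}

install_ecs_side() {        # run as root on the ECS; $1 = public key line
    id "$TUNNEL_USER" >/dev/null 2>&1 || \
        useradd -r -m -d "/home/$TUNNEL_USER" -s /usr/sbin/nologin "$TUNNEL_USER"
    ssh_dir="/home/$TUNNEL_USER/.ssh"
    mkdir -p "$ssh_dir"
    tunnel_authorized_key "$1" > "$ssh_dir/authorized_keys"
    chown -R "$TUNNEL_USER:" "$ssh_dir"
    chmod 700 "$ssh_dir" && chmod 600 "$ssh_dir/authorized_keys"
    ecs_sshd_match_block >> /etc/ssh/sshd_config
    sshd -t                                  # refuse to reload a broken config
    systemctl reload ssh 2>/dev/null || systemctl reload sshd
}

# --- home side ------------------------------------------------------------
# -M 0 drops autossh's extra monitor/echo port pair; ssh's own keepalives
# detect a dead link, and ExitOnForwardFailure makes ssh quit (so autossh
# retries) when the remote port is still held by a stale session.
home_autossh_unit() {
    cat <<EOF
[Unit]
Description=Reverse SSH tunnel to the ECS (port $TUNNEL_PORT)
Wants=network-online.target
After=network-online.target

[Service]
User=$HOME_USER
Environment=AUTOSSH_GATETIME=0
ExecStart=/usr/bin/autossh -M 0 -N \\
    -o ExitOnForwardFailure=yes \\
    -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \\
    -o BatchMode=yes -o StrictHostKeyChecking=yes \\
    -o IdentitiesOnly=yes -i $KEY \\
    -R 127.0.0.1:$TUNNEL_PORT:localhost:22 $TUNNEL_USER@$ECS_HOST
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target
EOF
}

install_home_side() {       # run as root on the home machine
    home_autossh_unit > /etc/systemd/system/autossh-tunnel.service
    systemctl daemon-reload
    systemctl enable --now autossh-tunnel.service
}

# From outside, hop through the ECS to the loopback-bound port:
#   ssh -J yanyg@a -p 8989 rt@127.0.0.1
case "${1:-}" in
    ecs)  install_ecs_side "${2:?usage: $0 ecs 'ssh-ed25519 AAAA... comment'}" ;;
    home) install_home_side ;;
esac
```

The ForceCommand never runs because the home side connects with -N, which requests no session at all; it is there so that the key cannot be turned into a shell if -N is ever dropped. With the port bound to loopback, the home machine's sshd is reachable only by someone who can already log in to the ECS, which is the check that the GatewayPorts yes setup does not have.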

2.4 Now, as long as the home machine is powered on, it can be reached from anywhere:

yanyg@t450:~/mnt/201911-22.backup$ ssh -p 8989 rt@a
rt@a's password:
Linux t430 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Sep  4 23:48:01 2020 from ::1
rt@t430:~$

Note the "from ::1": because the -R target is localhost:22, the home machine's sshd sees every tunneled login as coming from its own loopback address. The real source address of each connection is recorded only in the ECS's sshd log, so that is the log to keep when checking who came in.