Three commonly used kinds of SSH port forwarding

Besides serving as an SSH login client, the OpenSSH client can also do some simple port forwarding, which is very handy. There are three common usages:
1. -D [bind_address:]port
Specifies a local “dynamic” application-level port forwarding. This works by allocating a socket to listen to port on the local side, optionally bound to the specified bind_address. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine. Currently the SOCKS4 and SOCKS5 protocols are supported, and ssh will act as a SOCKS server. Only root can forward privileged ports. Dynamic port forwardings can also be specified in the configuration file.
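-D specifies a local port (if the local machine has several IPs, you can also listen on the port of one particular IP) that acts as a SOCKS proxy. Whenever a connection is made to this port, it is forwarded through the SSH tunnel,
and the connection to the destination address is then made from the remote server. Only root can forward ports 1-1024.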
ssh -D 8080 $server
Then set the browser's proxy to 127.0.0.1:8080, and you can get past the firewall this way.

2. -L [bind_address:]port:host:hostport
Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side. This works by allocating a socket to listen to port on the local side, optionally bound to the specified bind_address. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the remote machine. Port forwardings can also be specified in the configuration file. IPv6 addresses can be specified by enclosing the address in square brackets. Only the superuser can forward privileged ports. By default, the local port is bound in accordance with the GatewayPorts setting. However, an explicit bind_address may be used to bind the connection to a specific address. The bind_address of “localhost” indicates that the listening port be bound for local use only, while an empty address or ‘*’ indicates that the port should be available from all interfaces.
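-L specifies a local port, port. It fits cases such as when, inside subnet A, only one server A1 can reach a certain port on server B1 in another subnet B.
On server A1, run ssh -L '*:8080:127.0.0.1:80' $b1host
Other servers in subnet A can then reach the web page on port 80 of B1 via http://A1host:8080/. The '*' bind address is what makes the port reachable from other hosts: without a bind address the port follows GatewayPorts, which by default means loopback only. To limit exposure, A1's own address in subnet A can be given in place of '*'.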
ssh -L 9091:127.0.0.1:80 blog.gnuers.org
Then opening http://127.0.0.1:9091 in a local browser brings up my blog.

3. -R [bind_address:]port:host:hostport
Specifies that the given port on the remote (server) host is to be forwarded to the given host and port on the local side. This works by allocating a socket to listen to port on the remote side, and whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the local machine. Port forwardings can also be specified in the configuration file. Privileged ports can be forwarded only when logging in as root on the remote machine. IPv6 addresses can be specified by enclosing the address in square braces.

By default, the listening socket on the server will be bound to the loopback interface only. This may be overridden by specifying a bind_address. An empty bind_address, or the address ‘*’, indicates that the remote socket should listen on all interfaces. Specifying a remote bind_address will only succeed if the server’s GatewayPorts option is enabled (see sshd_config(5)).

If the port argument is ‘0’, the listen port will be dynamically allocated on the server and reported to the client at run time. When used together with -O forward the allocated port will be printed to the standard output.
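-R makes the remote server listen on a given port; when a connection is made to that port on the remote server, the data is forwarded back to hostport on the local side.
A simple scenario: my own laptop sits behind a router, and I want to connect from my VPS straight to the laptop over sftp and upload some data to it.
This is where -R comes in.
ssh -R 9090:127.0.0.1:22 blog.gnuers.org
Then on the VPS, sftp -P 9090 user@127.0.0.1 logs straight into my laptop to upload things.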
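
The bind-address rules quoted from the man page above decide who can reach each forwarded port. As an added example (not from the original post), this Python helper parses a -L/-R/-D argument in the forms shown on this page and reports which side listens and on which interfaces; the names split_fields, describe and gateway_ports are assumptions made for the illustration.

```python
LOOPBACK = {"localhost", "127.0.0.1", "[::1]"}
# Empty or '*' per ssh(1), plus the literal IPv4/IPv6 wildcard addresses
WILDCARD = {"", "*", "0.0.0.0", "[::]"}

def split_fields(spec):
    """Split on ':' while keeping bracketed IPv6 literals like [::1] intact."""
    fields, cur, depth = [], "", 0
    for ch in spec:
        depth += (ch == "[") - (ch == "]")
        if ch == ":" and depth == 0:
            fields.append(cur)
            cur = ""
        else:
            cur += ch
    return fields + [cur]

def describe(flag, spec, gateway_ports=False):
    """Describe one forward. gateway_ports (assumed parameter) models the client's
    GatewayPorts setting; it only matters for -L/-D given without a bind address."""
    if flag not in ("-L", "-R", "-D"):
        raise ValueError("unknown flag: " + flag)
    fields = split_fields(spec)
    full = 2 if flag == "-D" else 4      # field count when bind_address is present
    if len(fields) == full:
        bind = fields.pop(0)
    elif len(fields) == full - 1:
        bind = None
    else:
        raise ValueError("unsupported forwarding spec: " + spec)
    if bind is None:
        # -R defaults to loopback on the server; -L/-D follow GatewayPorts
        scope = "all interfaces" if gateway_ports and flag != "-R" else "loopback"
    elif bind in WILDCARD:
        scope = "all interfaces"
    elif bind in LOOPBACK:
        scope = "loopback"
    else:
        scope = "address " + bind
    return {
        "listens_on": "server" if flag == "-R" else "client",
        "scope": scope,
        "port": int(fields[0]),
        "target": "per-connection (SOCKS)" if flag == "-D" else fields[1] + ":" + fields[2],
        # a non-loopback -R bind only succeeds if sshd has GatewayPorts enabled
        "needs_server_gatewayports": flag == "-R" and scope != "loopback",
    }

if __name__ == "__main__":
    # Constructed sample arguments, modelled on the commands in this post
    for flag, spec in [("-D", "8080"), ("-L", "8080:127.0.0.1:80"),
                       ("-L", "*:8080:127.0.0.1:80"), ("-R", "9090:127.0.0.1:22")]:
        print(flag, spec, "->", describe(flag, spec))
```
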
