Èñïîëüçîâàíèå ssh-òóíåëåé äëÿ áåçîïàñíîãî äîñòóïà ê ðåñóðñàì LAN

**al37919** · 03-02-2008, 23:01

Ýòî ñìîòðÿ êàêîå ó Âàñ ñîåäèíåíèå. Ñðåäíåñòàòèñòè÷åñêèé ADSL èñïîëüçóåò íà ïîëíóþ.
Óòî÷íÿþ. Ñêîðîñòü ïåðåäà÷è îò wl500gP ñîñòàâëÿåò ïîðÿäêà 4Ìáèò/ñ ( ïðîâåðÿëîñü ñ ïîìîùüþ SFTP ).

**ink0gnit0** · 04-02-2008, 20:16

Îòëè÷íûé ìàíóàë!! Òåìà ðàñêðûòà ïîëíîñòüþ, ìîæíî ïðèêðåïëÿòü! Äàâíî õîòåë ïîýêñïåðèìåíòèðîâàòü ñ òóííåëÿìè ñ çàâòðàøíåãî äíÿ íà÷íó! Îãðîìíîå ñïàñèáî çà òàêóþ ïîäðîáíóþ âûæèìêó!

**BlackKovu** · 05-02-2008, 08:48

Ïðèñîåäèíÿþñü - îòëè÷íîå îïèñàíèå. Ñàìîå ãëàâíîå - ïîäàíà îòëè÷íàÿ èäåÿ, äàëüøå óæå ìîæíî ñàìîñòîÿòåëüíî íà÷àòü ïðîðàáàòûâàòü.

Ñïàñèáî!

**djet** · 04-04-2008, 17:04

Åñòü âîïðîñ ïî Remote Port Forwarding.
Êëèåíò ssh ïîçâîëÿåò óêàçàòü èíòåðôåéñ íà ñåðâåðå, äëÿ êîòîðîãî îòêðûâàåòñÿ ïîðò íà ïðîñëóøêó. Îäíàêî ó ìåíÿ ïî÷åìó-òî ýòîãî íå ïðîèñõîäèò, ïðèâÿçêà èä¸ò òîëüêî íà 127.0.0.1.
Êëèåíò: Windows Vista SP1 + SUA + InteropSecShell_4.6r1, OpenSSL 0.9.8e 23 Feb 2007.
Ñåðâåð: øòàòíûé dropbear sshd v0.50 èç .10, çàïóñêàþùèéñÿ èç xinetd.
Çàäà÷à: ïðîáðîñèòü ïîðò RDP ñ ÏÊ, íàõîäÿùåãîñÿ çà íàòîì. Ïî ïðè÷èíå íåäîñòóíîñòè â äàííûé ìîìåíò ýòîãî ÏÊ òåñòèðóþ íà ñâîèõ.

Ñòðîêà çàïóñêà êëèåíòà:

ssh -R :3389:192.168.1.3:3389 192.168.1.1 -N
ssh -R \*:3389:192.168.1.3:3389 192.168.1.1 -N
ssh -R 192.168.1.1:3389:192.168.1.3:3389 192.168.1.1 -N

Âûäåðæêà èç ìàíà:

-R [bind_address:]port:host:hostport
Specifies that the given port on the remote (server) host is to
be forwarded to the given host and port on the local side. This
works by allocating a socket to listen to port on the remote
side, and whenever a connection is made to this port, the connec-
tion is forwarded over the secure channel, and a connection is
made to host port hostport from the local machine.

Port forwardings can also be specified in the configuration file.
Privileged ports can be forwarded only when logging in as root on
the remote machine. IPv6 addresses can be specified by enclosing
the address in square braces or using an alternative syntax:
[bind_address/]host/port/hostport.

By default, the listening socket on the server will be bound to
the loopback interface only. This may be overriden by specifying
a bind_address. An empty bind_address, or the address `*', indi-
cates that the remote socket should listen on all interfaces.
Specifying a remote bind_address will only succeed if the serv-
er's GatewayPorts option is enabled (see sshd_config(5)).

Ïðîáîâàë òàêæå ïðîáðîñ â SecureCRT - àíàëîãè÷íî áèíäèòñÿ ê 127.0.0.1.

**al37919** · 04-04-2008, 17:32

Òîëüêî ïî÷åìó -R? Äîëæíî áûòü -L!

PHP Code:


ssh -L 3389:192.168.1.3:3389 192.168.1.1 -N

Èëè ÿ íå ïîíÿë çàäà÷ó? C RDP ìîãó ñåáå ïðåäñòàâèòü òîëüêî îäèí âàðèàíò --- äîñòóï èçâíå ê êîìïó çà NAT.

**djet** · 04-04-2008, 18:13

Íóæíî ïðîáðîñèòü ïîðò RDP îò êëèåíòà ê ñåðâåðó, ïîýòîìó -R.

Äîïóñòèì, âàðèàíò ñ ïðèâÿçêîé íà íóæíûé èíòåðôåéñ íå ðàáîòàåò, è íóæíî ÷åðåç nat ñàìîì íà ðîóòåðå ïðîáðîñèòü ëîêàëüíî îòêðûòûé ñåðâåðîì ssh ïîðò. Äåëàþ òàê:

iptables -A INPUT -p tcp --dport 3389 -d 127.0.0.1 -j ACCEPT
iptables -t nat -A VSERVER -p tcp -m tcp --dport 3389 -j DNAT --to-destination 127.0.0.1:3389

Íî è ýòà ñõåìà íå ðàáîòàåò, ïîðò îñòà¸òñÿ íåäîñòèæèì èçâíå.

**djet** · 04-04-2008, 19:58

Êàæåòñÿ, âîïðîñ ðåø¸í ñ îïöèåé "-a Allow connections to forwarded ports from any host".
Ñòðàííî, îäíàêî, ÷òî îòêðûòûé dropbear ïîðò íå îòîáðàæàåòñÿ â netstat -na.

Thread: Èñïîëüçîâàíèå ssh-òóíåëåé äëÿ áåçîïàñíîãî äîñòóïà ê ðåñóðñàì LAN

Thread Tools

Rate This Thread

Display

Hybrid View

Similar Threads

Òåñòèðîâàíèå ñêîðîñòè ÷òåíèÿ/çàïèñè USB-HDD.

Tags for this Thread

Posting Permissions