Trying to make an SSH tunnel

I have a bastion server set up on AWS in a public subnet. I can use the bastion host to connect directly to an EC2 instance inside the private subnet.

I can connect to the bastion and check that port 7474 is open on the private EC2 instance:

nc -v -z -w 5 10.0.3.102 7474; echo $?
Connection to 10.0.3.102 7474 port [tcp/*] succeeded!
0

I want to reach the EC2 instance on the private network from my local host (my home machine) through an SSH tunnel:

ssh -v -C -N -L 9000:PRIVATE_MDM:7474 BASTION

But I get:

open failed: administratively prohibited: open failed

Authenticated to 52.32.240.40 ([52.32.240.40]:22).
debug1: Local connections to LOCALHOST:9000 forwarded to remote address PRIVATE_MDM:7474
debug1: Local forwarding listening on ::1 port 9000.
debug1: channel 0: new [port listener]
debug1: Local forwarding listening on 127.0.0.1 port 9000.
debug1: channel 1: new [port listener]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Connection to port 9000 forwarding to PRIVATE_MDM port 7474 requested.
debug1: channel 2: new [direct-tcpip]
debug1: Connection to port 9000 forwarding to PRIVATE_MDM port 7474 requested.
debug1: channel 3: new [direct-tcpip]
channel 2: open failed: administratively prohibited: open failed
channel 3: open failed: administratively prohibited: open failed
debug1: channel 2: free: direct-tcpip: listening port 9000 for PRIVATE_MDM port 7474, connect from 127.0.0.1 port 42685 to 127.0.0.1 port 9000, nchannels 4
debug1: channel 3: free: direct-tcpip: listening port 9000 for PRIVATE_MDM port 7474, connect from 127.0.0.1 port 42686 to 127.0.0.1 port 9000, nchannels 3
debug1: Connection to port 9000 forwarding to PRIVATE_MDM port 7474 requested.
debug1: channel 2: new [direct-tcpip]
channel 2: open failed: administratively prohibited: open failed
debug1: channel 2: free: direct-tcpip: listening port 9000 for PRIVATE_MDM port 7474, connect from 127.0.0.1 port 42687 to 127.0.0.1 port 9000, nchannels 3

The BASTION machine forbids creating port forwardings via the option AllowTcpForwarding. If you want port forwarding to work, you need to allow this option on that machine.

Edit: Now I see the flaw there. Could you add a description of what you want to achieve? Forwarding an unused local port to an unused remote port makes no sense. Either you forward an existing service on the remote side to a local port (then use -L, local port forwarding), or you forward a local service to a remote port (then use -R, remote port forwarding). Without this you cannot proceed.

Solution: the difference between the nc and ssh commands in the example is the use of a direct IP address versus a hostname. BASTION could not resolve PRIVATE_MDM, which caused the problem.
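Both causes named in this thread produce the same "administratively prohibited" message, because sshd on the bastion both enforces AllowTcpForwarding/PermitOpen and resolves the -L destination itself. The helper below is added here (it is not code from the original posts) and is meant to be run on the bastion; it assumes OpenSSH (`sshd -T` prints the effective configuration and needs root) and `getent`, and reuses the thread's own `10.0.3.102` / `7474` only as sample values.

```shell
#!/bin/sh
# Diagnostic helper added here; not code from the original thread. Run it ON the bastion
# to see which cause of "administratively prohibited" applies to a -L destination.
# Assumes OpenSSH sshd; `sshd -T` prints the effective config and needs root.

# Read `sshd -T` output on stdin; succeed only if a direct-tcpip channel to HOST:PORT
# is allowed by AllowTcpForwarding, DisableForwarding and PermitOpen.
forwarding_allowed() {
    awk -v want="$1:$2" '
        $1 == "allowtcpforwarding" { allow = $2 }
        $1 == "disableforwarding"  { disabled = $2 }
        $1 == "permitopen"         { for (i = 2; i <= NF; i++) { open[$i] = 1; nopen++ } }
        END {
            if (disabled == "yes")                           exit 1
            if (allow == "no" || allow == "remote")          exit 1   # local forwarding off
            if ("none" in open)                              exit 1
            if (nopen == 0 || "any" in open || want in open) exit 0
            exit 1                                                    # PermitOpen excludes target
        }'
}

# sshd on the bastion resolves the -L destination itself, so a name that resolves on
# the client but not here still fails with "administratively prohibited".
resolves_here() {
    case "$1" in
        *[!0-9.]*) getent hosts "$1" >/dev/null 2>&1 ;;   # host name: must resolve on this box
        *)         return 0 ;;                            # dotted-quad literal: no lookup needed
    esac
}

# diagnose HOST PORT: report the first failing precondition; returns 0 if sshd would allow it.
diagnose() {
    if ! resolves_here "$1"; then
        echo "$1 does not resolve on this host: use its IP or fix DNS/hosts here"; return 1
    fi
    cfg=$(sshd -T 2>/dev/null) || { echo "sshd -T failed (run as root)"; return 3; }
    if ! printf '%s\n' "$cfg" | forwarding_allowed "$1" "$2"; then
        echo "sshd config forbids forwarding to $1:$2 (AllowTcpForwarding/PermitOpen)"; return 2
    fi
    echo "sshd would permit forwarding to $1:$2; now check reachability: nc -z -w 5 $1 $2"
}

# Usage on the bastion: sh diagnose.sh 10.0.3.102 7474   (or the PRIVATE_MDM name)
if [ $# -eq 2 ]; then diagnose "$1" "$2"; fi
```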