ssh reverse tunnel

ssh反向通道的可用场景之一：从外网访问内网的主机。所必须的是你需要一个有ssh登录权限的公网主机。

步骤如下（将内网主机称作A，公网ssh主机地址为hostP ）：

1.在内网A上执行

ssh -f -N -R  [remoteListenIp:]22222:localhost:22 [user@]hostP    #需要身份验证，根据你的情况：无密码、-i 秘钥文件、输入密码

其中remoteListenIp指在hostP上监听22222端口的ip，可以省略。在没有对hostP上的GatewayPorts参数进行设置时不起作用，默认只绑定到本地回环，这可能导致只能在hostP上才能访问自己的22222端口。

-f表示后台运行。N: 告诉SSH客户端，这个连接不需要执行任何命令，仅仅做端口转发。R: Reverse tunnel。

ps aux | grep ssh可以看到上述命名在后台运行，查看hostP上端口是否监听：

方式一：ssh登录hostP，执行netstat -an | grep 22222 #查看监听的地址是127.0.0.1还是0.0.0.0（全部地址）

方式二：nmap -p 22222 hostP #open或close状态

2.穿越隧道

ssh -p 22222 [user@]hostP

在没有设置GatewayPorts时应该是拒绝访问，那可以先登录hostP，再从hostP登录A

ssh [user@]hostP  ---->  ssh -p 22222 [user@]localhost

如果你想直接使用ssh -p 22222 [user@]hostP 参考3.

3.在hostP上/etc/ssh/sshd_config中添加一行GatewayPorts yes可以使得监听所有ip，显示为0.0.0.0 或者GatewayPorts clientspecified

参考man手册，ssh的-R参数、sshd_config的GatewayPorts说明：

-R
By default, the listening socket on the server will be bound to the loopback interface only. This may be overridden by specifying a bind_address.
An empty bind_address, or the address ‘*’, indicates that the remote socket should listen on all interfaces. Specifying a remote bind_address
will only succeed if the server’s GatewayPorts option is enabled (see sshd_config(5)).

GatewayPorts
Specifies whether remote hosts are allowed to connect to ports forwarded for the client. By default, sshd(8) binds remote port forwardings to the
loopback address. This prevents other remote hosts from connecting to forwarded ports. GatewayPorts can be used to specify that sshd should allow
remote port forwardings to bind to non-loopback addresses, thus allowing other hosts to connect. The argument may be “no” to force remote port
forwardings to be available to the local host only, “yes” to force remote port forwardings to bind to the wildcard address, or “clientspecified” to
allow the client to select the address to which the forwarding is bound. The default is “no”.