點擊上方"walkingcloud"關(guān)注，并選擇"星標"公眾號

SecureCRT遠程端口轉(zhuǎn)發(fā)

在上一篇文章【利用騰訊云主機+SSH遠程端口轉(zhuǎn)發(fā)實現(xiàn)內(nèi)網(wǎng)穿透】中使用SecureCRT進行遠程端口轉(zhuǎn)發(fā)，但是轉(zhuǎn)發(fā)到云主機(外網(wǎng))服務(wù)器后，發(fā)現(xiàn)從外網(wǎng)訪問連接轉(zhuǎn)發(fā)后的端口出現(xiàn)報錯，無法正常訪問?

通過Google搜索相關(guān)問題，最終找到了問題的根因

(圖片可放大查看)

如下圖所示

(圖片可放大查看)

內(nèi)網(wǎng)Win10 192.168.198.1

內(nèi)網(wǎng)CentOS7.6服務(wù)器 192.168.198.130 SSH端口22

云主機CentOS7.6一臺 公網(wǎng)IP X.X.X.X

需求場景：通過內(nèi)網(wǎng)win10機器SecureCRT連接上云主機的SSH，配置SecureCRT遠程端口轉(zhuǎn)發(fā)，將本地192.168.198.130 SSH端口22轉(zhuǎn)發(fā)到云主機的8622端口上

云主機SSH配置中已經(jīng)將/etc/ssh/sshd_config中GatewayPorts no改為了GatewayPorts yes

云主機安全組中也將TCP 8622端口放通

具體排查與解決步驟如下

1、問題復(fù)現(xiàn)

(圖片可放大查看)

(圖片可放大查看)

(圖片可放大查看)

(圖片可放大查看)

2、開啟SecureCRT Trace Option

可發(fā)現(xiàn)如下報錯提示

[LOCAL]?:?RECV:?CHANNEL_OPEN[forwarded-tcpip]?
[LOCAL]?:?Rejecting?remote?forward?request?from?61.X.X.X:54962?to?192.168.198.130:22?because?the?current?filters?do?not?allow?61.X.X.X:54962?to?use?the?remote?forward.?

(圖片可放大查看)

(圖片可放大查看)

3、修改會話ini文件中Reverse Forward Filter

修改前為

S:"Reverse?Forward?Filter"=allow,127.0.0.1,0?deny,0.0.0.0/0.0.0.0,0

(圖片可放大查看)

修改后為

S:"Reverse?Forward?Filter"=allow,0.0.0.0/0.0.0.0,0

(圖片可放大查看)

也就是允許所有IP訪問

4、修改完成后重新打開SecureCRT，并打開該SSH會話

這時就可以正常從外網(wǎng)訪問連接轉(zhuǎn)發(fā)后的端口，問題解決?

(圖片可放大查看)

下面是SecureCRT官網(wǎng)論壇關(guān)于Remote port forwarding filter/Reverse Forward Filter的說明

SecureCRT's?port?forwarding?"allowances"?fall?on?the?cautious?side?of?security.?This?is?the?case?for?both?local?and?remote/reverse?port?fowards,?which?ensures?security?by?default?but?also?means?it's?not?the?most?convenient?default?setting?if?your?needs?are?"special".
In?the?case?of?reverse?forwards,?SecureCRT?imposes?a?default?filter?that?rejects?any?forwards?that?don't?originate?on?the?server?side?from?the?server's?loopback?address?(127.0.0.1).?This?means?that?if?the?(server-side)?client?application?sets?the?src?addr?to?anything?other?than?127.0.0.1?(such?as?a?non-loopback?NIC?address?like?192.168.x.y),?SecureCRT?will?deny?such?forwarding?packets?received,?dropping?packets?w/o?forwarding?them?on?to?the?configured?destination?on?the?SecureCRT?side.?Such?a?denial?can?be?seen?in?debug?output?if?you?enable?Trace?Options?(SecureCRT's?main?"File"?menu)?prior?to?connecting?to?the?remote?machine.
A?denial/rejection?looks?like?this,?as?one?example,?in?Trace?Options?debug?output?(displayed?in?the?SecureCRT?terminal?window?the?moment?a?server-side?client?application?attempts?to?access?the?port?from?a?filtered?src?address/port):
[LOCAL]?:?RECV:?CHANNEL_OPEN[forwarded-tcpip]
[LOCAL]?:?Rejecting?remote?forward?request?from?192.168.232.101:1220?to?10.0.0.1:8080?because?the?current?filters?do?not?allow?192.168.232.101:1220?to?use?the?remote?forward.
To?relax?SecureCRT's?reverse?forward?filters?to?allow?access?for?more?than?just?localhost-originating?addresses?on?the?remote?side,?you'll?need?to?manually?edit?the?session's?.ini?file?appropriately?(make?sure?you?close?SecureCRT?prior?to?changing?a?session's?.ini?file?manually).Here's?the?line?in?the?session's?.ini?file?that?you'll?need?to?modify:
S:"Reverse?Forward?Filter"=allow,127.0.0.1,0?deny,0.0.0.0/0.0.0.0,0
If?you?want?to?allow?everything?through?(not?the?most?secure?choice,?but?works?if?you're?just?setting?it?up?for?a?PC?on?a?controlled?LAB?network),?do?this:
S:"Reverse?Forward?Filter"=allow,0.0.0.0/0.0.0.0,0
If?you?just?want?to?allow?everthing?on?the?192.168.x?LAN?segment,?as?well?as?any?loopback?adapter?access?to?the?forwarded?port?(denying?access?to?all?other?originating?addresses),?do?this:
S:"Reverse?Forward?Filter"=allow,192.168.0.1/255.255.0.0,0?allow,127.0.0.1/255.0.0.0,0?deny,0.0.0.0/0.0.0.0,0
This?information?is?described?in?detail?(including?ipv6?how-to)?within?the?SecureCRT?help?under?the?topic?titled,?"Configuring?Port-Forwarding?Filters"?located?within?the?"Secure?Connections"?top-level?chapter.

(圖片可放大查看)

(圖片可放大查看)

附上SecureCRT本地端口轉(zhuǎn)發(fā)與X11轉(zhuǎn)發(fā)的原理圖，未收集到遠程端口轉(zhuǎn)發(fā)的原理圖

(圖片可放大查看)

(圖片可放大查看)

總結(jié)

以上是生活随笔為你收集整理的netsh interface portproxy 转发不生效_SecureCRT远程端口转发不生效的解决方法的全部內(nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯，歡迎將生活随笔推薦給好友。