ssh 网关

We have many hosts with internal/LAN IPs like 10.0.3.* behind a gateway and the hosts with LAN IPs can connect to the Internet . We used iptables to so that users from hosts with Internet connections can to the gateway’s forwarded port to log on the internal hosts. However, there should be rules added for these hosts and the users need to connect to these non-standard (not 22) ports of the gateway that may be blocked by firewalls of their .

网关后面有许多具有内部/ LAN IP（例如10.0.3。*）的主机，具有LAN IP的主机可以连接到Internet。 我们使用iptables将以便具有Internet连接的主机中的用户可以到网关的转发端口以登录内部主机。 但是，应该为这些主机添加规则，并且用户需要连接到网关的这些非标准（非22）端口，这些端口可能会被其的防火墙阻止。

Is there any other methods to support this? We do not want VPN yet since only SSH is needed most of the time and we do not like to be too open to the Internet yet.

还有其他方法可以支持这一点吗？ 我们不想要VPN，因为大多数时候只需要SSH，而且我们不希望对Internet过于开放。

My solution is to use a SSH tunnel as the proxy to SSH to the internal hosts. This is set by the users themselves on their own side.

我的解决方案是使用SSH隧道作为SSH到内部主机的代理。 这由用户自己设置。

Assumptions and requirements:

假设和要求：

1. You, the user, are using a environment on your machine, say user.example.org .

2. You can to the gateway, say gateway.example.org, with your username. You can use other usernames, non-standard port, or forward the 22 port of gateway to an internal host/VM for security reason. We use the most simple configuration for simplicity of the introduction. 3. On the gateway or the host that you can ssh to as a proxy, is installed.

1.您（用户）正在您的计算机上使用环境，例如user.example.org。

2.您可以使用用户名以无网关，例如gateway.example.org。 出于安全原因，您可以使用其他用户名，非标准端口或将网关的22端口转发到内部主机/ VM。 为了简化介绍，我们使用最简单的配置。 3.在可以ssh作为代理的网关或主机上，安装了 。

Now, add these 2 lines to your ~/.ssh/config (make its attributes 700) on user.example.org:

现在，将这两行添加到user.example.org上的~/.ssh/config （使其属性为700）：

Host 10.0.3.*  ProxyCommand ssh -q gateway.example.org nc %h %p

Then, on user.example.org, you can directly ssh to internal hosts, such as:

然后，可以在user.example.org上直接SSH到内部主机，例如：

ssh 10.0.3.100

The SSH client will first run ssh -q gateway.example.org nc 10.0.3.100 22 which log on gateway.example.org and runs nc 10.0.3.100 22 on the gateway. The nc on the gateway will redirect all input from the SSH client on user.example.org to 10.0.3.100:22 to which the sshd daemon on 10.0.3.100 listens. That is, gateway.example.org works as the proxy for the SSH connection and the users can connect to the internal IPs “directly”.

SSH客户端将首先运行ssh -q gateway.example.org nc 10.0.3.100 22 ，后者登录gateway.example.org并在网关上运行nc 10.0.3.100 22 。 网关上的nc会将来自user.example.org上的SSH客户端的所有输入重定向到10.0.3.100上的sshd守护程序侦听的10.0.3.100:22。 也就是说，gateway.example.org充当SSH连接的代理，用户可以“直接”连接到内部IP。

翻译自:

ssh 网关