집에 공용 IP가 없는 PC가 있는데, 공용 IP를 사용하여 다른 서버에 역터널을 설정하고, 그 서버를 통해 집 PC에 연결하고 싶습니다. 하지만 역방향 터널을 설정한 후 내 PC에 연결할 수 없습니다. 누군가 도와줄 수 있기를 바랍니다.
다음은 서버에 대한 역방향 터널을 설정하기 위해 autossh를 사용한 프로세스입니다. 공개 IP를 123.456.78.90으로 수정합니다.
tony@tony-S340MC:~$ autossh -M 6018 -fCNR 0.0.0.0:7020:localhost:22 [email protected]
tony@tony-S340MC:~$ sudo netstat -antp | grep 6018
tcp 0 0 127.0.0.1:6018 0.0.0.0:* LISTEN 7637/ssh
tcp6 0 0 ::1:6018 :::* LISTEN 7637/ssh
tony@tony-S340MC:~$ netstat -a | grep ssh
tcp 0 0 tony-S340MC:49642 123.456.78.90:ssh ESTABLISHED
그런 다음 서버의 네트워크 상태와 공용 포트 상태는 다음과 같습니다.
[opc@srvagent1 ~]$ sudo netstat -antp | grep 7020
tcp 0 0 0.0.0.0:7020 0.0.0.0:* LISTEN 24261/sshd: opc
tcp6 0 0 :::7020 :::* LISTEN 24261/sshd: opc
[opc@srvagent1 ~]$ sudo firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client ssh
ports: 6019/tcp 7020/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
GatewayPorts서버의 은(는 ) 입니다 yes.
역방향 터널을 구축한 후 다른 컴퓨터로 연결했습니다. 그러나 연결이 불가능했습니다. 어느 부분이 잘못되었는지 전혀 모르겠습니다.
$ ssh -v -p 7020 [email protected]
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: Connecting to 123.456.78.90 [123.456.78.90] port 7020.
debug1: connect to address 123.456.78.90 port 7020: Connection timed out
ssh: connect to host 123.456.78.90 port 7020: Connection timed out
Edit1 : autossh 대신 ssh -vv를 사용하도록 변경했습니다. 여기에 내 PC의 출력이 있습니다.
tony@tony-S340MC:~$ ssh -vv -fCNR 0.0.0.0:7020:localhost:22 [email protected]
OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f 31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: resolve_canonicalize: hostname 123.456.78.90 is address
debug2: ssh_connect_direct
debug1: Connecting to 123.456.78.90 [123.456.78.90] port 22.
debug1: Connection established.
debug1: identity file /home/tony/.ssh/id_rsa type 0
debug1: identity file /home/tony/.ssh/id_rsa-cert type -1
debug1: identity file /home/tony/.ssh/id_dsa type -1
debug1: identity file /home/tony/.ssh/id_dsa-cert type -1
debug1: identity file /home/tony/.ssh/id_ecdsa type -1
debug1: identity file /home/tony/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/tony/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/tony/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/tony/.ssh/id_ed25519 type -1
debug1: identity file /home/tony/.ssh/id_ed25519-cert type -1
debug1: identity file /home/tony/.ssh/id_ed25519_sk type -1
debug1: identity file /home/tony/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/tony/.ssh/id_xmss type -1
debug1: identity file /home/tony/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 123.456.78.90:22 as 'opc'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,[email protected],rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: [email protected],zlib,none
debug2: compression stoc: [email protected],zlib,none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[email protected]
debug2: compression stoc: none,[email protected]
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: [email protected]
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: [email protected]
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:XxJkoHSa4aJEXoL9Ir5i0lSDBM0TA6E2tx6J6LQd/BQ
debug1: Host '123.456.78.90' is known and matches the ECDSA host key.
debug1: Found key in /home/tony/.ssh/known_hosts:5
debug2: set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/tony/.ssh/id_rsa RSA SHA256:IbUI2q2QVZuuRT6rvvdAHciGlzVBRZqPKdCS2EaW3Mc agent
debug1: Will attempt key: /home/tony/.ssh/id_dsa
debug1: Will attempt key: /home/tony/.ssh/id_ecdsa
debug1: Will attempt key: /home/tony/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/tony/.ssh/id_ed25519
debug1: Will attempt key: /home/tony/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/tony/.ssh/id_xmss
debug2: pubkey_prepare: done
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000)
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000)
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug1: Offering public key: /home/tony/.ssh/id_rsa RSA SHA256:IbUI2q2QVZuuRT6rvvdAHciGlzVBRZqPKdCS2EaW3Mc agent
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: /home/tony/.ssh/id_rsa RSA SHA256:IbUI2q2QVZuuRT6rvvdAHciGlzVBRZqPKdCS2EaW3Mc agent
debug1: Enabling compression at level 6.
debug1: Authentication succeeded (publickey).
Authenticated to 123.456.78.90 ([123.456.78.90]:22).
debug1: Remote connections from 0.0.0.0:7020 forwarded to local address localhost:22
debug2: fd 3 setting TCP_NODELAY
debug1: Requesting [email protected]
debug1: forking to background
debug1: Entering interactive session.
debug1: pledge: network
tony@tony-S340MC:~$ debug1: client_input_global_request: rtype [email protected] want_reply 0
debug1: remote forward success for: listen 0.0.0.0:7020, connect localhost:22
debug1: All remote forwarding requests processed
답변1
debug1: Connecting to 123.456.78.90 [123.456.78.90] port 7020.
debug1: connect to address 123.456.78.90 port 7020: Connection timed out
ssh: connect to host 123.456.78.90 port 7020: Connection timed out
두 번째 SSH 인스턴스는 터널 수신 포트에 대한 TCP 연결을 설정할 수 없습니다. 특히 ssh호스트 123.456.78.90 포트 7020에 TCP 연결 요청을 보냈지만 응답을 받지 못했습니다.
가장 간단한 설명은 이러한 연결 요청을 차단하는 방화벽이 있다는 것입니다. 방화벽은 실행 중인 호스트에 있을 수도 있고 ssh, 호스트 123.456.78.90에 있을 수도 있고, 두 호스트 사이에 있는 라우터와 같은 일부 네트워크 장치에 있을 수도 있습니다.
이는 호스트 123.456.78.90 포트 7020이 SSH 터널의 수신 대기 포트라는 사실과는 아무런 관련이 없을 것입니다. ssh터널을 생성하는 인스턴스 에 분명히 잘못된 점은 없습니다 . 연결이 가능하다면 제대로 작동할 수도 있습니다.