我在公共子网上的AWS上配置了堡垒服务器。 我可以使用堡垒主机直接ssh到私有子网内的ec2实例。
我可以连接到堡垒主机并检查私人ec2的7474端口是否已打开。
nc -v -z -w 5 10.0.3.102 7474; echo $?
Connection to 10.0.3.102 7474 port [tcp/*] succeeded!
0
我想将ssh隧道从localhost(我的家庭计算机)转移到私有网络上的ec2实例。
ssh -v -C -N -L 9000:PRIVATE_MDM:7474 BASTION
但我得到了:
打开失败:管理上禁止:打开失败
Authenticated to 52.32.240.40 ([52.32.240.40]:22).
debug1: Local connections to LOCALHOST:9000 forwarded to remote address PRIVATE_MDM:7474
debug1: Local forwarding listening on ::1 port 9000.
debug1: channel 0: new [port listener]
debug1: Local forwarding listening on 127.0.0.1 port 9000.
debug1: channel 1: new [port listener]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Connection to port 9000 forwarding to PRIVATE_MDM port 7474 requested.
debug1: channel 2: new [direct-tcpip]
debug1: Connection to port 9000 forwarding to PRIVATE_MDM port 7474 requested.
debug1: channel 3: new [direct-tcpip]
channel 2: open failed: administratively prohibited: open failed
channel 3: open failed: administratively prohibited: open failed
debug1: channel 2: free: direct-tcpip: listening port 9000 for PRIVATE_MDM port 7474, connect from 127.0.0.1 port 42685 to 127.0.0.1 port 9000, nchannels 4
debug1: channel 3: free: direct-tcpip: listening port 9000 for PRIVATE_MDM port 7474, connect from 127.0.0.1 port 42686 to 127.0.0.1 port 9000, nchannels 3
debug1: Connection to port 9000 forwarding to PRIVATE_MDM port 7474 requested.
debug1: channel 2: new [direct-tcpip]
channel 2: open failed: administratively prohibited: open failed
debug1: channel 2: free: direct-tcpip: listening port 9000 for PRIVATE_MDM port 7474, connect from 127.0.0.1 port 42687 to 127.0.0.1 port 9000, nchannels 3
答案 0 :(得分:2)
BASTION机器已被禁止通过选项AllowTcpForwarding创建端口转发。如果要使端口转发工作,则需要在此计算机上允许此选项。
编辑:现在我看到了那里的漏洞。你可以添加描述你想要实现的目标吗?将未使用的本地端口转发到未使用的远程端口没有意义。您可以将远程端的现有服务转发到本地端口(然后使用-L - 本地端口转发),反之亦然,将本地服务转发到远程端口(然后使用-R - 远程转发端口)。没有这个,你就无法继续前进。
解决方案:示例中nc和ssh命令之间的区别在于使用直接IP地址和hostname。 BASTION无法解决导致问题的PRIVATE_MDM。