netsh interface portproxy 转发不生效_SecureCRT远程端口转发不生效的解决方法
生活随笔
收集整理的這篇文章主要介紹了
netsh interface portproxy 转发不生效_SecureCRT远程端口转发不生效的解决方法
小編覺得挺不錯的,現在分享給大家,幫大家做個參考.
點擊上方"walkingcloud"關注,并選擇"星標"公眾號
SecureCRT遠程端口轉發
在上一篇文章【利用騰訊云主機+SSH遠程端口轉發實現內網穿透】中使用SecureCRT進行遠程端口轉發,但是轉發到云主機(外網)服務器后,發現從外網訪問連接轉發后的端口出現報錯,無法正常訪問?
通過Google搜索相關問題,最終找到了問題的根因
(圖片可放大查看)
如下圖所示
(圖片可放大查看)
需求場景:通過內網win10機器SecureCRT連接上云主機的SSH,配置SecureCRT遠程端口轉發,將本地192.168.198.130 SSH端口22轉發到云主機的8622端口上
具體排查與解決步驟如下
1、問題復現
(圖片可放大查看)
(圖片可放大查看)
(圖片可放大查看)
(圖片可放大查看)
2、開啟SecureCRT Trace Option
可發現如下報錯提示
[LOCAL]?:?RECV:?CHANNEL_OPEN[forwarded-tcpip]?[LOCAL]?:?Rejecting?remote?forward?request?from?61.X.X.X:54962?to?192.168.198.130:22?because?the?current?filters?do?not?allow?61.X.X.X:54962?to?use?the?remote?forward.?
(圖片可放大查看)
(圖片可放大查看)
3、修改會話ini文件中Reverse Forward Filter
修改前為
S:"Reverse?Forward?Filter"=allow,127.0.0.1,0?deny,0.0.0.0/0.0.0.0,0(圖片可放大查看)
修改后為
S:"Reverse?Forward?Filter"=allow,0.0.0.0/0.0.0.0,0(圖片可放大查看)
也就是允許所有IP訪問
4、修改完成后重新打開SecureCRT,并打開該SSH會話
這時就可以正常從外網訪問連接轉發后的端口,問題解決?
(圖片可放大查看)
下面是SecureCRT官網論壇關于Remote port forwarding filter/Reverse Forward Filter的說明
SecureCRT's?port?forwarding?"allowances"?fall?on?the?cautious?side?of?security.?This?is?the?case?for?both?local?and?remote/reverse?port?fowards,?which?ensures?security?by?default?but?also?means?it's?not?the?most?convenient?default?setting?if?your?needs?are?"special".In?the?case?of?reverse?forwards,?SecureCRT?imposes?a?default?filter?that?rejects?any?forwards?that?don't?originate?on?the?server?side?from?the?server's?loopback?address?(127.0.0.1).?This?means?that?if?the?(server-side)?client?application?sets?the?src?addr?to?anything?other?than?127.0.0.1?(such?as?a?non-loopback?NIC?address?like?192.168.x.y),?SecureCRT?will?deny?such?forwarding?packets?received,?dropping?packets?w/o?forwarding?them?on?to?the?configured?destination?on?the?SecureCRT?side.?Such?a?denial?can?be?seen?in?debug?output?if?you?enable?Trace?Options?(SecureCRT's?main?"File"?menu)?prior?to?connecting?to?the?remote?machine.
A?denial/rejection?looks?like?this,?as?one?example,?in?Trace?Options?debug?output?(displayed?in?the?SecureCRT?terminal?window?the?moment?a?server-side?client?application?attempts?to?access?the?port?from?a?filtered?src?address/port):
[LOCAL]?:?RECV:?CHANNEL_OPEN[forwarded-tcpip]
[LOCAL]?:?Rejecting?remote?forward?request?from?192.168.232.101:1220?to?10.0.0.1:8080?because?the?current?filters?do?not?allow?192.168.232.101:1220?to?use?the?remote?forward.
To?relax?SecureCRT's?reverse?forward?filters?to?allow?access?for?more?than?just?localhost-originating?addresses?on?the?remote?side,?you'll?need?to?manually?edit?the?session's?.ini?file?appropriately?(make?sure?you?close?SecureCRT?prior?to?changing?a?session's?.ini?file?manually).Here's?the?line?in?the?session's?.ini?file?that?you'll?need?to?modify:
S:"Reverse?Forward?Filter"=allow,127.0.0.1,0?deny,0.0.0.0/0.0.0.0,0
If?you?want?to?allow?everything?through?(not?the?most?secure?choice,?but?works?if?you're?just?setting?it?up?for?a?PC?on?a?controlled?LAB?network),?do?this:
S:"Reverse?Forward?Filter"=allow,0.0.0.0/0.0.0.0,0
If?you?just?want?to?allow?everthing?on?the?192.168.x?LAN?segment,?as?well?as?any?loopback?adapter?access?to?the?forwarded?port?(denying?access?to?all?other?originating?addresses),?do?this:
S:"Reverse?Forward?Filter"=allow,192.168.0.1/255.255.0.0,0?allow,127.0.0.1/255.0.0.0,0?deny,0.0.0.0/0.0.0.0,0
This?information?is?described?in?detail?(including?ipv6?how-to)?within?the?SecureCRT?help?under?the?topic?titled,?"Configuring?Port-Forwarding?Filters"?located?within?the?"Secure?Connections"?top-level?chapter.
(圖片可放大查看)
(圖片可放大查看)
附上SecureCRT本地端口轉發與X11轉發的原理圖,未收集到遠程端口轉發的原理圖
(圖片可放大查看)
(圖片可放大查看)
總結
以上是生活随笔為你收集整理的netsh interface portproxy 转发不生效_SecureCRT远程端口转发不生效的解决方法的全部內容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: CTF必备技能丨Linux Pwn入门教
- 下一篇: 基金怎么算收益