Linux ssh port forwarding (tunnel) settings

I had occasion to set this up on a Linux server, and it took me a while to get right, so I'm writing it down in the hope that it is useful to someone.

What I wanted to do

・ Set up a tunnel (local port 50000) on a Linux server (Local)
・ Reach RDS from that Linux server by going through a stepping-stone (bastion) server
・ Have a certain service running on the Linux server (Local) connect to RDS through the tunnel
・ So the tunnel is not for me to log in through; it is there for a service to use

Each piece of information

Local server

・ Port 50000 forwarded to RDS by ssh port forwarding

Step (bastion) server

・ Host: "999.999.999.999"
・ Username: "fumidai"
・ Private key (.pem): "/etc/ssh/fumidai.pem"
・ RDS host: "RDS.com"
・ RDS port: "3306"

The command I ended up with

Putting the information above together, it is the following. 「ssh -o ServerAliveInterval=30 -f -N -L 50000:RDS.com:3306 fumidai@999.999.999.999 -i /etc/ssh/fumidai.pem」

Simple command description

Option "-o"

The "-o" option lets you pass any parameter that could be written in ssh_config on the command line, in the form "-o Keyword=value", for example "-o ServerAliveInterval=30".

Option "-f -N"

Both are needed if you want the port forwarding (tunnel) process to run in the background. "-f" sends ssh to the background after authentication, and "-N" tells it not to execute any remote command. "-f" alone does not work: without "-N", ssh starts a remote login shell, that shell immediately sees end-of-file on its stdin (because "-f" implies "-n", stdin from /dev/null) and exits, and the tunnel goes away with it.

Option "-L"

Used to specify the local port on the Local server. The form is "-L [bind_address:]port:host:hostport": every connection to "port" on the Local server is sent through the bastion to "host:hostport" (here 50000 to RDS.com:3306, with RDS.com resolved from the bastion's side). By default it only listens on loopback. "-R" is the reverse (remote) direction: a port on the bastion is forwarded back to the local side. I haven't looked into that in detail.

Option "-i"

The path to the private key (identity file) used to authenticate to the bastion.

It was hard to arrive at this command.

It's basic stuff, but there were a few places where I tripped up and got confused several times.

Private key permissions

ssh is strict about the permissions on the private key. If they are not set correctly (for example, the file is readable by group or others), ssh refuses to use the key and the connection fails; "chmod 600" on the key file fixes it. Reference site: https://note.mokuzine.net/ssh-permission-denied/

The process falls on its own

Every site I looked at says that to remove a backgrounded tunnel you find the process and kill it. What I would like, though, is for it not to die on its own.

With "-f -N" it does run in the background. I checked with the netstat command and the port was properly in the LISTEN state. However, it died after about 2 hours and 15 minutes. Worse, when I let the service communicate about an hour after starting the process (having left it idle in LISTEN), the communication did not go through properly and failed partway. There had been no traffic at all, so I wondered whether something was happening in the meantime.

Looking into it, it seems the connection is cut off when there is no traffic for a while, by the kernel or some such; the usual causes are a stateful firewall or NAT device between the two ends timing out the idle connection, or the TCP keepalive settings on one side. "Write failed: Broken pipe" was displayed on the terminal where the process had been started, at the moment the process died.

Reference sites:
・ https://www.riscascape.net/archives/9570
・ https://alpha-netzilla.blogspot.com/2011/12/tcp-keepalive.html
・ https://qiita.com/kuni-nakaji/items/c07004c7d9e5bb683bc2

Somehow keep the process alive

ssh has "ServerAliveInterval" (and "ServerAliveCountMax"): the client sends a keepalive request through the encrypted channel every ServerAliveInterval seconds, and if ServerAliveCountMax consecutive requests (default 3) go unanswered it drops the connection. Because this traffic flows inside the SSH connection, it also keeps the connection from being treated as idle; unlike "TCPKeepAlive", whose TCP-level probes are unencrypted and spoofable, these messages cannot be forged. Now the process no longer dies on its own, and communication works even after leaving it idle for about an hour (in LISTEN). On the sshd side, the corresponding setting ("ClientAliveInterval") is "0" by default, i.e. disabled.

Reference sites:
・ https://qiita.com/ysk24ok/items/2f4ced5edf306fdd9dfb
・ http://www.koganemaru.co.jp/cgi-bin/mroff.cgi?sect=5&cmd=&lc=1&subdir=man&dir=jpman-11.2.2%2Fman&subdir=man&man=ssh_config
・ https://tech.sv-cat.net/entry/2018/08/21/190127

Future tasks

However, starting the process once is not enough. It may die for some other reason, and if the bastion or the RDS at the far end goes down, the process will certainly die. So a mechanism that restarts the process after an unexpected failure is needed. I plan to have crond monitor it and restart it. I also thought about making it a systemd service, but it would end up relying on a shell script anyway, so crond seems good enough.
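As an added example (not code from the original post), here is one way to do what the keepalive and restart sections above describe: a small script that starts the tunnel with the post's host, user and key values plus the keepalive options, records the pid, checks the key permissions, and is invoked from cron every minute to restart the tunnel if it has died. The script path, the pid and log file locations, and the function names are assumptions made for this example.

```shell
#!/bin/sh
# rds-tunnel.sh: keep the post's "ssh -f -N -L 50000:RDS.com:3306" tunnel
# alive. Run it from cron every minute, e.g.
#   * * * * * /usr/local/sbin/rds-tunnel.sh ensure
# (script path, pid file, log file and the tunnel_*/key_perms_ok names are
# assumptions made for this example; host, user and key are the post's values)

BASTION_HOST="999.999.999.999"
BASTION_USER="fumidai"
KEY_FILE="/etc/ssh/fumidai.pem"
RDS_HOST="RDS.com"
RDS_PORT=3306
LOCAL_PORT=50000
ALIVE_INTERVAL=30                   # ServerAliveInterval from the post
ALIVE_COUNT=3                       # ServerAliveCountMax (ssh's default)
PID_FILE="${PID_FILE:-/var/run/rds-tunnel.pid}"   # assumed paths
LOG_FILE="${LOG_FILE:-/var/log/rds-tunnel.log}"

# ssh refuses a private key that group or others can read, so check first
# and log a useful message instead of letting ssh fail every minute.
key_perms_ok() {
    mode=$(stat -c '%a' "$KEY_FILE" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# The tunnel is "running" when the pid we recorded still exists. Because ssh
# is started with ExitOnForwardFailure=yes, a live ssh implies the local port
# was bound successfully, so no separate netstat check is needed.
tunnel_running() {
    [ -r "$PID_FILE" ] || return 1
    pid=$(cat "$PID_FILE")
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

# Differences from the post's one-liner:
#  - no -f: we background ssh ourselves so we can record its pid
#  - ServerAliveCountMax: with interval 30 and count 3, a dead peer is
#    noticed after ~90 s instead of a half-open tunnel sitting for hours
#  - ExitOnForwardFailure: ssh exits if the local port cannot be bound
#  - BatchMode + StrictHostKeyChecking=yes: never prompt (cron has no tty)
#    and never accept an unknown or changed bastion host key; the bastion
#    must already be in known_hosts of the user running this script
#  - bind 127.0.0.1 explicitly so the forwarded DB port is never exposed on
#    other interfaces (any local user can still reach it; the DB credentials
#    are the only control at that point)
tunnel_start() {
    nohup ssh \
        -o ServerAliveInterval="$ALIVE_INTERVAL" \
        -o ServerAliveCountMax="$ALIVE_COUNT" \
        -o ExitOnForwardFailure=yes \
        -o BatchMode=yes \
        -o StrictHostKeyChecking=yes \
        -N -L "127.0.0.1:${LOCAL_PORT}:${RDS_HOST}:${RDS_PORT}" \
        -i "$KEY_FILE" "${BASTION_USER}@${BASTION_HOST}" \
        </dev/null >>"$LOG_FILE" 2>&1 &
    echo $! >"$PID_FILE"
}

tunnel_stop() {
    if tunnel_running; then
        kill "$(cat "$PID_FILE")" 2>/dev/null || true
    fi
    rm -f "$PID_FILE"
}

# What cron calls: start the tunnel if it is not running (covers the
# "died after 2h15m" case as well as the bastion or RDS going down).
tunnel_ensure() {
    if tunnel_running; then
        return 0
    fi
    rm -f "$PID_FILE"            # stale pid file from a tunnel that died
    if ! key_perms_ok; then
        echo "$(date) $KEY_FILE must be mode 600 (or 400)" >>"$LOG_FILE"
        return 1
    fi
    tunnel_start
    echo "$(date) tunnel (re)started, pid $(cat "$PID_FILE")" >>"$LOG_FILE"
}

case "${1:-}" in
    ensure) tunnel_ensure ;;
    stop)   tunnel_stop ;;
    *)      : ;;                 # no argument: only define the functions
esac
```

The pid check is deliberately the only health test: with ExitOnForwardFailure set, ssh cannot be alive without the forward, and the ServerAlive options make ssh itself exit within about 90 seconds of the bastion or RDS path dying, at which point the next cron run restarts it. Run the script as the same user that runs the service (so that user owns the key and the pid file), and keep the bind address on loopback unless you really want other hosts reaching the database through this server.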

If you know of a better way, I'd be glad to hear it.
