Using FRP for Intranet Penetration and Flexible Port Mapping – A Practical Guide

The author describes the pain points of using limited and costly intranet penetration products and shares a custom SSH port‑mapping script to expose additional ports.

路径：.ssh/config
Host xzll_suzhuji
    HostName 97xcxxxxx.mmcp.fun
    User root
    Port 44170
    ControlMaster auto
    ControlPath ~/.ssh/control-%r@%h:%p
    ControlPersist yes
    ServerAliveInterval 60
    ServerAliveCountMax 3

#!/bin/bash
# 检测是否存在已有的 ssh 进程
echo "正在检查是否存在 SSH 进程..."
SSH_PID=$(pgrep -f "ssh -fN")
if [ -n "$SSH_PID" ]; then
    echo "检测到 SSH 进程 (PID: $SSH_PID)，正在终止..."
    kill -9 $SSH_PID
    echo "SSH 进程已终止。"
else
    echo "没有检测到现有的 SSH 进程。"
fi
# 创建主连接
echo "正在创建主连接..."
ssh -fN xzll_suzhuji
if [ $? -eq 0 ]; then
    echo "主连接已创建成功。"
else
    echo "主连接创建失败！"
    exit 1
fi
# 定义目标主机 IP 地址常量
TARGET_HOST_134="192.168.122.139" # 对应vm04
TARGET_HOST_136=192.168.122.136 # 对应vm06
TARGET_HOST_137=192.168.122.137 # 对应vm07
TARGET_HOST_138=192.168.122.138 # 对应vm08
# 定义隧道信息（名称和端口）
tunnels=(
    "Redis 哨兵隧道 (26379):26379:${TARGET_HOST_136}:26379"
    "Redis 哨兵隧道 (36379):36379:${TARGET_HOST_137}:36379"
    "Redis 哨兵隧道 (46379):46379:${TARGET_HOST_138}:46379"
    "Redis 隧道 (6379):6379:${TARGET_HOST_136}:6379"
    "Redis 隧道 (6380):6380:${TARGET_HOST_137}:6380"
    "Redis 隧道 (6381):6381:${TARGET_HOST_138}:6381"
    "宝塔 隧道 (14270):18888:localhost:14270"
    "Jenkins 隧道 (18079):18079:${TARGET_HOST_136}:8079"
    "IM 长连接 隧道 (10001):10001:${TARGET_HOST_136}:10001"
    "MySQL 隧道 (13306):13306:${TARGET_HOST_136}:3306"
    "CK http 隧道 (18123):18123:${TARGET_HOST_136}:8123"
    "CK tcp 端口 隧道 (19000):19000:${TARGET_HOST_136}:9000"
    "nacos 隧道 (18848):18848:${TARGET_HOST_136}:8848"
    "zk server 隧道 (12181):12181:${TARGET_HOST_136}:2181"
    "rocketmq 控制台 隧道 (18080):18080:${TARGET_HOST_136}:8080"
    "rocketmq server 隧道 (19876):19876:${TARGET_HOST_136}:9876"
    "rocketmq broker 隧道 (10909):10909:${TARGET_HOST_136}:10909"
    "rocketmq broker 隧道 (10911):10911:${TARGET_HOST_136}:10911"
    "MySQL 隧道 (23306):23306:${TARGET_HOST_137}:3306"
    "CK http 隧道 (28123):28123:${TARGET_HOST_137}:8123"
    "CK tcp 端口 隧道 (29000):29000:${TARGET_HOST_137}:9000"
    "elasticsearch 隧道 (29200):29200:${TARGET_HOST_137}:9200"
    "zk server 隧道 (22181):22181:${TARGET_HOST_137}:2181"
    "zk server 隧道 (32181):32181:${TARGET_HOST_138}:2181"
    "elasticsearch 隧道 (39200):39200:${TARGET_HOST_138}:9200"
    "kabana 隧道 (35601):35601:${TARGET_HOST_138}:5601"
)
for tunnel_info in "${tunnels[@]}"; do
    tunnel_name="${tunnel_info%%:*}"
    tunnel="${tunnel_info#*:}"
    echo "正在打开 ${tunnel_name}..."
    ssh -fN -L $tunnel xzll_suzhuji
    if [ $? -eq 0 ]; then
        echo "${tunnel_name} 已成功打开。"
        lsof -iTCP:$(echo $tunnel | cut -d':' -f1) -sTCP:LISTEN
    else
        echo "${tunnel_name} 打开失败！"
    fi
    echo ""
done
echo "所有隧道已成功打开。"

FRP (Fast Reverse Proxy) is introduced as a high‑performance reverse‑proxy solution for exposing internal services to the public internet. Its components— frps (server) and frpc (client)—are explained along with core features such as multi‑protocol support, load balancing, and access control.

The deployment steps are outlined: a public Huawei Cloud server runs frps , while four internal machines (one physical and three VMs) run frpc . Configuration files frps.ini and frpc.ini are provided, showing how to map ports for services like Redis, MySQL, RocketMQ, Jenkins, and SSH.

# vm06的frpc.ini配置：
[common]
server_addr = x.x.x.x
server_port = 7000

[vm06_rocketmq_console]
type = tcp
local_ip = 127.0.0.1
local_port = 8080
remote_port = 8080

[vm06_im长连接]
type = tcp
local_ip = 127.0.0.1
local_port = 10001
remote_port = 10001

[vm06_nacos]
type = tcp
local_ip = 127.0.0.1
local_port = 8848
remote_port = 8848

[vm06_redis]
type = tcp
local_ip = 127.0.0.1
local_port = 6379
remote_port = 6379

[vm06_zookeeper]
type = tcp
local_ip = 127.0.0.1
local_port = 2181
remote_port = 2181

[vm06_redis-sentinel]
type = tcp
local_ip = 127.0.0.1
local_port = 26379
remote_port = 26379

[vm06_mysql]
type = tcp
local_ip = 127.0.0.1
local_port = 3306
remote_port = 13306

[vm06_ssh]
type = tcp
local_ip = 127.0.0.1
local_port = 22
remote_port = 2226

[vm06_jenkins]
type = tcp
local_ip = 127.0.0.1
local_port = 8079
remote_port = 8079

[vm06_flink_ui]
type = tcp
local_ip = 127.0.0.1
local_port = 8078
remote_port = 8078

Both services can be started directly with ./frps -c frps.ini and ./frpc -c frpc.ini , but the author recommends managing them via systemd for automatic start‑up. Sample unit files for frps.service and frpc.service are shown.

[Unit]
Description=FRP server Service
After=network.target

[Service]
Type=simple
User=root
WorkingDirectory=/home/frp/frp_0.61.0_linux_amd64
ExecStart=/home/frp/frp_0.61.0_linux_amd64/frps -c /home/frp/frp_0.61.0_linux_amd64/frps.ini
Restart=on-failure
RestartSec=5s
StandardOutput=append:/home/frp/frps.log
StandardError=append:/home/frp/frps_error.log

[Install]
WantedBy=multi-user.target

[Unit]
Description=FRP Client Service
After=network.target

[Service]
Type=simple
User=root
WorkingDirectory=/home/hzz/frp/frp_0.61.0_linux_amd64
ExecStart=/home/hzz/frp/frp_0.61.0_linux_amd64/frpc -c /home/hzz/frp/frp_0.61.0_linux_amd64/frpc.ini
Restart=on-failure
RestartSec=5s
StandardOutput=append:/home/hzz/frp/frpc.log
StandardError=append:/home/hzz/frp/frpc_error.log

[Install]
WantedBy=multi-user.target

After reloading systemd and enabling the services, the author demonstrates checking their status and viewing the FRP web dashboard, which displays active tunnel mappings. A quick test of an exposed service confirms successful port forwarding.

In conclusion, the author finds FRP to be a flexible, free solution for exposing any required internal ports, simplifying network penetration tasks.