LinuxQuestions.org
Old 03-21-2013, 08:00 PM   #1
MostViktorious
LQ Newbie
 
Registered: Oct 2010
Location: Toronto, Canada
Distribution: Arch Linux
Posts: 25

Rep: Reputation: 1
Question Can connect to SSH through router remotely, yet not within network.


My goal was to set up an SSH server on my laptop that I can access remotely. I figured out how to easily forward ports (simply use the router website interface) but no matter what, nmap scans continually revealed that port 22 (which was forwarded from on the router) wasn't open when scanning my router IP, 192.168.2.1.

I reset my router, did everything, couldn't connect. I tried SSHing from multiple devices and it still didn't work. However, if I do an online port scan, i.e. using a website like canyouseeme.org, then it shows port 22 IS open. This was extremely strange. But I figured out that if I use an online web-based ssh client, I can ssh "remotely" into my computer from the web and that port forwarding indeed works. Yet, why cannot I also ssh from within my network using an internet IP address as my router?
 
Old 03-21-2013, 08:53 PM   #2
michaelk
Moderator
 
Registered: Aug 2002
Posts: 11,763

Rep: Reputation: 719
You should be able to ssh using your WAN IP address from within your network as well as ssh to the server's LAN IP address from any computer on your LAN. You cannot use the router's LAN IP address, i.e. 192.168.2.1.
 
Old 03-21-2013, 10:17 PM   #3
MostViktorious
LQ Newbie
 
Registered: Oct 2010
Location: Toronto, Canada
Distribution: Arch Linux
Posts: 25

Original Poster
Rep: Reputation: 1
I tried using the router's WAN address on my nmap scan and to connect, but it did not work. The same thing with the LAN. I could only connect with the router's WAN address outside of my network.
 
Old 03-22-2013, 02:16 PM   #4
suicidaleggroll
Senior Member
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 2,603

Rep: Reputation: 940
Port forwarding only works when coming in through the WAN port. You can't ssh into the router's LAN IP and expect it to forward you properly. As for why it won't work when SSHing to your router's public WAN IP from within your network... my guess is your modem or ISP is blocking loopback connections.
 
1 members found this post helpful.
Old 03-22-2013, 07:24 PM   #5
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654
Are you forwarding port 22 to your laptop's LAN IP address or changing the port used as well?

You should be able to do both for the WAN interface. Using a port over 1024 on the WAN side and forwarding it to your laptop's IP address on port 22 will greatly reduce the number of script kiddie brute force attacks.

On the LAN, access ssh using your laptop's LAN IP address instead.

For many routers, you can use the hostname instead of the IP address. You may need to fix the IP address to your laptop's MAC address in the router's config for this to work.
 
Old 03-25-2013, 12:42 PM   #6
Skaperen
Senior Member
 
Registered: May 2009
Location: WV, USA
Distribution: Slackware, CentOS, Ubuntu, Fedora, Timesys, Linux From Scratch
Posts: 1,777
Blog Entries: 20

Rep: Reputation: 115
Quote:
Originally Posted by suicidaleggroll View Post
Port forwarding only works when coming in through the WAN port. You can't ssh into the router's LAN IP and expect it to forward you properly. As for why it won't work when SSHing to your router's public WAN IP from within your network... my guess is your modem or ISP is blocking loopback connections.
It depends where the router's software checks a packet to see if it matches the forwarding criteria. If the criteria does not specify a destination IP address, and its test is placed at a point where packets in both directions go through (usually pre-routing), then one forward entry can apply to all IPs.

Usually, small routers just handle port forwarding by using a permanent NAT entry. And they often only support NAT for the WAN. On a major enterprise firewall device, I had to put forwarding entries in twice for each port I wanted to go to in order to allow this from both outside users on the internet and inside users on our LANs.
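
The behaviour discussed in posts #4 and #6, as an added example that is not part of the thread: a small Python model of a router's forwarding table, showing which of the original poster's three connection attempts match a WAN-only entry, a second LAN-side entry, or one entry with no interface or destination IP in its criteria. Only 192.168.2.1 comes from the thread; the other addresses, the interface names and the `snat_lan` flag are assumptions, and the reply-mismatch case (a LAN-side forward without source rewriting) goes beyond what the posts state.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addressing: 192.168.2.1 is the router LAN IP from the thread;
# the laptop, client and WAN addresses are made up for illustration.
LAN = ip_network("192.168.2.0/24")
ROUTER_LAN, LAPTOP, WAN_IP = "192.168.2.1", "192.168.2.10", "203.0.113.7"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: str            # "wan" or "lan": where the router received it

@dataclass(frozen=True)
class Forward:
    in_iface: Optional[str]  # None = entry is tested on every interface
    dst: Optional[str]       # None = no destination IP in the criteria
    dport: int
    to: str
    snat_lan: bool = False   # also rewrite the source of LAN-to-LAN forwards

def connect(pkt: Packet, rules: list) -> str:
    """Return the outcome of one TCP connection attempt through the router."""
    for r in rules:
        if r.in_iface not in (None, pkt.in_iface):
            continue
        if r.dst not in (None, pkt.dst) or r.dport != pkt.dport:
            continue
        hairpin = ip_address(pkt.src) in LAN and ip_address(r.to) in LAN
        if hairpin and not r.snat_lan:
            # Laptop replies directly from its own IP; client expected pkt.dst.
            return "reply-mismatch"
        return "forwarded"
    # No entry matched: the packet is for the router itself, which runs no sshd.
    return "closed-on-router" if pkt.dst in (ROUTER_LAN, WAN_IP) else "routed"

OUTSIDE = Packet("198.51.100.9", WAN_IP, 22, "wan")
LAN_TO_ROUTER = Packet("192.168.2.20", ROUTER_LAN, 22, "lan")
LAN_TO_WAN_IP = Packet("192.168.2.20", WAN_IP, 22, "lan")
WAN_ONLY = [Forward("wan", WAN_IP, 22, LAPTOP)]
TWO_ENTRIES = WAN_ONLY + [Forward("lan", WAN_IP, 22, LAPTOP, snat_lan=True)]
# With no destination IP this entry also captures LAN clients' outbound port 22.
ANY_IFACE = [Forward(None, None, 22, LAPTOP, snat_lan=True)]

def outcomes(rules):
    return [connect(p, rules) for p in (OUTSIDE, LAN_TO_ROUTER, LAN_TO_WAN_IP)]
```

`outcomes(WAN_ONLY)` reproduces the symptoms in post #1: the outside probe is forwarded while both attempts from inside the LAN end at the router itself.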
 
Old 03-25-2013, 12:55 PM   #7
suicidaleggroll
Senior Member
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 2,603

Rep: Reputation: 940
Quote:
Originally Posted by Skaperen View Post
It depends where the router's software checks a packet to see if it matches the forwarding criteria. If the criteria does not specify a destination IP address, and its test is placed at a point where packets in both directions go through (usually pre-routing), then one forward entry can apply to all IPs.

Usually, small routers just handle port forwarding by using a permanent NAT entry. And they often only support NAT for the WAN. On a major enterprise firewall device, I had to put forwarding entries in twice for each port I wanted to go to in order to allow this from both outside users on the internet and inside users on our LANs.
Thanks for the clarification. The vast majority of my experience is with the small home routers you refer to in your post.
 
Old 03-25-2013, 02:28 PM   #8
Skaperen
Senior Member
 
Registered: May 2009
Location: WV, USA
Distribution: Slackware, CentOS, Ubuntu, Fedora, Timesys, Linux From Scratch
Posts: 1,777
Blog Entries: 20

Rep: Reputation: 115
Quote:
Originally Posted by suicidaleggroll View Post
Thanks for the clarification. The vast majority of my experience is with the small home routers you refer to in your post.
The same basics apply to enterprise and SOHO routers. But the latter may lack a lot of the extra features to minimize the firmware space, get you to buy a higher priced model, etc. These would be features less needed or used in the SOHO environment, such as making a local server look like it's all part of the internet to office staff, so they can just use the common hostname instead of a special internal one.
 
Old 03-26-2013, 06:07 PM   #9
lleb
Senior Member
 
Registered: Dec 2005
Location: Florida
Distribution: CentOS/Fedora
Posts: 2,440

Rep: Reputation: 435
In short, you are testing the wrong side of your router. nmap via your LAN to your router will show NOTHING as your router is not capable of receiving an ssh connection. It is set up to accept HTTP/HTTPS and maybe a COM port connection, but that is highly unlikely unless this is either very old or a high end router.

Internally, if you cannot
Code:
ssh user_name_of_laptop@LAN_IP_of_laptop
then you need to properly configure the laptop and its firewall software. As you have not provided us with the distro you are running we have no way of directing you on this line of troubleshooting.

If you are able to ssh into the laptop via your LAN as I instructed above then as long as your laptop is set to either a static IP on your LAN, or you configure the DHCP to always assign your laptop's MAC address for its NIC then your port forwarding is worthless. Every time the laptop's IP changes your port forwarding will break.

1. Verify that you are issuing the correct ssh command to gain access to the laptop via your LAN.

2. If you are unable to connect, start with the laptop and troubleshoot the connection issue.
2a. Verify that sshd is running and properly configured to accept connections.
2b. Verify that the firewall (iptables, ip6tables, firewalld, whatever) is configured to allow ssh connections.

3. Configure your laptop to either run a static IP while at home, remembering to set it back to DHCP while on the road, or configure your DHCP server to always assign the same IP to your laptop.

4. Verify that you can ssh into your WAN IP after all the above is resolved and functioning 100%.

5. Consider either investing in a static IP from your ISP, or try to find a DDNS service that you can either run via your laptop or your router. If you can run one from your router that would be best.

Before we can really help we need more information about the distro you are running on your laptop and how it is configured.
 
  


Tags
port forwarding, ssh access

