Trying to setup remote logins on small network

armedguard · 12-07-2003, 01:42 PM

Hello -
I am so thankful that these forums exist!

Yes, I guess I am a newbie.

I am trying to setup a few remote logins from my Linux box. When I say remote, I mean via the internet. I want to set it up so that the user can ssh into the machine and do some development work, etc.

My "network" is as follows:

Linux Machine --> ROUTER <--Windows Machine

Each is machine is connected to the router on ethernet cars, and the router is connected to the internet via cable DSL.

I think I have already setup ssh and the ssh daemon correctly, since I can ssh into my own box (sshd is running):

ssh localhost.locadomain

This works fine...

But I can't figure out to allow ssh from outside my little network, e.g., a user in another city using PuTTY and Exceed (or just plain old ssh from an xterm on a SunOS).

BTW, I am running a fairly obscure distro called CPUBuilders Linux, an out-of-the box OS that came bundled with the PC. It seems to work great!

Any help would be greatly appreciated...

Cheers

david_ross · 12-07-2003, 01:49 PM

Welcome to LQ.

You will need to go into your router setup and forward port 22 to the local IP address of your linux machine.

You may also need to check your firewall settings on hte linux box so they are not blocking port 22:
iptables -nL

armedguard · 12-07-2003, 02:52 PM

Thank you for the quick response.

iptables -nL produces the following output (when ran as root):

Code:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

There does not seem to be anything there explicitly blocking port 22.

Quote:

You will need to go into your router setup and forward port 22 to the local IP address of your linux machine.

I don't have the first clue as to how to accomplish this. I am using a Linksys/Cisco router hub. I have looked through all the network settings and the system doesn't seem to know about the router - I just get an IP address assigned by the DSL modem via dhcpcd.

Besides, I would (ideally) like to be able to allow an ssh session to a named mahine, like "myuniqueserver.myuniquedomain" instead of making the user use an IP address. Is this possible, or would that make it a lot more complex?

I know, I know, lots of questions...but all the howtos and tutorials I poured through seem to explain everything excpet what I need to know.

Thanks for your help.

-armedguard

zaphodiv · 12-07-2003, 10:55 PM

Read the manual for the router

>"myuniqueserver.myuniquedomain" instead of making the user use an IP address.
You can point a domain name at your internet ip address, places like dyndns.org will give you a name for free and some software that updates the dns if you ip changes.

A DSL connection only gives you one internet ip address, if you want to have several machines behind a NAT router accessible using SSH then you are going to have to use a nonstandard port for all but one of them.

armedguard · 12-08-2003, 10:31 AM

zaphodiv,
Thanks for the tip. I did indeed read the manual for the router and the configuration is through a web browser (duh - just type in your machine address of 192.168.x.x, etc). This provided me with some good insight as to how this all works, and I am one step closer to getting this to work.

But there does not seem to be a configuration that allows me to route the address of the router through port 22, as mentioned above. As I understand it, my setup to allow ssh to my machine should be:

Internet -> router IP ->port 22->machine IP

Correct?I

Thanks for all the help!

chort · 12-08-2003, 10:48 AM

It should be in advanced under port forwarding. By the way, make sure you change the admin password to something other than the default (and make it difficult to guess!) and make sure as well that the admin server doesn't allow connections from outside your network. By default those Linksys devices are highly insecure.

PS you don't seem to have consulted your product documentation because I have one of the same devices (long since boxed up and now in my garage) and it does document where to find the advanced settings.

armedguard · 12-08-2003, 01:10 PM

It took some folling around with the router settings (which were NOT doccumented, BTW), but I think I got the router using port 22 for ssh. LinkSys has an accute shortage of documnetation and mentions nothing about Linux (only mentions Windows).

Thanks for the tip - I changed my router password and disabled external access immediately. I had no clue it was that insecure!

Here's a real newbie question:
One thing I still don't get. Let's say I wanted to access my machine via ssh through the internet, and its address was 192.168.0.100

Would I ssh to that IP or to the IP of the router (or what)? It wouldn't make sense to ssh to my machine address, since it is local, right?

Please clarify...

Thank you

david_ross · 12-09-2003, 12:27 PM

You are right - you need to ssh to the IP of your router since the servier ip is private.

colnago · 12-09-2003, 01:33 PM

dslreports.com has a lot of info on routers. If you need more help on yours in the future, they have a hardware specific forum that is very helpful. Security and firmware updates are usually posted there very quickly. There is also a port scan tool that can provide some feedback to your security level (expect to see pport 22 open, as you are forwarding this to your linux box).

armedguard · 12-10-2003, 09:53 AM

Thanks everyone for the advice.

I tried to ssh to the router IP and it refused my connection.. I then tried to telnet, and same thing. When I telnet throught port 22, it connects, but then disconnects.

I can ping the router, but that's it. To say the least, it is frustrating. I simply don't know enough about seting up these connections!

Ok, so the next step is figuring out how to make the router IP connect to my local machine IP. It seems like I need to route the IP of the router through my machine (or vice versa, using the route command).

Any suggestions?

Thanks!

colnago · 12-10-2003, 07:44 PM

Hi,

A lot of newer routers don't use telnet or ssh, you use a browser based interface. To do this, try (in your web browser address bar) http://192.168.0.1

You can look this up in the documentation for the router (online if you don't have it anymore).

armedguard · 12-10-2003, 10:25 PM

Colnago, et al:
Yes, I tried this and it works. I can use my browser to configure the router, but what I am trying to do is use the router as a gateway to ssh into my linux box, if that is at all possible...

chort · 12-10-2003, 11:34 PM

Can your Linux box access the Internet through the router? If it can, there is no problem with the route on the Linux box.

What you need to do is go into the port forwarding settings and set external port #### to forward to internal port 22 on 192.168.0.100. #### could be anything (even 22), but I don't recommend using a well known port that is likely to be scanned by nmap. Pick something above 1023 (perferably well above 1023) so it's less likely to be discovered.

armedguard · 12-11-2003, 10:26 AM

SUCCESS!!

Thanks guys for all your help.

I think I am beginning to understand the concept of IP routing now! I used the router setup utility to use the router as a gateway to my machine address:

router.ip -> 192.168.1.100, and this is tunneled through port 22. I will consider changing the port, but then this means the sshd will also have to use this port - but that is an excellent suggestion

It feels so good to actually get soemthing to work.

Cheers.