ssh firewall

jumbled · 04-09-2005, 08:52 PM

I want to ssh to a machine that is behind a firewall. I have port forwarding enabled on the firewall for port 22, and I can reach on the local network, but not from anywhere. I am sure there is an easy fix any help would be appreciated. I ssh 1**.***.***.184:192.168.0.101

macemoneta · 04-09-2005, 09:49 PM

Does your system have its own firewall that needs SSH permitted? Your ssh syntax isn't correct; you just want

ssh 1**.***.***.184

The internal address will be taken care of by the port forwarding (that is, you should have port forwarded port 22 to 192.168.0.101).

jumbled · 04-09-2005, 10:43 PM

It is an external netgear router. The port forwarding just means that the router wont block or interfer with communication on that port, but not necessarilly only send it to that device. How do you specify which address downstream of the router will get the signal.

stutterbug · 04-09-2005, 11:26 PM

I can't speak for NetGear, but for most hardware NAT routers, 'port forwarding' usually means passing on requests on specific ports to specific IPs on the LAN (compare http://en.wikipedia.org/wiki/Port_forwarding and http://en.wikipedia.org/wiki/Network...ss_translation). I have a LinkSys router and the port forwarding is in their web interface under "Applications and Gaming", though it used to be somewhere else. If your router doesn't offer that now, check to see if there is a firmware upgrade that will allow it. This does mean, though, that if you have two computers running services on the same port (BitTorrent is the most frequent example), only one of them will get the inbound traffic. It also means that if you use DHCP, you will have to reset the IP in your NetGear control interface every time the IPs change or you will have to adopt static IPs for the machines being forwarded to (which is what I do).

macemoneta · 04-09-2005, 11:27 PM

Port forwarding sends data, directed to a given port, only to a specified PC (by definition). In the Netgear router, you need to specify the IP address of the internal PC that will receive traffic directed to port 22.

You will also need to disable DHCP (if enabled), and statically assign IP addresses on your PCs. Since you can only port forward to a specific IP, DHCP is incompatible with port forwarding (since it dynamically assigns IP addressess).

The configuration specifics for accomplishing these tasks should be in the manual that came with your router.

jumbled · 04-10-2005, 04:02 AM

Thank you. I set it up so it should work, but it isn't. I have port forwarding for port 22 to that computer and I checked its ip before I left. When I get back in town I'll assign it a static ip and see if that helps. Thank you.

paul_dundee · 04-11-2005, 10:01 AM

another wise move would be to change the port number sshd listens on. Make sure it is an unused port.

If you check your /etc/ssh/sshd_config you should find a segment of code that looks like:

Code:

#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

Uncomment the first line, select a different port number. give your box a static ip and set your router to forward traffic on your chosen port to that ip address.

After that, you will need to restart sshd, in my distro it is

Code:

/etc/rc.d/init.d/sshd restart