I'm trying to set up NoMachine NX so I can securely access my PC from the Internet. I can SSH into my PC from within the LAN and also connect to it using NX. Forwarding port 22 on my Devil-Linux router is doing something strange though.

I've edited firewall.rules in Devil-Linux to forward multiple ports for other applications, all of which works fine. Forwarding TCP port 22 using the same method results in Internet SSH requests being answered by Devil-Linux, not my LAN PC. So I can SSH into my Devil-Linux router from the Internet, but it is not forwarding the traffic to my PC.

I'm forwarding SSH in firewall.rules using:

# NoMachine NX Free Edition to Codex (TCP)
SERVER_IP=192.168.1.103 # Internal IP of server.
PORT=22 # 22 = SSH. Change to 80 for web server, etc.
${IPTABLES} -A PREROUTING -i ${OUT_DEV} -t nat -p TCP --dport $PORT -j DNAT --to ${SERVER_IP}:${PORT}
${IPTABLES} -A FORWARD -p TCP -d ${SERVER_IP} --dport $PORT -i ${OUT_DEV} -o ${INT_DEV} -j ACCEPT

Any ideas? Thanks all.

I don't understand your network setup as hardware device are in relation from the actually Internet point to final destination. But I assume you have open port 22 on the outside device and setup port forwarding on that port on that device or interface to the next point it needs to hit to continue.

Now the thing I need to ask is are you trying to connect from within the lan using the external internet wan IP? If so then it may not work if you are using a simply store bought router on the outside. These devices lack the ability to lokk back onto itself properly. So if this is the case have you gone to a remote site and tried connecting that way?

You may try using a rmote port scanning site to see if it is open on the outside like using the advanceport scanning tool here. http://www.pcflank.com/test.htm

Brian

I'm using Devil-Linux on an old PC as my router. It's connected to a cable modem on one NIC, and a 8 port switch on a second NIC. All other PCs on the LAN are on the same switch as well. I have several ports configured to forward to various PCs on the switch, which all have worked.

I have been testing SSH from inside the LAN using my external IP. I'll have to test it from outside to make sure. SSH does work, but it logs me into the router and not my own PC that the router's set to forward SSH to.

I tested only the ports I have forwarded and got the following results:

The only running programs actively listening would be SSH (22) and a P2P app (6666). I'm guessing the port scanner needs some kind of response on a port to classify it as open, even if in fact it is open regardless.

In firewall.rules in Devil-Linux there are two areas for opening ports and forwarding, both with commented-out examples:

I've only used the first example, and have nothing that uses the second example. I tried the second example for port 22, so it was open to Devil-Linux and forwarded to my PC, and had no success there either.

Is there some way I can trace network traffic to see what's happening? It's like SSH is going from Internet to router then stopping. The router logs me in rather than forwarding so my PC can log me in. Thanks for your help.

Maybe this could be it... Devil-Linux is running SSHD so I can log into it from my LAN to make configuration changes, etc. Maybe the SSHD service is taking precedence over the port forwarding rule. SSHD is like, "Oh, an SSH request, surely that's for me," and handles the request rather than forwarding the traffic.

If that's the case, then the question is how to make SSHD only handle local requests (192.168.1.x) and forward all other requests. Maybe I could use a port other than 22 for Internet requests, and reconfigure SSH on my PC to listen on a different port. What do you think? Busted, plausible, or confirmed?

You would want to change the port anyway to reduce the number of script kiddie attacks.
You could translate the port in the firewall to port 22 on the target server. You might also want to use different ports on the internet side of the router for each host on the lan that you want to access.
So port 1025 could be for the server on your lan, and port 1026 for your workstation.

Another alternative is to allow port forwarding in the sshd_config configuration. However, forwarding the traffic at the router would be easier and would be safer for the firewall.

Be sure to lock down the ssh service. Only use protocol 2, disallow root logins, use public key authentication, use "AllowUsers" to disable all system user logins.

Cool. I'm going to give that a try and will report whether or not it works to spare future generations the pain. I found some good info regarding what you're talking about here:

http://www.linux.com/articles/61061

I changed the port my router uses for SSH to one value, then changed the port my PC uses for SSH to another value. I then had the firewall rule on the router forward the second port to my PC, saved the config, and restarted both PCs.

I can still connect to the router over the Internet by specifying its port, but can't connect to my PC using the second port. Running a port scan on the two ports shows that the router SSH port is stealthed and that my PC's SSH port is open. That is the opposite of what I would have expected since the stealthed port works and the open port fails. I also can still connect to localhost on my PC using the new port, so the problem is definitely somewhere in the router config.

I admit that networking isn't my strong point, but this is getting bizarre.

What is your current port forwarding line for forwarding the external IP and port to the inside machine IP and port.

Not knowing the exact values but here is an example.
The router has an SSHD server up. Using port say 1022. You have the firewall open for port 1022.
Now to get to the other lan machine and lets say it uses 2022. Now on the router you open port 2022 and then add iptables to port forwarded to the lan IP port 2022. The lan machine you are connecting SSHD uses port 2022 and if a firewall exist on it that port 2022 is open to it.

Brian

Okay, I think I got it working. Looks like the problem is either Devil-Linux or my cable modem or ISP. I had to get my dad to try to SSH in from a different location, which produced different results than I got hitting my WAN IP from within my LAN.

Guess the only question I have left is do I need to have the following for every service I want to forward to a PC on my LAN? According to Devil-Linux, these lines open a port on the router. Perhaps this is the same as the forwarding lines, minus the forwarding?
The forwarding rules seem to work for all my stuff, none of which have this line to open the port to the router.

Thanks all.

I don't know what all you plan to do but if you have say 7 machines runing sshd and wanted internet access to them then you need to open 7 ports on the router and forward them to thier proper lan machine. Now being a linux router you can leave all lan machines sshd as port 22 then on the linux router portforward the external IP port 1022 to lan1 IP, port 22, IP port 1023 to lan2 IP, port 22, and so forth.

I myself would only open a single sshd to one machine then once in that machine connect to any lan resources you want from there. Now all one has to do is maintain up to date server daemons on two machine (the router and one lan machine).

Brian

You would find out something similar if you tried to reach your own web server on the LAN using it's canonical name. You need to connect to a device on the LAN using a local address.

Some NAT routers allow you to forward a port to a certain machine and also use a different port on the destination.

So you could configure the forwarding like:
:1024 <-> 192.168.1.100:22
:1025 <-> 192.168.1.101:22
:1026 <-> 192.168.1.102:22

In other words the destination port number could be the standard ssh port on the hosts. Only a remote client would need to change the port:
E.G.: ssh 24.24.24.24:1024