fourhead (l33t)
Joined: 03 Sep 2003  Posts: 875  Location: Cologne, Germany
Posted: Fri Apr 16, 2004 5:10 pm  Post subject: sshd behind firewall
Hi, I have a network behind a DSL router with firewall. In the network, there's a Gentoo box with IP 192.168.1.16 and sshd listening. I've set the firewall in the router (Longshine) to forward all traffic from outside that comes to tcp/4321 (I've also tried it with port 22, but I don't want to use the standard SSH port from outside if possible) to 192.168.1.16/22. I've also created a rule to forward all traffic from all outside IPs that come to port 4321 to 192.168.1.16. But I can't SSH login into the Gentoo machine. What am I doing wrong? I can ping the network on its single IP address that's being exposed to the internet (80.132...). Shouldn't it work this way? SSH is working when I ssh into 192.168.1.16 from another Linux machine inside the network. Can someone help me?
Tom
davidblewett (Apprentice)
Joined: 15 Feb 2004  Posts: 274  Location: Indiana
Posted: Fri Apr 16, 2004 5:27 pm  Post subject: Re: sshd behind firewall
> elektrohirn wrote:
> I've also created a rule to forward all traffic from all outside IPs that come to port 4321 to 192.168.1.16.

I am just starting to learn this kind of thing, so I might be off-base here. Maybe what's happening is the router is forwarding the packets to 192.168.1.16:4321 instead of 192.168.1.16:22. Have you tried configuring your ssh server to listen on both ports? What kind of error messages do you get? Try doing ssh -v to get verbose output from the client.
_________________
No guilt in life, no fear in death
this is the power of Christ in me
From life's first cry to final breath
Jesus commands my destiny
-- Newsboys, "In Christ Alone", "Adoration: The Worship Album"
jimcooncat (n00b)
Joined: 25 Mar 2004  Posts: 21
Posted: Fri Apr 16, 2004 5:31 pm
I did much the same thing, except I have ssh on my Gentoo box listen to the same port as what's incoming on the router, in your case 4321.

In /etc/ssh/sshd_config, change:

    Port 22

to:

    Port 4321

And rework your router to forward:

    tcp/4321 to 192.168.1.16/4321

I don't think I could even get my router to forward from one external port to a different internal port. If your router has this limitation, these changes might work.

But then again, I'm a noob. YMMV.
_________________
JimCooncat
Fly-by-Night Operations Empowerment Advocate
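The suggestion above hinges on sshd actually binding the port the router forwards to. The following is an added example, not code from the thread: it resolves the address/port pairs an sshd_config would bind (several Port lines are allowed; a ListenAddress with an explicit port binds only that port, one without a port binds every Port value, and no ListenAddress at all means the wildcard addresses) and checks a router's forward target against them. The sample configs are constructed; the function names are this example's own. One caveat from sshd_config(5): Port lines must come before a ListenAddress that has no port of its own, which the parser below does not enforce.

```python
"""Resolve which address/port pairs an sshd_config binds and check a NAT
forward target against them.  Added example, not code from the thread."""
import re

DEFAULT_PORT = 22
# Without a ListenAddress, sshd binds the wildcard addresses.
WILDCARDS = ("0.0.0.0", "::")


def _split_listen_address(value):
    """Parse 'host', 'host:port', '[ipv6]:port' or a bare IPv6 address."""
    m = re.match(r"^\[([^\]]+)\]:(\d+)$", value)      # [::1]:2222
    if m:
        return m.group(1), int(m.group(2))
    m = re.match(r"^([^:]+):(\d+)$", value)           # 192.168.1.16:22
    if m:
        return m.group(1), int(m.group(2))
    return value, None                                # bare address, all ports


def effective_listeners(config_text):
    """Return the set of (address, port) pairs sshd would listen on."""
    ports = []
    listen = []                                       # (address, port or None)
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "port":
            ports.append(int(value))
        elif key == "listenaddress":
            listen.append(_split_listen_address(value))
    if not ports:
        ports = [DEFAULT_PORT]
    if not listen:
        listen = [(w, None) for w in WILDCARDS]
    result = set()
    for addr, port in listen:
        if port is None:
            result.update((addr, p) for p in ports)   # binds every Port value
        else:
            result.add((addr, port))                  # binds only that port
    return result


def accepts_forward_target(config_text, target_addr, target_port):
    """True if the router's forward target (inside address, port) matches a
    socket sshd binds, either on that address or on a wildcard."""
    for addr, port in effective_listeners(config_text):
        if port == target_port and addr in WILDCARDS + (target_addr,):
            return True
    return False


# Constructed samples: the default, the change described above, and a
# stricter variant that only binds the LAN address on both ports.
CONFIG_BEFORE = "Port 22\n"
CONFIG_AFTER = "Port 4321\n"
CONFIG_BOTH = "Port 22\nPort 4321\nListenAddress 192.168.1.16\n"

if __name__ == "__main__":
    for name, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER), ("both", CONFIG_BOTH)):
        print(name, sorted(effective_listeners(cfg)),
              "router -> :22 ok?", accepts_forward_target(cfg, "192.168.1.16", 22),
              "router -> :4321 ok?", accepts_forward_target(cfg, "192.168.1.16", 4321))
```

Run against the real file with `accepts_forward_target(open("/etc/ssh/sshd_config").read(), "192.168.1.16", 22)` to confirm the forward target before touching the router again; the "after" config shows why a router rule still pointing at port 22 stops working once only `Port 4321` is set.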
nielchiano (Veteran)
Joined: 11 Nov 2003  Posts: 1287  Location: 50N 3E
Posted: Fri Apr 16, 2004 5:33 pm  Post subject: Re: sshd behind firewall
> davidblewett wrote:
> > elektrohirn wrote:
> > I've also created a rule to forward all traffic from all outside IPs that come to port 4321 to 192.168.1.16.
>
> I am just starting to learn this kind of thing, so I might be off-base here. Maybe what's happening is the router is forwarding the packets to 192.168.1.16:4321 instead of 192.168.1.16:22. Have you tried configuring your ssh server to listen on both ports? What kind of error messages do you get? Try doing ssh -v to get verbose output from the client.

You've got a point. To make that work, you should do some things: (transparently) forward the packets to the right destination AND port (using some sort of NAT).
You also need to make sure the packets can get back the same way. Usually the firewall takes care of that, but it's worth checking. (If it is a stateful firewall, it will do so.)
Then, make sure that your SSH daemon is accepting connections from external IP addresses.
fourhead (l33t)
Joined: 03 Sep 2003  Posts: 875  Location: Cologne, Germany
Posted: Fri Apr 16, 2004 5:43 pm
Hi, thanks for all your posts. I've configured my firewall to forward all connections from outside at port 4321 to the internal IP address 192.168.1.16 and port 22. I've also tried a second rule for outside port 22, and I've tried ssh with the -p option and both ports (4321, 22) - still no luck. Perhaps sshd is really configured to not allow connections from the WAN? How can I change this? I didn't find anything in /etc/ssh/sshd_config. Perhaps it's a problem that I'm trying to connect to the outside IP from within the network, although this should work and I've often done this with other things!
Tom
Oh, I forgot: ssh -v gives almost no info. It just says connecting to 80.132...:4321 (respectively 22) and that's it. It just waits and waits and waits ...
davidblewett (Apprentice)
Joined: 15 Feb 2004  Posts: 274  Location: Indiana
Posted: Fri Apr 16, 2004 5:46 pm
Add the -v to ssh, and post the errors. Also, check the sshd_config and try adding Port 4321 and then restart sshd.
_________________
No guilt in life, no fear in death
this is the power of Christ in me
From life's first cry to final breath
Jesus commands my destiny
-- Newsboys, "In Christ Alone", "Adoration: The Worship Album"
fourhead (l33t)
Joined: 03 Sep 2003  Posts: 875  Location: Cologne, Germany
Posted: Fri Apr 16, 2004 5:54 pm
Hi, I've already created a firewall rule so that the outside port 22 is being forwarded to the inside port 22, so this should work, I guess.
nielchiano (Veteran)
Joined: 11 Nov 2003  Posts: 1287  Location: 50N 3E
Posted: Fri Apr 16, 2004 6:12 pm
You might also try to use a packet sniffer to find your problem: are the packets coming through? Are they replied to?
That way you can see what packets get where.
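The sniffer check above separates the three places this setup can fail. The following is an added example, not code from the thread: it reads lines as `tcpdump -n` would print them on the sshd host (the interface name and the capture command `tcpdump -n -i eth0 tcp` are assumptions) and gives each inbound connection attempt a verdict. A SYN that gets a SYN-ACK means forwarding and sshd are both fine; a SYN answered with RST means the packet reached the host but nothing listens on that port (the wrong-port theory earlier in the thread); a SYN with no reply at all points at a host firewall or a reply routed somewhere else; a client that never shows up at all is a router-side problem, the rule, the port, or the fact that many consumer routers do not loop traffic sent to their own WAN address from inside the LAN back in, which matters for the from-inside test described earlier. The trace lines are constructed.

```python
"""Classify a tcpdump capture taken on the sshd host to tell the NAT
port-forward failure modes apart.  Added example; traces are constructed."""
import re

# Matches tcpdump -n output such as:
# 17:40:01.000001 IP 80.132.0.1.51234 > 192.168.1.16.22: Flags [S], seq 100, win 5840
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\]"
)

# Server reply flags -> verdict for the client that sent the SYN.
VERDICT = {None: "no-reply", "S.": "handshake", "R.": "refused", "R": "refused"}


def classify_trace(lines, server_ip, server_port):
    """Return {(client_ip, client_port): verdict} for every SYN aimed at
    server_ip:server_port and every server reply to such a client."""
    flows = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                                   # non-TCP or unparsable line
        src, sport = m["src"], int(m["sport"])
        dst, dport = m["dst"], int(m["dport"])
        flags = m["flags"]
        if dst == server_ip and dport == server_port and flags == "S":
            flows.setdefault((src, sport), {"reply": None})      # SYN arrived
        elif src == server_ip and sport == server_port and flags in VERDICT:
            flows.setdefault((dst, dport), {"reply": None})["reply"] = flags
    return {client: VERDICT[seen["reply"]] for client, seen in flows.items()}


def syn_destination_ports(lines, server_ip):
    """Which ports on this host did SYNs actually land on?  A set of {4321}
    when sshd listens on 22 means the router rewrote the port."""
    ports = set()
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["dst"] == server_ip and m["flags"] == "S":
            ports.add(int(m["dport"]))
    return ports


SERVER = "192.168.1.16"

# Constructed traces as they would be captured on the Gentoo box.
TRACE_WORKING = [
    "17:40:01.000001 IP 80.132.0.1.51234 > 192.168.1.16.22: Flags [S], seq 100, win 5840",
    "17:40:01.000050 IP 192.168.1.16.22 > 80.132.0.1.51234: Flags [S.], seq 200, ack 101, win 5792",
    "17:40:01.020000 IP 80.132.0.1.51234 > 192.168.1.16.22: Flags [.], ack 201, win 5840",
]
# Router forwarded to port 4321 where nothing listens: the kernel answers RST.
TRACE_WRONG_PORT = [
    "17:41:10.000001 IP 80.132.0.1.51300 > 192.168.1.16.4321: Flags [S], seq 100, win 5840",
    "17:41:10.000040 IP 192.168.1.16.4321 > 80.132.0.1.51300: Flags [R.], seq 0, ack 101, win 0",
]
# SYN reaches the host but nothing ever goes back out.
TRACE_DROPPED = [
    "17:42:30.000001 IP 80.132.0.1.51400 > 192.168.1.16.22: Flags [S], seq 100, win 5840",
    "17:42:33.000001 IP 80.132.0.1.51400 > 192.168.1.16.22: Flags [S], seq 100, win 5840",
]

if __name__ == "__main__":
    for name, trace in (("working", TRACE_WORKING), ("wrong-port", TRACE_WRONG_PORT),
                        ("dropped", TRACE_DROPPED)):
        print(name, classify_trace(trace, SERVER, 22), syn_destination_ports(trace, SERVER))
```

An empty verdict dict for a trace that was captured during the connection attempt is itself the answer: nothing reached the host, so the next thing to inspect is the router, not sshd.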
kpack (Tux's lil' helper)
Joined: 29 Mar 2004  Posts: 137
Posted: Fri Apr 16, 2004 6:33 pm
Just to make things easier, why don't you get it working on port 22 first, then see if you can get it to forward to another port.