ssh port forward to access my home machine from anywhere
Solution 1
I'll start with the raw facts:

You have:

- A - your FreeBSD box,
- B - your router and
- C - some machine with Internet access.

This is how it looks:

    .-----.    .-----.                      .-----.
    |  A  | == |  B  | - - ( Internet ) - - |  C  |
    '-----'    '-----'                      '-----'
    \_________ ________/
              v
              `- this is your LAN
Notice how your router normally works: it allows connections from machines on your LAN to the Internet (simply speaking). So if A (or any other machine on the LAN) wants to access the Internet, it will be allowed (again, just talking about basic understanding and configuration):

    .-----.    .-----.                      .-----.
    |  A  | == |  B  | - - ( Internet ) - - |  C  |
    '-----'    '-----'                      '-----'
       `-->----'   `--->--->--- - - - - - -->--->---^
And the following is not allowed by default:

    .-----.    .-----.                      .-----.
    |  A  | == |  B  | - - ( Internet ) - - |  C  |
    '-----'    '-----'                      '-----'
       `--<----'   `---<--- - - - - - --<---<-----'

(That is, the router protects the machines on your LAN from being accessed from the Internet.) Notice that the router is the only part of your LAN that is seen from the Internet 1).
Port forwarding is what allows the third schema to take place. It consists in telling the router which connection from C 2) should go to which machine on the LAN. This is done based on port numbers - that is why it is called port forwarding. You configure it by instructing the router that all the connections coming in on a given port from the Internet should go to a certain machine on the LAN. Here's an example for port 22 forwarded to machine A:

    .------.    .-------.                      .-----.
    |  A   | == |   B   | - - ( Internet ) - - |  C  |
    |      |    |       |                      '-----'
    '-|22|-'    ',--|22|'                         |
       `--<-22---'  `---<---- - - - - - --<-22---'
Such connections through the Internet occur based on IP addresses. So a bit more precise representation of the above example would be:

    .------.    .-------.                                .-----.
    |  A   | == |   B   | - - - - - ( Internet ) - - - - |  C  |
    |      |    |       |                                '-----'
    '-|22|-'    ',--|22|'                                   |
       `--<-A:22--'  `--<-YourIP:22 - - - - - --<-YourIP:22--'
If you do not have an Internet connection with a static IP, then you'd have to somehow learn what IP is currently assigned to your router by the ISP. Otherwise, C will not know what IP it has to connect to in order to get to your router (and further, to A). To solve this in an easy way, you can use a service called dynamic DNS. This would make your router periodically send information to a special DNS server that keeps track of your IP and provides you with a domain name. There are quite a few free dynamic DNS providers. Many routers come with configuration options to easily contact them.
1) This is, again, a simplification - the actual device that is seen from the Internet is the modem - which can often be integrated with the router, but might also be a separate box.
2) or any other machine with Internet connection.
Now for what you want:

Simply allowing SSH access to your machine from the Internet is a bad idea. There are thousands of bots set up by crackers that search the Internet for machines with an open SSH port. They typically "knock" on the default SSH port of as many IPs as they can and once they find an SSH daemon running somewhere, they try to brute-force their way into the machine. This is not only a risk of a potential break-in, but also of network slow-downs while the machine is being brute-forced.

If you really need such access, you should at least:

- assure that you have strong passwords for all the user accounts,
- disallow root access over SSH (you can always log in as a normal user and su or sudo then),
- change the default port on which your SSH server would run,
- introduce a mechanism of disallowing numerous SSH login attempts (with increasing time-to-wait for subsequent attempts - I don't remember how exactly this is called - I had it enabled some time ago on FreeBSD and I recall it was quite easy - try searching some FreeBSD forums etc. about securing SSH and you'll find it.)
- If possible, try to run the ssh daemon only when you know you will be accessing the machine in the near future and turn it off afterwards.
- Get used to going through your system logs. If you begin noticing anything suspicious, introduce additional security mechanisms like IP tables or port knocking.
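The hardening list and the log-reading advice in the answer above, as an added example that is not part of the original answer: a Python script that (1) audits an sshd_config fragment for the settings the answer names (root login over SSH, the default port) plus MaxAuthTries, which goes slightly beyond the answer and caps password guesses per connection, and (2) counts sshd "Failed password" lines per source IP in the syslog format FreeBSD writes to /var/log/auth.log and reports the sources that exceed a threshold, i.e. the scanning bots the answer describes. The two sshd_config fragments, the log excerpt, the host name bsdbox, port 2222 and the thresholds are all constructed or assumed for the demonstration.

```python
"""Added example (not from the original answers): sshd_config audit and
sshd failed-login counting for a FreeBSD box exposed through a port forward.
All input below is constructed for the demonstration."""
import re
from collections import Counter

# Constructed sshd_config fragment with the default/weak settings.
WEAK_SSHD_CONFIG = """\
# sshd_config (constructed, weak)
Port 22
PermitRootLogin yes
MaxAuthTries 6
"""

# The same fragment after applying the answer's advice (port 2222 is an assumption).
HARDENED_SSHD_CONFIG = """\
# sshd_config (constructed, hardened)
Port 2222
PermitRootLogin no
MaxAuthTries 3
"""

# Constructed /var/log/auth.log excerpt: one scanning bot, one legitimate user.
SAMPLE_AUTH_LOG = """\
Oct 30 03:12:01 bsdbox sshd[2101]: Failed password for root from 203.0.113.7 port 51021 ssh2
Oct 30 03:12:03 bsdbox sshd[2101]: Failed password for root from 203.0.113.7 port 51021 ssh2
Oct 30 03:12:05 bsdbox sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51044 ssh2
Oct 30 03:12:08 bsdbox sshd[2105]: Failed password for invalid user oracle from 203.0.113.7 port 51060 ssh2
Oct 30 03:12:11 bsdbox sshd[2107]: Failed password for invalid user test from 203.0.113.7 port 51071 ssh2
Oct 30 03:40:17 bsdbox sshd[2210]: Failed password for hari from 198.51.100.23 port 40112 ssh2
Oct 30 03:40:25 bsdbox sshd[2210]: Accepted publickey for hari from 198.51.100.23 port 40112 ssh2
"""

# Matches sshd's failed-password line; group 1 = user, group 2 = source IP.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def parse_sshd_config(text):
    """Return {keyword: value} using the FIRST occurrence of each keyword,
    which is the one sshd itself honours; comments and blank lines are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(parts[0].lower(), value)
    return settings


def audit_sshd_config(text, max_auth_tries=3):
    """Return a list of findings; an empty list means the checked settings pass."""
    cfg = parse_sshd_config(text)
    findings = []
    # Anything but an explicit "no" is reported so the admin sets it deliberately.
    if cfg.get("permitrootlogin") != "no":
        findings.append("PermitRootLogin is not 'no': root can be brute-forced directly")
    if cfg.get("port", "22") == "22":
        findings.append("Port 22: the default port every scanning bot knocks on")
    # MaxAuthTries caps password guesses per connection (sshd's default is 6).
    if int(cfg.get("maxauthtries", "6")) > max_auth_tries:
        findings.append(f"MaxAuthTries > {max_auth_tries}: too many guesses per connection")
    return findings


def failed_attempts(log_text):
    """Count 'Failed password' lines per source IP; accepted logins are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def bruteforce_sources(log_text, threshold):
    """Return {ip: failures} for sources at or above threshold: the candidates
    to block in the firewall or hand to a login-throttling daemon."""
    return {ip: n for ip, n in failed_attempts(log_text).items() if n >= threshold}


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"{name} sshd_config: {audit_sshd_config(cfg) or ['ok']}")
    print("brute-force sources:", bruteforce_sources(SAMPLE_AUTH_LOG, threshold=3))
```

Run the file to print both audits and the brute-force candidates, or point failed_attempts() at your real auth.log. On FreeBSD the per-attempt throttling the answer describes is typically done with pf's max-src-conn-rate and an overload table, or with a daemon such as sshguard or fail2ban (named in the last comment); both work from per-IP failure counts like the ones this script produces.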
Solution 2
There are a couple of ways to accomplish this. The easiest is probably to set up what's known as a DMZ. The more secure way, however, is on your router to set up a static route on port 22 to your server's IP.
Resources:
- How is Port Forwarding Configured? (archived copy of NETGEAR page)
- How to port forward for a faster internet (current, but incomplete, copy of the above, at TechRadar)
- VPN Case Study FAQ
Solution 3
This can be done by your router. On some routers this feature is called Virtual Server.

See in the part of the image below: there are two examples of port forwarding. One is for Web and the other for SSH. In the first case any request on your WAN IP, i.e. the IP of your router, with port 80 will be forwarded to a LAN IP (192.168.2.4 in this case).

With this feature you can reach services running on your PC/server in the LAN from anywhere in the world, i.e. those services are not limited to the LAN.
hari
Updated on September 18, 2022

Comments
- hari over 1 year: I'm coming from this question: https://superuser.com/questions/359799/how-to-make-freebsd-box-accessible-from-internet
  I want to understand this whole process of port forwarding. I read so many things, but am failing to understand the very basic concept of port forwarding itself.
  What I have:
  - a FreeBSD server sitting at my home,
  - a Netgear router.
  This is what I am trying to achieve: to be able to access the FreeBSD server from a Windows machine over the Internet, to be able to open a web browser and access the Internet. I also want to access this FreeBSD box from a Ubuntu machine that I have. It will be great if someone can please help me. Here is the Netgear router setup that I did for port forwarding.
- hari over 12 years: Thanks. I've done the part on the Netgear router: I've set up port forwarding this way: service: HTTP, port: 80, server IP: 192.168.1.16 - here this IP is the IP of my FreeBSD box. What should I do next?
- Mark D over 12 years: Set up a test from outside your location. I personally just tether my phone to my laptop and try ssh'ing into my IP address. I'm assuming you know your external IP address. Or alternatively you could try visiting your web server.
- hari over 12 years: SSH does not work to my external IP. Do I need to do anything on my FreeBSD server?
- jasonwryan over 12 years: Upvoted for ascii goodness...
- hari over 12 years: Thanks for the detailed explanation. I will digest this in a bit and comment back.
- hari over 12 years: I got your point completely. My question is, I've configured (right or wrong - I am not sure) my Netgear router. What next do I need to do?
- rozcietrzewiacz over 12 years: Have a look at my edit (bottom) about external SSH access.
- Mark D over 12 years: Can you SSH from your internal network?
- hari over 12 years: Yes. I can do it.
- hari over 12 years: Thanks for the information. I got what you are trying to convey. My question is, what do I need to do so that anyone (who has access) on the Internet can for example run a browser on the FreeBSD box. How do I set that up?
- Mark D over 12 years: Now things get a little tricky. You're going to have to enable logging on your router, and try ssh'ing in at the same time; you need to watch the log and try to discern where things are going wrong. Try to remove as much traffic from your network as possible. It'll make troubleshooting the log much easier. Also you may want to check your BSD box's log file to see what's going on.
- Mark D over 12 years: @hari let us continue this discussion in chat
- rozcietrzewiacz over 12 years: Now you ask a completely different thing. Start a new question for that!
- hari over 12 years: I guess that is what I asked in my original question. :) Please look at "This is what I am trying to achieve:"
- rozcietrzewiacz over 12 years: Well you did - but now I don't understand what you meant, if it is not about text-based browsing with links etc. (as I understood at the beginning).
- rozcietrzewiacz over 12 years: @hari let us continue this discussion in chat
- hari over 12 years: I am continuing my issue here: unix.stackexchange.com/questions/20086/…
- 0xSheepdog over 9 years: I recommend www.fail2ban.org for "a mechanism of disallowing numerous SSH login attempts". There are others, too.