- 10-13-2008 #1 Just Joined!
- Join Date
- Dec 2006
- Posts
- 5
ssh behind router
i have been searching on the web on remote ssh for a year. every time i got a howto, it confused me even more.
so i created a diagram, here is the link:
http://kami.freehostia.com/ssh-what.jpg
the computer A wants to ssh to computer B. both computers have fedora 9. router B is a dlink adsl router having its own ssh server running on it on default port 22. so tell me in simple words (considering me a newbie), which command on which computer i will have to give. tell me any possible means without considering security, i badly need this
also tell if any configuration required on router B (port forward, proxy or whatsoever)
- 10-13-2008 #2
Yeah, I have to do this with my server at home which is behind a router. If you want to get to computer B, then you need to go into router B's settings and forward port 22 to 192.168.1.5. Then, from computer A, you should only have to type:
Code:
ssh username@203.124.97.58
When your router starts receiving the ssh connection, it will "patch it through" to port 22 (the default ssh port) on computer B.
Make sure that computer B is running an ssh server, btw.
Registered Linux User: #479567
Asking a question? Read this page first.
Now... sudo make me a sandwich.
ratiocinativeroot.blogspot.com
- 10-13-2008 #3
Yeah, as danielsmw points out, all you need is to forward port 22 in your router towards computer B.
In the configuration screen of the router
- port forwarding [enabled]
forward 22 to 192.168.x.xx (or whatever your computer has assigned as internal IP)
Now from outside:
ssh -l username 77.38.1.231 (yeah that IP is just an example, it's your external IP address)
That's all there is to it. One of the confusing things about ssh is that it accepts multiple types of syntax, as you can see danielsmw and I use different syntax.
Now the first thing you will want to do is disable root logins on the ssh server.
Code:
vim /etc/ssh/sshd_config
# Add or uncomment this line:
PermitRootLogin no
You can always su or sudo to root on the server, just not login as such. Do this, because it's the first line of defense. The root account will be frequently attacked, as I know from experience. The attackers are 'just' bots and scriptkiddies, so you are far from defenseless.
Once you are more comfortable that it works, I really do recommend moving the ssh port to some non-default and high number. That is not a security measure, but it keeps the logs a lot cleaner, as bots and scriptkiddies tend not to scan outside the normal range of ports.
And have fun with it! ssh is very useful
Can't tell an OS by its GUI
- 10-14-2008 #4 Just Joined!
- Join Date
- Dec 2006
- Posts
- 5
i tried port forwarding but no success... this is my router iptables output:
Chain FORWARD (policy ACCEPT)
ACCEPT udp -- anywhere 192.168.1.5 udp dpt:ssh
ACCEPT tcp -- anywhere 192.168.1.5 tcp dpt:ssh
Btw, i am testing ssh connection on the same computer by giving my external IP. does it matter?
- 10-17-2008 #5 Just Joined!
- Join Date
- Sep 2008
- Posts
- 73
You might consider using a dedicated DMZ server behind your router to allow access to services that you want available externally without having to specifically define them via port forwarding/triggering.
- 10-18-2008 #6 Just Joined!
- Join Date
- Dec 2006
- Posts
- 5
i checked DMZ but it's not working. i forwarded both tcp and udp on port 22222 of my router to my computer and configured my sshd to listen on port 22222 but no luck! i disabled UPnP but no success.
when i nmap to my router for port 22222 it says port is closed. is there any other way to check whether the problem is in router or my computer's sshd. any suggestion for sshd_config?
my router is DLink ADSL 2640-T, is there anyone who successfully forwarded ssh connections using this router?
- 10-18-2008 #7 Just Joined!
- Join Date
- Dec 2006
- Posts
- 5
can i use -R option with ssh to create a tunnel and forget about router's configuration? if yes, how?
- 10-18-2008 #8
Quote:
Btw, i am testing ssh connection on the same computer by giving my external IP. does it matter?
Depends on the router. The only reliable way to test is from outside your network. Also, if the router is running an ssh server exposed to the outside, you will get this server when you ssh to your external IP address, instead of the one on the computer.
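One way to tell which server answered on the external address, added here as an example and not written by anyone in the thread: compare the host key seen from outside with computer B's own host key. The function names, file names, documentation IP address and key blobs below are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Decide which sshd answered on the
# external address by comparing host keys.
#   SCAN_FILE   saved output of: ssh-keyscan -p PORT EXTERNAL_IP
#               (run from a machine outside the LAN)
#   PUBKEY_FILE copy of computer B's /etc/ssh/ssh_host_rsa_key.pub
which_sshd() {
    scan_file=$1
    pub_file=$2
    # .pub layout: "keytype base64 [comment]"; keep type and blob only.
    want=$(awk '$1 !~ /^#/ && NF >= 2 { print $1 " " $2; exit }' "$pub_file")
    if [ -z "$want" ]; then
        echo "bad-pubkey"
        return 2
    fi
    # keyscan layout: "host keytype base64"; '#' lines are banners.
    awk -v want="$want" '
        $1 ~ /^#/ || NF < 3 { next }
        { seen = 1 }
        ($2 " " $3) == want { hit = 1 }
        END {
            if (hit)       print "computer-b"    # forward reaches B
            else if (seen) print "other-server"  # e.g. the router sshd
            else           print "no-answer"     # closed or filtered
        }' "$scan_file"
}

# Constructed sample data: fake key blobs and a documentation IP address.
make_samples() {
    dir=$1
    echo 'ssh-rsa AAAAconstructedKeyOfComputerB root@b' > "$dir/b.pub"
    printf '%s\n' '# 203.0.113.10:22 SSH-2.0-constructed' \
        '203.0.113.10 ssh-rsa AAAAconstructedKeyOfRouter' > "$dir/p22.scan"
    echo '[203.0.113.10]:22222 ssh-rsa AAAAconstructedKeyOfComputerB' \
        > "$dir/p22222.scan"
    : > "$dir/closed.scan"
}

tmp=$(mktemp -d)
make_samples "$tmp"
for scan in p22 p22222 closed; do
    printf '%s: %s\n' "$scan" "$(which_sshd "$tmp/$scan.scan" "$tmp/b.pub")"
done
rm -rf "$tmp"
```

In the constructed samples, port 22 returns the router's key, the forwarded port 22222 returns computer B's key, and an empty scan stands for a closed port.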
- 10-23-2008 #9 Just Joined!
- Join Date
- Dec 2006
- Posts
- 5
finally got it done! port forwarding was working correctly. the only problem was that i was testing it from the same computer. now i've tested outside the network and it works...


