  1. #1
    Just Joined!
    Join Date
    Jan 2011
    Posts
    2

    running sshd on a different port


    Hi,

    I have two different networks, A and B and need to be able to connect from A to B over the open internet.

    A is behind a firewall, B is behind a different firewall.

    In my first attempt I configured the router at B to forward port 22 to a particular machine running sshd on port 22. I was then able to ssh from A to the machine on B.

    Recently I have noticed an increased level of traffic hitting port 22 on the B router, so I decided to move the ssh service to a different, random port.

    I reconfigured the router and sshd, and was able to ssh from the open internet to B, but I could not ssh from firewalled network A to B. The log from the router at B shows the incoming traffic on the correct port, but my ssh client doesn't give me a login prompt.

    How does sshd respond to an incoming request? Does it answer on port 22, or on the port the request comes in on? If it answers on the port that it is running on, then that port is blocked by firewall A just now, and I wouldn't hear back from the server? Is there a way around this?

    Thanks,
    Jeff

  2. #2
    Linux Guru Lazydog
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Quote Originally Posted by parkejr:
    How does sshd respond to an incoming request? Does it answer on port 22, or on the port the request comes in on?
    SSH answers on the port it was setup to listen on. So say you setup SSH to listen on port 2200

    Requests from A would have sport:3489 (random port here) dport:2200
    Returns from B would have sport:2200 dport:3489

    If your firewall is session based and you allow port 2200 out then the return traffic should be able to pass as this is an ESTABLISHED connection.

    If it answers on the port that it is running on, then that port is blocked by firewall A just now, and I wouldn't hear back from the server? Is there a way around this?
    If A is hitting the firewall at B and being allowed to pass (you have to check the logs), then the responses coming back should be allowed to pass the firewall at A, as they should be coming back on the same port that the request went out on.

    Regards
    Robert

    Linux
    The adventure of a lifetime.

    Linux User #296285
    Get Counted

  3. #3
    Just Joined!
    Join Date
    Jan 2011
    Posts
    2
    Thanks for explaining that. Sounds like the firewall/proxy server that I'm working behind is not session based. I expect it's allowing incoming packets on port 22, but not on the random port I've chosen.

    Is there a way to get sshd to answer on port 22, i.e.:

    on A: ssh hydrogen:34567 (firewall allows any outgoing, so this gets out)

    on B: sshd running on 34567 and firewall allows incoming on 34567, so packet arrives, but sshd responds on port 22.

    on A: firewall on A allows incoming on port 22, but not 34567, so response on port 22 gets through.

    perhaps I could just let sshd do its thing, but get the firewall at B to move outgoing WAN packets on 34567 to outgoing WAN packets on 22?

    Regards,

    Jeff.

  4. #4
    Just Joined!
    Join Date
    Jan 2011
    Posts
    2
    Let me understand:

    A and B are behind the same GW?

    If yes, you can only use different ports, let's say
    ssh GWIP -p 22
    ssh GWIP -p 122

    If you want to forward now internally, you need to have a GW router supporting port mapping.

    Br,

  5. #5
    Linux Guru Lazydog
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Quote Originally Posted by parkejr:
    Thanks for explaining that. Sounds like the firewall/proxy server that I'm working behind is not session based. I expect it's allowing incoming packets on port 22, but not on the random port I've chosen.
    This could be and in that case you either change the firewall to be session based or configure servB SSHD to listen on port 22.

    Is there a way to get sshd to answer on port 22, i.e.:

    on A: ssh hydrogen:34567 (firewall allows any outgoing, so this gets out)

    on B: sshd running on 34567 and firewall allows incoming on 34567, so packet arrives, but sshd responds on port 22.
    No, SSHD answers with the port it is listening on.

    on A: firewall on A allows incoming on port 22, but not 34567, so response on port 22 gets through.
    See above.

    perhaps I could just let sshd do its thing, but get the firewall at B to move outgoing WAN packets on 34567 to outgoing WAN packets on 22?
    Not going to work as SSH is looking for the answers to come back on the port it sent out the request on.

    Another thing you could do is set up ServB SSHD to listen on port 22 as normal. Then install fail2ban to block failed connections.

    Regards
    Robert

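The packet flow described in Robert's two replies (sshd answering from its listening port, a session-based firewall admitting the reply as ESTABLISHED, and the client's TCP stack refusing a reply whose source port was rewritten), modelled as a small simulation. This is an added example, not code from the thread; the hosts "clientA"/"serverB", the client port 3489 and the two firewall classes are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def reply_to(pkt, sport=None):
    """Reply to pkt. sshd answers from its listening port, so the reply's sport
    is the request's dport unless an edge device rewrites it (the NAT idea)."""
    return Packet(pkt.dst, pkt.dport if sport is None else sport, pkt.src, pkt.sport)


class StatelessFirewall:
    """Classic stateless rule: admit inbound packets whose *source* port is a
    known service port (22). It keeps no memory of what went out."""
    def __init__(self, reply_ports):
        self.reply_ports = set(reply_ports)

    def outbound(self, pkt):
        return True  # any outgoing traffic is allowed, as in the thread

    def inbound(self, pkt):
        return pkt.sport in self.reply_ports


class StatefulFirewall(StatelessFirewall):
    """Session-based: remembers outbound 4-tuples and admits their replies
    as ESTABLISHED even when the service port is not in the allow-list."""
    def __init__(self, reply_ports):
        super().__init__(reply_ports)
        self.flows = set()

    def outbound(self, pkt):
        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def inbound(self, pkt):
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return reverse in self.flows or super().inbound(pkt)


def client_accepts(request, reply):
    """The client's TCP stack only matches a reply to the exact socket it
    opened: same peer address and the very port it sent to."""
    return (reply.src, reply.sport, reply.dst, reply.dport) == \
           (request.dst, request.dport, request.src, request.sport)


def ssh_reaches_client(firewall_a, ssh_port, rewrite_sport_to=None):
    """A -> B request and B -> A reply through A's firewall; True only if the
    reply both passes firewall A and matches the client's socket."""
    request = Packet("clientA", 3489, "serverB", ssh_port)  # constructed sample flow
    reply = reply_to(request, rewrite_sport_to)
    if not (firewall_a.outbound(request) and firewall_a.inbound(reply)):
        return False
    return client_accepts(request, reply)
```

Running it shows port 22 working through either firewall, the random port working only through the stateful one, and the "rewrite 34567 to 22 on the way out" idea passing firewall A but being dropped by the client.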
