ssh - Port Forwarding a Specific Port (e.g. 22)

2014-07
  • Jerry Blair

    I'm still confused about establishing an SSH connection (port 22) between two computers on different internal networks. For example: I am on my computer with internal IP address IIP-1, connected to my router RT-1. There are 10 IIPs connected to RT-1. I want to establish an SSH connection to IIP-3 which is connected to router RT-2. There are 10 IIPs connected to RT-2. At any time, there can be multiple SSH connections between IIPs on RT-1 and RT-2. Since I only have port 22 available, I don't know which SSH session is talking between which IIPs. I looked at a couple of similar questions but am still unclear on the solution. Thanks much, Jerry

  • Answers
  • Spiff

    If you have a router with a single public IP address on the WAN side that uses a subnet of private IP addresses on the LAN side, it's more than a router, it's a NAT (technically NAPT: Network Address and Port Translation, but most people just say NAT) gateway.

    When a host attempts to start a new connection, it sends the packet from an ephemeral port number (above 49152). As the NAT gateway processes this outgoing packet, it looks to see if that source port is free on the NAT gateway's WAN interface (public IP address). If it's free, it lets that client use that port number; if it's in use, it assigns a different public port number to that packet and modifies the packet to make it look like it came from that other port number. Either way, it makes a table entry mapping that public port number to that private IP address and port, so it can properly translate and forward any further packets on that connection, in either direction.

    For new incoming connection attempts on its public IP address, the NAT gateway can't automatically know who to forward the connection attempt to. So the NAT gateway would drop the packet by default, and possibly respond with a TCP Reset packet or an ICMP "Destination Unreachable: Port Unreachable" message. So that's why you have to create port forwarding (a.k.a. port mapping, virtual server, etc.) rules.

    But a single port, like ssh's well known port 22, can only be forwarded to a single host. So for connections initiated from the outside, only one host can be reached at port 22. So if you have more than one machine behind a NAT gateway, and you want them all to be reachable via ssh from the outside, you'll need to pick other port numbers to map to those hosts. For example, map public port 22 to port 22 on the first host, then map public port 50022 to port 22 on the second host, then map public port 50122 to port 22 on the third host, etc.

    Then, when you need to connect to, say, the second host, use ssh -p 50022 username@PublicIPAddrOfNATGateway.

    Actually, it's probably best if you don't map public port 22 to anything. ssh's port 22 is one of the most-attacked ports. Using some other port doesn't make you more secure, but it does make you less likely to see as many attacks.

  • barlop

    I don't really understand your question because you know there are multiple SSH sessions.

    I don't see where routers come into it. Because you'd have the same question if there was just one router.

    I don't see why it matters to your question whether they are internal or external IPs.

    You have multiple connections to an SSH server from different computers.

    I suppose each is distinct in that one is logged on as one user, one as another user.

    And each is distinct in being initiated by a different IP.

    And if one computer can initiate multiple connections, then you can say each connection is distinct by being initiated by a different IP:PORT.

    All the private IPs (what you call IIPs) on R1, are different IPs to the IPs on R2.

    BUT....

    Let's suppose that isn't so (which is I think what you are getting at).

    Let's suppose that some computers on R1 have the same IP as some computers on R2.

    Then R1 and R2 have to be doing NAPT. (NAPT is NAT but also one to many). So the SSH server communicates with R1's IP address and R2's IP address. Each connection is at a different port.

    So each SSH session, from the SSH server's perspective, which is a good perspective to be looking from, as it sees all the connections to it: each SSH session can be identified by IP:PORT where IP is R1's IP or R2's IP, and whatever port.

    It's Port Translation you are talking about not really port forwarding.

    If you have multiple computers behind a NAPT router and they're accessing the Internet, that doesn't require port forwarding, but it does require port translation. The website just sees the NAPT Router's IP. The NAPT router distinguishes each connection, as it opens local client ports up to communicate with the websites, and any local client port it opens up is going to be associated with one of the private IPs connected to it.

    You wouldn't normally want NAPT locally, that is insane. You have enough private IPs!
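    The following is an added illustration, not code from either answer: a small constructed model of the NAPT gateway Spiff describes (outbound mappings onto the public address, port-forwarding rules for new inbound connections, everything else dropped) that also shows barlop's point that the far-end SSH server only ever sees GatewayIP:PORT pairs. The public address 203.0.113.10, the private hosts and the source ports are made-up sample values.

```python
from dataclasses import dataclass, field


@dataclass
class NatGateway:
    """Constructed toy NAPT gateway: one public IP, many private hosts."""
    public_ip: str
    forwards: dict = field(default_factory=dict)  # public port -> (private ip, port), static rules
    table: dict = field(default_factory=dict)     # public port -> (private ip, port), live sessions
    next_public_port: int = 49152                 # first substitute port when a source port collides

    def add_forward(self, public_port, private_ip, private_port):
        """Port-forwarding rule: new inbound connections on public_port go to this host."""
        self.forwards[public_port] = (private_ip, private_port)

    def outbound(self, private_ip, private_port):
        """New outbound connection; returns the (ip, port) the remote server will see."""
        public_port = private_port
        # Keep the client's own source port if free; otherwise pick an unused substitute.
        while public_port in self.table or public_port in self.forwards:
            public_port = self.next_public_port
            self.next_public_port += 1
        self.table[public_port] = (private_ip, private_port)  # remember for replies
        return (self.public_ip, public_port)

    def reply(self, public_port):
        """Packet on an existing session coming back from the Internet."""
        return self.table.get(public_port)

    def new_inbound(self, public_port):
        """Fresh inbound SYN: only a forwarding rule can tell us where it belongs."""
        return self.forwards.get(public_port)  # None means drop (RST / port unreachable)


def demo():
    gw = NatGateway("203.0.113.10")
    gw.add_forward(50022, "192.168.1.2", 22)  # second host reachable via ssh -p 50022
    gw.add_forward(50122, "192.168.1.3", 22)  # third host reachable via ssh -p 50122
    # Two LAN hosts open ssh sessions using the same ephemeral source port.
    seen_a = gw.outbound("192.168.1.2", 51000)
    seen_b = gw.outbound("192.168.1.3", 51000)  # collides, gets a different public port
    return gw, seen_a, seen_b


if __name__ == "__main__":
    gw, a, b = demo()
    print("server sees", a, "and", b)
    print("inbound 50022 ->", gw.new_inbound(50022), "inbound 22 ->", gw.new_inbound(22))
```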


  • Related Question

    port forwarding in emule
  • Tim

    I am now connecting my laptop to my modem using a cable without a router. Testing TCP and UDP in emule fails

    Starting TCP connection test...
    TCP test failed! UDP test will not be performed.
    
    
    Connection test finished.
    
    Results in detail:
    
    * TCP connection test failed.
      It was not possible, to establish a TCP connection to your eMule.
    

    Some remarks:

    My operating system is Windows 7. In "Windows Firewall with Advanced Security" that both TCP and UDP for emule have "All Ports" for "Local ports" and "Remote ports". I am not sure if I have other firewalls working too. How to check that?

    I have turned off the firewall in my modem, which is Motorola SBG900.

    my laptop is from Lenovo. Does the lenovo system software have its own firewall?

    my ISP is comcast cable, not sure if emule's default TCP port 17423 and UDP port 11391 would be banned?

    my antivirus software is Windows Security Essentials, where I didn't see it has any firewall.


    I use the software CurrPorts to see the usage of ports on my computer. Below is a screenshot. Is it normal that the Local Address for emule is 0.0.0.0?



    Thanks, harrymc!

    (1) But I have turned off the firewall of the modem, does the modem still place restriction on port forwarding?

    (2) when I try to specify the ports of emule in this modem, I did not find places to specify which is the protocol, TCP or UDP, for each port. Instead I find an option called "Template", which let me choose one from HTTP, FTP etc but not TCP and UDP. Where can I input TCP or UDP? And which one should I choose for "Template"?

    (3) Now I am connecting a router Linksys WRT54GL to the modem via a cable and connecting my laptop to the router via wireless network. In the Linksys router for each port I have to specify the IP Address in the form of 192.168.1.x, which I guess it is the one of my laptop, which is 192.168.1.102? If I have to specify the ports of emule again in the modem, is the "LAN ip address" in the form of 192.168.0.x the same as the ip of my laptop when it is connected to the modem by cable directly without using Linksys router? I tried the above but TCP test still fails not to say UDP. If I want to specify the ip to be any number in the last field, i.e. all 192.168.1.x for router and all 192.168.0.x for modem, how to specify them?


  • Related Answers
  • techie007

    Your router is going to also act as a firewall, so you'll have to open the ports in it as well. Check out PortForward.com for help, they may even have pre-made instructions for your particular router.

    Edit:

    From Portforward get the PFPortCheck utility, turn off eMule and use the port checker to test your eMule ports, it will at least help you eliminate eMule as your problem point.

    Then, after testing with Portchecker instead of eMule, turn OFF the Windows firewall to eliminate it as a suspect (in case one of the rules you mentioned is misconfigured) and test again.

    Unfortunately there's no 'one way' to check if you have any other firewalls running.

  • 8088

    @Tim: Your modem is misnamed "cable modem", but it's really a router.
    You must forward the eMule ports to your computer.

    From its manual:

    Gateway > PORT FORWARDING — status Page

    Use this page to display the configured port forwarding entries on the SBG900 LAN. The fields are the same as on the Gateway > PORT FORWARDING — config Page:


    EDIT

    You can have only one DMZ computer.
    What you should do:

    • Ensure that only the modem box distributes DHCP IP addresses so all machines are on the same network segment (if I understood correctly that's the one that's connected to the internet).
    • The router shouldn't set itself up as DHCP server and shouldn't try to give itself the same IP address as the modem.
    • In the modem config, set the DHCP server modem to fix the IP of the designated DMZ machine to be always the same.
    • In the modem config, define the designated machine as DMZ.

    This is it.

  • ldigas

    type 192.168.1.1 in your browser. see what pops up (usually will ask for a password). see what model router you have - as techie007 already suggested, go to portforward.com and try to find instructions on how to enable port forwarding for that specific model. do a test at portforward.com for that port.

    try then and let us know what happens ...