8

This is an extension to ssh port forward to access my home machine from anywhere

I tried things mentioned there but I am not able to ssh to my machine.

Netgear router settings for port forwarding:

```
Start Port: 22
End Port: 22
Server IP Address: IP address of my FreeBSD box
```

/etc/ssh/sshd_config of my FreeBSD box:

```
PasswordAuthentication yes
AllowUsers root
X11Forwarding yes
AllowTcpForwarding yes
```

How I am trying to connect:

I've signed up for dyndns.com and got a URL that maps to my external IP address.

From another machine in my home network, I do: `ssh -l root my_dyndns_ip`, which is just timing out.

On the other hand, I can ping my_dyndns_url successfully.

Debugging:

How can I fix this so that I can ssh from anywhere to my_dyndns_url?

I tried to look into the logs of my Netgear router, but on a failed ssh attempt no log is generated on the router.

I also looked into /var/log/messages but could not find anything.

Edit:0 Running ssh in verbose mode (as @jasonwryan suggested):

I am noticing a weird thing: when I ssh to the dyndns.com-provided URL, it's trying to connect to a different IP address from the one I get from whatismyip.com. Isn't that wrong?

Edit:1 Problem with dyndns is now solved.

Now when I try to ssh, it times out and I get the error: Connection timed out

Edit:2 Does iptables or NAT have anything to do with it?

Edit:3 I started ssh with -d option to capture debug messages.

When I ssh to the FreeBSD box from any other machine on the WLAN, it works fine and I can see logs.

But when I ssh to the external IP (which should forward that to my FreeBSD box), I do not even see any logs - that means the request is not even reaching the FreeBSD box. And it times out.

hari
    Run SSH in verbose mode to generate some meaningful error messages: `ssh -vvv ...` – jasonwryan Sep 04 '11 at 04:45
  • Routers can be buggy. When they are buggy they are a nightmare. What is the brand of your router and are you using the original firmware? If possible I suggest trying with a router which has (for example) Tomato installed. Tomato is not perfect, but is a long way better than the proprietary router firmwares. Note: I'm not suggesting this is the source of your problem, but I've found buggy routers can greatly complicate things. – Faheem Mitha Sep 04 '11 at 08:21
  • I think your use of the term URL above is incorrect. You mean a Fully Qualified Domain Name (FQDN) I assume. What does `host my_dyndns_ip` show? – Faheem Mitha Sep 04 '11 at 08:24
  • Thanks @Faheem Mitha. I've a Netgear WPN824v3. How can I make sure if it's buggy? And what is Tomato? :) – hari Sep 04 '11 at 08:24
  • @hari: If your router appears to be behaving in a way that you would not expect, then consider that it may be buggy. Are you using the original firmware? [Tomato](http://www.polarcloud.com/tomato) - first google hit for Tomato. – Faheem Mitha Sep 04 '11 at 08:28
  • I am using original firmware. – hari Sep 04 '11 at 08:31
  • @hari: What does `host my_dyndns_ip` show? Note that you need to prefix your comment with @user if you want "user" to see it. – Faheem Mitha Sep 04 '11 at 11:11
  • @Faheem Mitha: Thanks. dyndns part is not the problem currently. (even if it is, I can look at it later). Main issue is I cannot ssh even by using my external IP (from whatismyip.com). It times out. – hari Sep 05 '11 at 03:31
  • @hari: You mean you cannot connect to your computer through the router from outside? That would suggest a problem with port forwarding. In that case, try third party firmware as I suggested above. Can you connect to your router on your external IP? – Faheem Mitha Sep 05 '11 at 03:49
  • @Faheem Mitha: Thanks for your help. BTW, what do you mean by "Can you connect to your router on your external IP?" – hari Sep 05 '11 at 04:03
  • @hari: When you connect to your external ip, you are actually connecting to your router. a ssh connection to the router will forward to your machine if port forwarding is enabled. However, it is possible to connect to the router directly, for example to the management interface (if configured to be accessible externally). Can you do that? – Faheem Mitha Sep 05 '11 at 04:36
  • Can you run tcpdump on the client and server and make sure you're seeing the right packets leave the client and seeing the same right packets appear at the server? That will help you narrow this down. – Steve Dispensa Sep 05 '11 at 04:50
  • @Faheem Mitha: How can I test that? I have netgear router. – hari Sep 05 '11 at 05:25
  • @hari: Access the routers web interface from your computer, and see if there is an option (there usually is) to access the web interface remotely. If there is, turn it on, and then try connecting to the router via http(s) from a remote machine. If this works, then the problem is most likely with port forwarding. – Faheem Mitha Sep 05 '11 at 08:28
  • @Faheem Mitha: Thanks for continuous help. I enabled that management port for my netgear router but I cannot connect to it via the specified external_ip:port. What can be wrong here? Something wrong with the router? – hari Sep 05 '11 at 20:11
  • @hari: Make sure you are using the right numbers. Are you using the external ip number to connect? That would be preferable. And http will be port 80, https 443. – Faheem Mitha Sep 05 '11 at 21:56
  • @Faheem Mitha: I am just trying to open http://:8080 - to access the management interface. Which is not loading up. – hari Sep 06 '11 at 04:55
  • @hari: from an external computer (not on the local subnet), it will just be http:// or https://. Probably the latter. Just to be clear, this is to connect to the router's management interface. – Faheem Mitha Sep 06 '11 at 08:10
  • @Faheem Mitha: I cannot access it from outside or inside of the network. – hari Sep 06 '11 at 17:47
  • @hari: That's strange. Usually one needs to be connected to the router, otherwise you don't have networking. The typical setup is to have a dhcp server on the router, and your machine gets an ip from the router as a client. Static addresses are also possible. In summary, I wonder how you could have networking without being connected to the router, and if you are connected to the router, the management interface should come up. Can you post the output of ifconfig? If you can't figure this out, I suggest posting a separate question. – Faheem Mitha Sep 06 '11 at 19:40
  • Are you using NAT loopback by any chance? This sounds like a typical issue when using it. – Chris Down Sep 15 '11 at 13:06
  • @Chris Down: How do I check if I am using it or not? I came across the term NAT loopback while searching for solutions to this problem. – hari Sep 16 '11 at 16:40
  • Look at the way that your router handles packets designated for a public port binding that maps to a local machine. – Chris Down Sep 17 '11 at 11:36

4 Answers

6

I am thinking your problem is not in the port forwarding, but another option in the NAT config in the router.

First, ensure if you use your LAN IP, you can successfully SSH from another machine on the network. This ensures SSH works at all.

Second, test from another machine outside the network using the public IP. This ensures that port forwarding works.

Third, test from that same machine outside the network and use the DynDNS URL. This ensures that DynDNS is working properly.

If all of those succeed, then nothing is wrong with your configuration (which I'll assume is correct) and your problem is only accessing the public IP (either directly or through DynDNS) from inside the network. This means that your router needs to have NAT reflection enabled (if possible) to route internal requests as if they were external requests for the public IP.

MaQleod
  • Can you setup something to listen for port 22 on another machine and change the port forward rule to point towards the second machine? You need to rule out whether it is something in the router or something on the machine that is blocking it. – MaQleod Sep 05 '11 at 19:18
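The three checks from this answer (LAN IP, public IP, DynDNS name) as an added shell script; it is not code from the answer or the question. The addresses and hostname are constructed placeholders, and the `inside`/`outside` argument records where the script is run, because the symptom in the question (a timeout when testing the public IP from inside the home network) is the NAT loopback case.

```shell
# Added example: run the three reachability checks and map the results to a
# likely cause. All addresses below are constructed placeholders (override via env).
LAN_IP="${LAN_IP:-192.168.1.50}"                 # LAN address of the FreeBSD box (constructed)
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"           # external address of the router (constructed)
DYNDNS_NAME="${DYNDNS_NAME:-home.example.net}"   # DynDNS hostname (placeholder)
SSH_PORT="${SSH_PORT:-22}"

# probe HOST PORT: succeed when a TCP connection to sshd can be opened.
# ssh reports transport failures (timeout, refused, no route, bad DNS) with
# "ssh: connect to host ..." or "ssh: Could not resolve hostname ...";
# anything else, including an auth failure, proves the port was reachable.
probe() {
    err=$(ssh -o ConnectTimeout=5 -o BatchMode=yes -o StrictHostKeyChecking=no \
              -p "$2" "root@$1" true 2>&1 >/dev/null) && return 0
    case "$err" in
        *"connect to host"*|*"Could not resolve"*) return 1 ;;
        *) return 0 ;;
    esac
}

# diagnose LAN PUBLIC DNS VANTAGE: each result is ok or fail; VANTAGE is
# inside or outside (where the checks ran relative to the home network).
diagnose() {
    if [ "$1" = fail ]; then
        echo "sshd unreachable on the LAN: check sshd, its Port setting and the host firewall"
    elif [ "$2" = fail ] && [ "$4" = outside ]; then
        echo "public IP unreachable from outside: port forwarding or ISP filtering problem"
    elif [ "$2" = fail ]; then
        echo "public IP unreachable only from inside: router has no NAT loopback, test from outside"
    elif [ "$3" = fail ]; then
        echo "DynDNS name fails but public IP works: DNS points at the wrong address"
    else
        echo "all checks passed"
    fi
}

# run_checks VANTAGE: probe all three targets and print the diagnosis.
run_checks() {
    lan=fail; pub=fail; dns=fail
    probe "$LAN_IP" "$SSH_PORT" && lan=ok
    probe "$PUBLIC_IP" "$SSH_PORT" && pub=ok
    probe "$DYNDNS_NAME" "$SSH_PORT" && dns=ok
    echo "lan=$lan public=$pub dyndns=$dns vantage=$1"
    diagnose "$lan" "$pub" "$dns" "$1"
}
# Usage: sh ssh_reach.sh inside|outside
if [ "${1:-}" = inside ] || [ "${1:-}" = outside ]; then
    run_checks "$1"
fi
```

Run it once from a machine on the LAN and once from a machine outside (a phone on mobile data, for example); only the outside run can tell port forwarding apart from missing NAT loopback.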
1

Is your sshd server listening on port 22? Try adding:

```
Port 22
```

to your config.

If that doesn't work, try forwarding a port above 1024 (some ISPs don't allow non-business subscriber traffic on ports below 1024). Also, if you do this, make sure you change the line in the conf I just told you about to reflect the same value.

Mike
  • Thanks @Mike. I just encountered an interesting issue that I logged as **Edit:0** – hari Sep 04 '11 at 05:24
  • I changed the port to > 1024. I tried sshing to the IP address I get from whatismyip.com (my external ip) but my connection is timing out. Getting error: "Connection timed out" – hari Sep 04 '11 at 05:30
0

Try changing the ssh port to 443. If you are able to connect on that port, there is a proxy between the client and your home PC.

Log all dropped and forwarded packets in your firewall; this can help you find incorrect forwarding rules.

Try scanning your external IP with nmap (or another tool) on ports below 1024. The firewall log should show dropped connections, and on the client side you should see which ports are open.

Run a traceroute to your home PC from the client: are there any unexpected hosts in between, and do those hosts forward ports correctly?

vasily-vm
0

Try tcptraceroute first to check whether you can reach the remote port; if some machine is blocking the port, you can see it in the output. Use `netstat -atun` to see the open ports/connections on both machines.