
I have the following setup:

  1. Router with Internet access
    • Public static IP address
    • Low functionality
    • Has a "Port forwarding" feature
    • Local IP address: 192.168.1.1
  2. Linux server (Ubuntu) connected to VPN service (non-controllable by me), as the gateway for the client (3)
    • Interface enp0s3: gw: 192.168.1.1; IP address: 192.168.1.10
    • Interface tun0 - VPN connection
  3. Windows 7 client
    • Network Interface: gw: 192.168.1.10; IP address: 192.168.1.8

iptables rules on server (2):

*nat
:PREROUTING ACCEPT [443:55918]
:INPUT ACCEPT [21:3328]
:OUTPUT ACCEPT [22:1600]
:POSTROUTING ACCEPT [73:4883]
-A POSTROUTING -s 192.168.1.8/32 -o tun0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [2135:1080592]
:FORWARD ACCEPT [846:190487]
:OUTPUT ACCEPT [1592:396526]
# return traffic arriving on tun0 is addressed to the client, so it must match on -d, not -s
# (with -s this rule never matches; it only works today because the FORWARD policy is ACCEPT)
-A FORWARD -d 192.168.1.8/32 -i tun0 -o enp0s3 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.1.8/32 -i enp0s3 -o tun0 -j ACCEPT
COMMIT

How do I forward the port for an SSH connection to the client, through the external router's address? (I can't do this through the VPN.)

1 Answer

This can easily be done with a reverse SSH connection.

Preparation on the server:

I'm assuming you have cron installed and running. Create a new file in /etc/cron.hourly with the following content: (don't forget to chmod +x the file!)

#!/bin/bash
# Save as e.g. /etc/cron.hourly/check-ssh-relay (no dot in the name, or run-parts skips it).
# State of the TCP connection to the home machine's sshd (field 6 of netstat -na after
# squeezing blanks). Only ESTABLISHED means the tunnel is alive; TIME_WAIT is a closed one.
cstate=$(netstat -na | grep "tcp" | grep "<IP-of-home-machine>:22" | tr -s " " | cut -d " " -f 6 | head -n 1)
cdate=$(date "+%Y-%m-%d %H:%M:%S")
if [[ $cstate == "ESTABLISHED" ]]
then
    echo "[$cdate] SSH connection up. ($cstate)" >> /var/log/check-ssh-relay.log
else
    echo "[$cdate] SSH connection broken. ($cstate) Reconnecting..." >> /var/log/check-ssh-relay.log
    # BatchMode: never prompt (cron has no terminal). ExitOnForwardFailure: exit instead of
    # idling with no tunnel if port 12122 is still held by a stale session on the home machine.
    # ServerAliveInterval: notice a silently dead VPN path so the next run can reconnect.
    ssh -N -f -o BatchMode=yes -o ExitOnForwardFailure=yes -o ServerAliveInterval=60 \
        -R 12122:localhost:22 <username>@<IP-of-home-machine>
fi

This will check hourly whether the connection is up and try to reconnect if it isn't. Useful when your PC at home isn't always on. It writes log information to /var/log/check-ssh-relay.log. Authentication is done via SSH keys, so make sure you have that set up properly in advance.

On your computer at home:

Assuming you have openssh-server setup properly, all you need to do now is:

$ ssh <server-username>@localhost -p 12122

to create the SSH connection. SCP, SFTP and co. work too, of course.

If for security reasons you want to change the default SSH port on your home machine, just replace the :22 in the server-side script above with the custom port of your choosing.
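The same hourly check, as an added example that is not part of the original answer: the "is the tunnel up?" test is a function that reads `ss -tan` output from stdin, so it can be run offline on constructed sample lines, and the reconnect is wrapped with the ssh options that make a failed or half-dead tunnel visible instead of silently "up". The host address 203.0.113.10, the account name relay, and the DRY_RUN/LOG variables are assumptions for the example, not values from the page.

```shell
#!/bin/bash
# Added example, not the original answer's script. Hourly reverse-tunnel check for
# the relay server; run from cron as:  ss -tan | check_relay
# HOME_HOST, HOME_USER and the ports below are assumptions, not values from the page.

HOME_HOST="${HOME_HOST:-203.0.113.10}"   # assumed public address of the home machine (TEST-NET-3)
HOME_PORT="${HOME_PORT:-22}"             # sshd port on the home machine
HOME_USER="${HOME_USER:-relay}"          # assumed dedicated account on the home machine
REMOTE_PORT="${REMOTE_PORT:-12122}"      # port the reverse tunnel opens on the home machine
LOG="${LOG:-/var/log/check-ssh-relay.log}"

# Print the state of the TCP connection whose peer is HOME_HOST:HOME_PORT, reading
# `ss -tan` lines from stdin (column 5 is "Peer Address:Port"). If several sockets
# match, an ESTAB one wins; otherwise the last leftover state (e.g. TIME-WAIT) is
# printed, or NONE when nothing matches at all.
tunnel_state() {
  awk -v peer="${HOME_HOST}:${HOME_PORT}" '
    $1 == "State" || $5 != peer { next }
    $1 == "ESTAB"               { up = 1 }
                                { last = $1 }
    END { print (up ? "ESTAB" : (last ? last : "NONE")) }'
}

# Only an established socket counts as a live tunnel; TIME-WAIT is a closed one.
tunnel_is_up() {
  [ "$(tunnel_state)" = "ESTAB" ]
}

# Rebuild the reverse tunnel. BatchMode: never prompt (cron has no terminal).
# ExitOnForwardFailure: exit non-zero if REMOTE_PORT is still held by a stale session
# on the home machine, instead of idling with no tunnel. ServerAlive*: drop a session
# whose VPN path died silently, so the next hourly run can replace it.
reconnect() {
  ssh -N -f -o BatchMode=yes -o ExitOnForwardFailure=yes \
      -o ServerAliveInterval=60 -o ServerAliveCountMax=3 \
      -p "$HOME_PORT" -R "${REMOTE_PORT}:localhost:22" "${HOME_USER}@${HOME_HOST}"
}

# Cron entry point. Returns 0 when the tunnel is up, 2 when it is down and
# DRY_RUN=1 (log only, for testing), otherwise the exit status of ssh.
check_relay() {
  state=$(tunnel_state)
  now=$(date "+%Y-%m-%d %H:%M:%S")
  if [ "$state" = "ESTAB" ]; then
    echo "[$now] SSH relay up ($state)" >> "$LOG"
    return 0
  fi
  echo "[$now] SSH relay down ($state), reconnecting to ${HOME_USER}@${HOME_HOST}" >> "$LOG"
  if [ "${DRY_RUN:-0}" = 1 ]; then
    return 2
  fi
  reconnect
}

# Constructed `ss -tan` samples (not captured from a real host) for offline runs.
# SAMPLE_UP: a leftover TIME-WAIT plus a live tunnel. SAMPLE_DOWN: only the leftover,
# plus an unrelated established socket (the Windows client talking to this server).
SAMPLE_UP='State Recv-Q Send-Q Local Address:Port Peer Address:Port
TIME-WAIT 0 0 192.168.1.10:40100 203.0.113.10:22
ESTAB 0 0 192.168.1.10:40122 203.0.113.10:22'
SAMPLE_DOWN='State Recv-Q Send-Q Local Address:Port Peer Address:Port
TIME-WAIT 0 0 192.168.1.10:40100 203.0.113.10:22
ESTAB 0 0 192.168.1.10:22 192.168.1.8:51002'
```

Two points worth keeping in mind when deploying this. The `-R 12122:localhost:22` forward binds 12122 on the home machine's loopback only (sshd's default `GatewayPorts no`), so only someone already logged in to the home machine can reach the server's sshd through it. The key the server uses to log in to the home machine should be a dedicated one, and its entry in the home machine's authorized_keys can be limited to exactly this job with the OpenSSH options `restrict,port-forwarding,permitlisten="12122"` (no shell, no agent or X11 forwarding, and only that one remote listen port), so a compromise of the relay server does not hand the attacker a shell at home.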
