Forwarding SSH

Why do I have to do ssh -J example@190.160.44.56:34000 example@10.44.4.77 to access a computer on a local network from the global network when using a FreeBSD server with NAT? But if I do the same thing through a router (such as a TP-Link ARCHER C54, Tenda TX12L Pro WiFi etc., through which port forwarding is done), I can do it directly: ssh -p 34000 example@190.160.44.56 !! Port forwarding is also done on the server with FreeBSD, and I log into the local computer via RDP.
 
Why does the router forward SSH directly to a computer on the local network, but it has to make two hops through the FreeBSD server?
 
That is, I need to create a user account on the FreeBSD server for everyone who wants to access his computer on the local network using ssh. This is unnecessary hassle. Is it possible to register this jump somewhere in the server's settings for all users?
 
It's the difference between forwarding packets, and proxying them. The first command proxies the connection, the connection is made to the first host and a new connection is made to the second host. The first host acts as an intermediate.

When you use port forwarding the packets have their destination address translated (destination NAT) and then sent to that destination address.
 
It's the difference between forwarding packets, and proxying them. The first command proxies the connection, the connection is made to the first host and a new connection is made to the second host. The first host acts as an intermediate.

When you use port forwarding the packets have their destination address translated (destination NAT) and then sent to that destination address.
I'm not interested in theoretical information, but in practical information: is it possible to configure FreeBSD so that a user remotely from the global network can access a computer on the local network directly, using ssh, as if through a router, without any jumps?
 
Use port forwarding mate. Same as your router. rdr with PF for example. The first command you showed explicitly tells ssh(1) to proxy the connection.

Code:
     -J destination
             Connect to the target host by first making an ssh connection to
             the jump host described by destination and then establishing a
             TCP forwarding to the ultimate destination from there.  Multiple
             jump hops may be specified separated by comma characters.  IPv6
             addresses can be specified by enclosing the address in square
             brackets.  This is a shortcut to specify a ProxyJump
             configuration directive.  Note that configuration directives
             supplied on the command-line generally apply to the destination
             host and not any specified jump hosts.  Use ~/.ssh/config to
             specify configuration for jump hosts.
 
I'll have to buy another router with SSH support via port forwarding for this, or try it on Debian or on Arch, for example, because I don't want to create 100 users on the server for jump ssh.
 
I used rinetd
rinetd.conf:
server_ip 40033 10.44.4.226 22
But it doesn't work. RDP works, ssh does not.
ssh -p 40033 (user of host 10.44.4.226)@server_ip
and ... does not work.

The user enters the login of his host on the LAN, and the command requires the server login. And if there is no user account for the local network computer on the server, he will not be able to log into his local computer from the WAN.
 
instead of relying on some linux-derived tool just use the native way via forwarding/redirection in PF (https://docs.freebsd.org/en/books/handbook/firewalls/#_configuring_nat) or IPFW (https://docs.freebsd.org/en/books/handbook/firewalls/#_port_redirection).
If this is an internet-facing router it should have a firewall in place anyways, so either one of those should already be configured.
On the ssh forum, experts said that I can only pass NAT with the help of ssh -J, there is no other way. About rinetd, I have used rinetd for 10 years without problems.
 
Not true. But you can only forward to a single host (or use different public ports for each forward/redirection rule). This gets tedious and ugly very fast, but for ssh it works - other protocols or anything UDP usually has problems with such port forwardings (SIP/VoIP!!!).
If you have multiple users and/or systems you want to reach inside your network, it's always much cleaner and safer to have a jumphost which is the sole system directly accessible from the outside world. This host (a plain jail without anything beyond base installed is sufficient) then relays all connections to the inside hosts. This way you also don't have to muck around with non-standard ports, because all ssh connections from the outside are going to that single jumphost anyways.
If you run that jumphost-jail ('jump-jail'?) on the gateway host, you can hook blacklistd directly into PF of the gateway - with port forwardings you'd need to run blacklistd (or something like e.g. sshguard) on each and every host you forward to.
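The rdr approach described above, written out as an added example pf.conf fragment (not from the thread or the FreeBSD handbook); the interface names, the second inside host's public port and the LAN prefix are assumptions, and the hosts and port 40033 are the ones named in the thread:

```pf
# /etc/pf.conf on the FreeBSD gateway - constructed example
ext_if = "em0"             # assumption: interface facing the internet
int_if = "em1"             # assumption: interface facing the LAN
lan_net = "10.44.4.0/24"   # assumption: LAN prefix

# Outbound NAT for the LAN; the gateway already does this for RDP.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Destination NAT: one distinct public port per inside host, because a
# single public port can only be redirected to a single inside host.
# The gateway's own sshd must NOT listen on these ports (here it is on
# 23554), otherwise it answers instead of the redirect and prompts for
# the gateway's account - the symptom described in the thread.
rdr pass on $ext_if proto tcp from any to ($ext_if) port 40033 -> 10.44.4.226 port 22
rdr pass on $ext_if proto tcp from any to ($ext_if) port 40034 -> 10.44.4.77 port 22   # assumed port

# Default-deny on the outside; the rdr rules above pass their own traffic.
block in on $ext_if
pass in on $ext_if proto tcp from any to ($ext_if) port 23554 keep state   # gateway sshd
pass out keep state
pass in on $int_if keep state

# Check the syntax before loading:   pfctl -nf /etc/pf.conf
# Then reload the ruleset:           service pf reload
```

With this in place the remote user runs ssh -p 40033 lanuser@190.160.44.56 and is prompted for the account on 10.44.4.226, not for one on the gateway; the gateway sees only translated packets and needs no account for that user.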
 
ssh -p 40033 (user of host 10.44.4.226)@server_ip
and ... does not work.
"Not works" doesn't tell us anything. Do you get an error? Does it fail to connect? User fat-fingering the password? What HAPPENS? There can be a million and one reasons WHY it does not work, but if you don't provide the information I can't do anything. I'm not going to guess till the cows come home.

The user enters the login of his host of LAN and the command requires the server login.
No, it does not, that user enters their password for that LAN host. You are utterly misunderstanding the differences between forwarding the port (using rinetd or PF/IPFW) and proxying the connection (which is what -J {....} does). You don't seem to grasp the differences here.
 
"Not works" doesn't tell us anything. Do you get an error? Does it fail to connect? User fat-fingering the password? What HAPPENS? There can be a million and one reasons WHY it does not work, but if you don't provide the information I can't do anything. I'm not going to guess till the cows come home.


No, it does not, that user enters their password for that LAN host. You are utterly misunderstanding the differences between forwarding the port (using rinetd or PF/IPFW) and proxying the connection (which is what -J {....} does). You don't seem to grasp the differences here.
When I enter ssh -p 40033 (user name of local comp)@195.55.66.77 (Server IP), it asks for the server user's password, not the local host user's password. With the router's forwarding it works: it asks for the password of the user of the local host, and I can log straight into the local host and not get stuck on the server with NAT.
 
Are you running the server's sshd on port 40033 perchance? What does grep Port /etc/ssh/sshd_config show?
 
I understand. Do I have to use ssh port 40033 in sshd_config as well, or forwarding port 23554 in rinetd.config?
 
I changed port 22 to port 23554 in the config.
That's fine. As long as you're not running it on the same port you're trying to forward.

You also mentioned IPFW somewhere. How's that configured? Especially in regard to any port forwarding you may have done there.
 