Linux – How to Forward a Port from One Machine to Another?

linuxport-forwarding

Consider the following situation:

At my home, I have a router (which is connected to internet), server (S) and my main machine (M). S is reachable from the internet (it has static IP), and it is up 24/7, while M is not.

Sometimes, I want to make some app (which listens on some port on M, for example 8888) accessible from outer internet.

For that, I wanted to set up some port on S (2222) to forward to M's port 8888, so that anybody accessing S:2222 would feel like he was accessing M:8888.

I tried to use ssh port forwarding, my best attempt was as follows:

ssh -L 2222:M:8888 -N M

But that only allows me to access 2222 port from server itself, not from other machines.

Is there some way to do it properly? Preferably, I'd like it to be a simple command, which I would be able to start and shut down with ^C when I don't need that forwarding anymore.

Best Answer

Yes, this is called GatewayPorts in SSH. An excerpt from ssh_config(5):

GatewayPorts
        Specifies whether remote hosts are allowed to connect to local
        forwarded ports.  By default, ssh(1) binds local port forwardings
        to the loopback address.  This prevents other remote hosts from
        connecting to forwarded ports.  GatewayPorts can be used to spec‐
        ify that ssh should bind local port forwardings to the wildcard
        address, thus allowing remote hosts to connect to forwarded
        ports.  The argument must be “yes” or “no”.  The default is “no”.

And you can use localhost instead of M in the forwarding, as you're forwarding to the same machine as you're SSH-ing to -- if I understand your question correctly.

So, the command will become this:

ssh -L 2222:localhost:8888 -N -o GatewayPorts=yes hostname-of-M

and will look like this in netstat -nltp:

tcp        0      0    0.0.0.0:2222   0.0.0.0:*  LISTEN  5113/ssh

Now anyone accessing this machine at port 2222 TCP will actually talk to localhost:8888 as seen in machine M. Note that this is not the same as plain forwarding to port 8888 of M.

I'll start with the raw facts :

You have: A - your FreeBSD box, B - your router and C - some machine with Internet access. This is how it looks like:

.-----.      .-----.                        .-----.
|  A  |  ==  |  B  |  - - ( Internet ) - -  |  C  |
'-----'      '-----'                        '-----'
\_________ ________/
          v
           `- this is your LAN

Notice how your router normally works: it allows connections from machines on your LAN to the Internet (simply speaking). So if the A (or any other machine on LAN) wants to access the Internet, it will be allowed (again, just talking about basic understanding and configuration) :

.-----.      .-----.                        .-----.
|  A  |  ==  |  B  |  - - ( Internet ) - -  |  C  |
'-----'      '-----'                        '-----'
      `-->----'  `--->--->---^

And the following is not allowed by default:

.-----.      .-----.                        .-----.
|  A  |  ==  |  B  |  - - ( Internet ) - -  |  C  |
'-----'      '-----'                        '-----'
      `--<----'  `---<--- - - - - --<---<-----'

(That is, the router protects the machines on your LAN from being accessed from the Internet.) Notice that the router is the only part of your LAN that is seen from the Internet¹⁾.

Port forwarding is what allows the third schema to take place. This consists in telling the router what connection from C²⁾ should go to which machine on the LAN. This is done based on port numbers - that is why it is called port forwarding. You configure that by instructing the router that all the connections coming on a given port from the Internet should go to a certain machine on LAN. Here's an example for port 22 forwarded to machine A:
```
.------.     .-------.                        .-----.
|  A   | ==  |   B   |  - - ( Internet ) - -  |  C  |
|      |     |       |                        '-----'
'-|22|-'     ',--|22|'                          |
    `--<-22---'    `---<---- - - - - - --<-22---'
```
Such connections through the Internet occur based on IP addresses. So a bit more precise representation of the above example would be:
```
.------.      .-------.                                .-----.
|  A   |  ==  |   B   | - - - - - ( Internet ) - - - - |  C  |
|      |      |       |                                '-----'
'-|22|-'      ',--|22|'                                   |
    `--<-A:22--'    `--<-YourIP:22 - - - - --<-YourIP:22--'
```
If you do not have an Internet connection with a static IP, then you'd have to somehow learn what IP is currently assigned to your router by the ISP. Otherwise, C will not know what IP it has to connect to in order to get to your router (and further, to A). To solve this in an easy way, you can use a service called dynamic DNS. This would make your router periodically send information to a special DNS server that will keep track of your IP and provide you with a domain name. There are quite a few free dynamic DNS providers. Many routers come with configuration options to easily contact with those.

_{¹⁾ This is, again, a simplification - the actual device that is seen to the Internet is the modem - which can often be integrated with the router, but might also be a separate box.

²⁾ or any other machine with Internet connection.}

Now for what you want:

Simply allowing ssh access to your machine from the Internet is a bad idea. There are thousands of bots set up by crackers that search the Internet for machines with open SSH port. They typically "knock" on the default SSH port of as many IPs as they can and once they find an SSH daemon running somewhere, the try to gain bruteforce access to the machine. This is not only a risk of potential break-in, but also of network slow-downs while the machine is being bruteforced.
If you really need such access, you should at least
- assure that you have strong passwords for all the user accounts,
- disallow root access over SSH (you can always log in as normal user and su or sudo then),
- change the default port on which your SSH server would run,
- introduce a mechanism of disallowing numerous SSH login attempts (with icreasing time-to-wait for subsequent attempts - I don't remember how exactly this is called - I had it enabled some time ago on FreeBSD and I recall it was quite easy - try searching some FreeBSD forums etc. about securing SSH an you'll find it.)
- If possible, try to run ssh daemon only when you know you will be accessing the machine in near future an turn it off afterwards
Get used to going through your system logs. If you begin noticing anything suspicious, introduce additional security mechanisms like IP tables or port knocking.

Port Forwarding to VPN Client – How to Port Forward to VPN Client?

You need to do three things on your VPN server (the Linode) to make this work:

You must enable IP forwarding:
```
sysctl -w net.ipv4.ip_forward=1
```
Set up destination NAT (DNAT) to forward the port. You've probably already figured this out because it's standard port forwarding stuff, but for completeness:
```
iptables -t nat -A PREROUTING -d x.x.x.x -p tcp --dport 6000 -j DNAT --to-dest y.y.y.100:6000
```
Set up source NAT (SNAT) so that from your VPN client's perspective, the connection is coming from the VPN server:
```
iptables -t nat -A POSTROUTING -d y.y.y.100 -p tcp --dport 6000 -j SNAT --to-source y.y.y.1
```

The reason you need the SNAT is because otherwise your VPN client will send its return packets straight to the host which initiated the connection (z.z.z.z) via its default gateway (i.e. Verizon 3G), and not via the VPN. Thus the source IP address on the return packets will be your Verizon 3G address, and not x.x.x.x. This causes all sorts of problems, since z.z.z.z really initiated the connection to x.x.x.x.

In most port forwarding setups, the SNAT is not needed because the host performing the port forwarding is also the default gateway for the destination host (e.g. a home router).

Also note that if you want to forward port 6000 to a different port (say 7000), then the SNAT rule should match on 7000, not 6000.

Best Answer

Related Solutions

SSH Port Forwarding – How to Access Home Machine from Anywhere

I'll start with the raw facts :

Now for what you want:

Port Forwarding to VPN Client – How to Port Forward to VPN Client?

Related Question