
Why does SSH need to be port forwarded?

babadoctor
Solved by LAwLz:

The difference between teamviewer and SSH is where the traffic originates from.

With teamviewer, your computer connects to an outside server and tells it which IP and port to send traffic on. When you try to connect to your teamviewer server, you contact the central server (hosted somewhere on the Internet) which connects the two connections to each other.

This is why it does not require port forwarding. Because the connection originates from inside your network. Your router sees that your computer wants to connect to the Internet, so it assigns that connection a dynamic port number which it automatically keeps track of. Since it is your computer starting the connection, your router will know which traffic should be forwarded to it automatically.

With SSH, there is no middleman. It's not your computer from the inside network that is establishing the connection. Your router will just see an incoming connection on port 22 and then have no idea what to do with the connection. Should this packet on port 22 be sent to computer 192.168.1.6 or should it be sent to 192.168.1.7? Your router will have no idea and just try to process the packets itself, and then probably discard them.

There are ways around it with SSH, but they are very complicated so I really don't see why you won't just port forward. Is there any special reason for it?

You will most likely need a VPS or a VPN in order to make it work the way you want. With a VPS you could do the same thing Teamviewer does, but you will have to write the server (middleman) and client (that runs on your SSH server) yourself. I am not aware of any programs that do this already.

With the VPN you would have to make sure both the SSH server and client are on the same network (either a completely separate VPN for the two, or VPN from the client into the server's network) and then you will be able to SSH without port forwarding since you're on the same network.

But both solutions are costly. Cost in time, computational resources and money, so I really don't get why you just can't port forward.
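A toy NAT table that models what the accepted answer above describes, added here as an example (it is not code from the thread): an outbound connection creates state in the router, so replies are delivered, while an unsolicited inbound packet to port 22 matches nothing and is dropped unless a static port-forward rule exists. It also shows the TeamViewer-style case where both LAN hosts dial out to a public relay. All addresses other than 192.168.1.6 are constructed (RFC 5737 ranges for the public side).

```python
# Added example, not code from the thread: a simplified NAT with one public
# IP. Outbound flows get a dynamic external port; inbound packets are delivered
# only if they match a known flow or an explicit port-forward rule.
class ToyNat:
    """One public IP shared by a LAN; maps flows to dynamic external ports."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.flows = {}     # ext_port -> (lan_ip, lan_port, remote_ip, remote_port)
        self.forwards = {}  # ext_port -> (lan_ip, lan_port): the manual rules

    def add_forward(self, ext_port, lan_ip, lan_port):
        self.forwards[ext_port] = (lan_ip, lan_port)

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """LAN host dials out: allocate an external port and remember the flow."""
        ext = self.next_port
        self.next_port += 1
        self.flows[ext] = (lan_ip, lan_port, remote_ip, remote_port)
        return ext  # the remote peer sees public_ip:ext as the source

    def inbound(self, src_ip, src_port, dst_port):
        """Packet arrives on the public side; return LAN target or None (drop)."""
        flow = self.flows.get(dst_port)
        if flow and flow[2:] == (src_ip, src_port):   # reply to a flow we opened
            return flow[:2]
        if dst_port in self.forwards:                 # explicit port-forward rule
            return self.forwards[dst_port]
        return None                                   # router has no idea: drop


def direct_ssh():
    """Raw inbound SSH to the home router, without and then with a forward rule."""
    home = ToyNat("203.0.113.10")                     # constructed public IP
    dropped = home.inbound("198.51.100.7", 51234, 22)
    home.add_forward(22, "192.168.1.6", 22)
    delivered = home.inbound("198.51.100.7", 51234, 22)
    return dropped, delivered


def via_relay():
    """TeamViewer-style: both LAN hosts dial OUT to a public relay, so each
    NAT already holds state and the relay's replies reach both sides."""
    relay_ip, relay_port = "198.51.100.7", 443        # constructed relay
    work, home = ToyNat("203.0.113.10"), ToyNat("203.0.113.20")
    w_ext = work.outbound("10.0.0.5", 50001, relay_ip, relay_port)
    h_ext = home.outbound("192.168.1.6", 50002, relay_ip, relay_port)
    return (work.inbound(relay_ip, relay_port, w_ext),
            home.inbound(relay_ip, relay_port, h_ext))
```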

Why do you need to port forward SSH on your router, but services like TeamViewer don't need port forwarding at all? Can I set something up like that on my computer at home so I don't need to port forward?

e.g.

A computer at work which connects to a computer at my house, which enables me to SSH into that computer at work, without port forwarding the computer at work.

Is there some command line program I can use?

OFF TOPIC: I suggest every poll from now on to have "**CK EA" option instead of "Other"


Just now, M.Yurizaki said:

Because it's normally blocked for security reasons.

You didn't answer my other question.

Can I set up an SSH server w/o port forwarding?

Also it seems safer because now I won't get targeted by SSH port scanning bots (yes, I changed the port to some obscure number but it still gets scanned).


2 minutes ago, babadoctor said:

A computer at work which connects to a computer at my house, which enables me to ssh into that computer at work, without port forwarding the computer at work

 

Is there some command line program I can use?

just use teamviewer.

 

or why can't you port forward.


Just now, babadoctor said:

You didn't answer my other question

I added to my post.

 

But if you're wondering why other programs don't need port forwarding, it's because outside the range of ports used for common services, they can be used for whatever else.

 

Also those programs may connect via a port that's trusted anyway.


Just now, Electronics Wizardy said:

because teamviewer and other services need a server in the middle, with ssh you don't. If you set up a server in the middle you wouldn't have to port forward it.

This is my question; How do I do this?


1 minute ago, babadoctor said:

This is my question; How do I do this?

you need a server in the middle, so get a vpc.

 

Then you need to start writing code. There is no easy way here.


Just now, Electronics Wizardy said:

you need a server in the middle, so get a vpc.

 

Then you need to start writing code. There is no easy way here.

there must surely be some open source program for this

 

it seems highly unlikely that someone hasn't already created this


1 minute ago, M.Yurizaki said:

You have to configure your modem to allow any connections trying to ping that port to go to the network address of the computer you're trying to connect to.

elaborate


Just now, babadoctor said:

there must surely be some open source program for this

 

it seems highly unlikely that someone hasn't already created this

why can't you port forward?

 

You could put that system that you want to access on a vpn.


2 minutes ago, Electronics Wizardy said:

why can't you port forward?

 

You could put that system that you want to access on a vpn.

Could you also elaborate here?

Putting my computer on a VPN would still require me to port forward, right?

What I am trying to accomplish is to set up the server in the middle on my own computer, then use that server-in-the-middle computer to access the computer on the other end, so it doesn't need port forwarding.


Just now, babadoctor said:

Could you also elaborate here

 

Putting my computer on a VPN would still require me to port forward, right?

nope, all your traffic goes to the vpn, and then you use the public ip of the vpn.

 

But the lazy way is teamviewer


4 minutes ago, babadoctor said:

elaborate

Actually it may not be the modem, it may be the router connected to the modem itself. I blame my confusion on needing to use ATT's poor excuse of a network box.

 

Anyway, the exact method of doing it will vary, but you need to do the following:

  • Figure out what your computer's default gateway is. If you're on Windows, go to the command prompt and type in ipconfig /all. If you're on Linux, open the terminal and type in ip route | grep default
  • Log onto your router typing the default gateway address in your internet browser's address bar.
  • Go find the port forwarding option in your router's firmware and set it up so it forwards the port you need (SSH is usually 22) and the network IP address of the computer you want to connect it to.

4 minutes ago, M.Yurizaki said:

Actually it may not be the modem, it may be the router connected to the modem itself. I blame my confusion on needing to use ATT's poor excuse of a network box.

 

Anyway, the exact method of doing it will vary, but you need to do the following:

  • Figure out what your computer's default gateway is. If you're on Windows, go to the command prompt and type in ipconfig /all. If you're on Linux, open the terminal and type in ip route | grep default
  • Log onto your router using the default gateway address.
  • Go find the port forwarding option in your router's firmware and set it up so it forwards the port you need (SSH is usually 22) and the network IP address of the computer you want to connect it to.

I know how to port forward a computer

 

Also that command only works in bash; in Windows it's something like arp -a

or nmap 192.168.1.1/24


5 minutes ago, babadoctor said:

I know how to port forward a computer

Then why did you ask?  Port forward 22 on the computer in question.

 

... and now that I think about it, you have to port forward because well... how else do you tell the router where to send the traffic to? But otherwise, routers block a lot of ports used by common services by default for security reasons.

 

So if you want to use your setup, port forward 22 to your server, then from the server you can SSH into any other machine on the LAN.


Just now, M.Yurizaki said:

Then why did you ask?  Port forward 22 on the computer in question.

 

... and now that I think about it, you have to port forward because well... how else do you tell the router where to send the traffic to? But otherwise, routers block a lot of ports used by common services by default for security reasons.

I was hoping that maybe I could do the same thing teamviewer does with its services but with SSH

 

and you guys won't help me

 

oh well


Just now, babadoctor said:

I was hoping that maybe I could do the same thing teamviewer does with its services but with SSH

 

and you guys won't help me

 

oh well

So you want to SSH into your LAN machine from the internet without having to port forward? Then you have to connect the machine to a VPN on the internet and connect your remote computer to that VPN, then SSH using the machine's VPN IP.

 

At least that's how I think it works.


On 2017-04-14 at 10:12 AM, M.Yurizaki said:

I added to my post.

 

But if you're wondering why other programs don't need port forwarding, it's because outside the range of ports used for common services, they can be used for whatever else.

 

Also those programs may connect via a port that's trusted anyway.

No it's not, it's because of network address translation.

 

You only have one external IP address on your router but can have many computers attached to that router. So if someone tries to ssh to your.ip.here:22 the router needs to know what computer it should give that traffic to.

 

The only way to avoid this is to buy another IP address specifically for that individual computer from your ISP.

 

Teamviewer does this by having a moderator in the middle. Every computer with teamviewer knows the address of a separate teamviewer service that handles connecting them. If you wish to replicate this you still have the port forwarding issue with a standard residential connection, but now you are forwarding your application specific routing traffic to this new server, so it doesn't solve the problem, it just moves it to a different step.


On 2017-04-14 at 10:19 AM, babadoctor said:

Could you also elaborate here

 

Putting my computer on a VPN would still require me to port forward, right?

 

What I am trying to accomplish is to set up the server in the middle on my own computer, then use that server-in-the-middle computer to access the computer on the other end, so it doesn't need port forwarding

Sorry for the double post:

 

This can't work and you are wasting your time sorry.


On 4/17/2017 at 5:58 AM, SpaceNugget said:

Sorry for the double post:

 

This can't work and you are wasting your time sorry.

You are obviously wrong, if something like teamviewer can exist.


Just now, babadoctor said:

You are obviously wrong, if something like teamviewer can exist.

I am not obviously wrong for the reasons I mentioned, I was referring specifically to your exact request:

 

...set up the server in the middle on my own computer...

 

Do you have the teamviewer server running on your own machine? No, You don't. This can't work and you are wasting your time.

 

You NEED a static public IP directly bound to one of the computers or a port forwarding rule to use SSH, creating a VM or other computer in your same network has the EXACT same problem as your normal computer, it doesn't solve anything.

 

The internet is not set up to have two NAT'ed computers discover each other without port forwarding rules. The only type of application that is able to do that is VoIP because routers generally have SIP gateways pre-installed for VoIP.

 

Why don't you just set up port forwarding?


4 hours ago, SpaceNugget said:

I am not obviously wrong for the reasons I mentioned, I was referring specifically to your exact request:

 

...set up the server in the middle on my own computer...

 

Do you have the teamviewer server running on your own machine? No, You don't. This can't work and you are wasting your time.

 

You NEED a static public IP directly bound to one of the computers or a port forwarding rule to use SSH, creating a VM or other computer in your same network has the EXACT same problem as your normal computer, it doesn't solve anything.

 

The internet is not set up to have two NAT'ed computers discover each other without port forwarding rules. The only type of application that is able to do that is VoIP because routers generally have SIP gateways pre-installed for VoIP.

 

Why don't you just set up port forwarding?

Let's say that I have a second, static public IP with port forwarding enabled... and I want this to be the median in which the two computers connect through.

I have a VM on this second public IP as you would call it.

 

I connect the two computers to the public static IP through port 80, as that port is always open.

 

Could I do this then?


44 minutes ago, babadoctor said:

Let's say that I have a second, static public IP with port forwarding enabled... and I want this to be the median in which the two computers connect through.

I have a VM on this second public IP as you would call it.

 

I connect the two computers to the public static IP through port 80, as that port is always open.

 

Could I do this then?

 

It's one or the other, if you have a static IP, set up your computer with that IP and ALL traffic on ALL ports goes directly to that computer, no port forwarding required.

 

Otherwise, you can set up port forwarding.

 

If you use a VPS like digital ocean with a static IP that you can SSH to, SSH to it from your work computer with the -R flag to create a reverse tunnel to the work computer, then when you ssh to your middle man from home, you are tunneling through to the computer at your work.

 

But this middle man either needs to have its own IP address or port forwarding rules set up to allow you to connect to it.
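The `ssh -R` setup SpaceNugget describes above, as an added example that is not code from the thread: a small supervisor that runs on the work machine and keeps the reverse tunnel to a VPS up, plus the command typed at home to reach the work machine through it. The VPS name `vps.example.com`, the user names and port 2222 are assumptions.

```python
# Added example, not from the thread: keep a reverse SSH tunnel from the work
# machine to a VPS "middleman" alive, and build the matching command for home.
# vps.example.com, the user names and port 2222 are assumed values.
import subprocess
import time

VPS = "tunnel@vps.example.com"   # assumed login on the VPS (key auth only)
REMOTE_PORT = 2222               # port the VPS opens on its own loopback
LOCAL_SSH_PORT = 22              # sshd listening on the work machine


def reverse_tunnel_argv(vps=VPS, remote_port=REMOTE_PORT, local_port=LOCAL_SSH_PORT):
    """Work side: dial OUT to the VPS (so no inbound rule is needed at work) and
    have the VPS listen on 127.0.0.1:remote_port, relaying back to our sshd."""
    return [
        "ssh", "-N",                                 # forwarding only, no shell
        "-o", "ExitOnForwardFailure=yes",            # exit (and get restarted) if the port is busy
        "-o", "ServerAliveInterval=30",              # notice dead NAT state within ~90 s
        "-o", "ServerAliveCountMax=3",
        "-o", "BatchMode=yes",                       # never prompt; fail if keys are missing
        "-R", f"127.0.0.1:{remote_port}:localhost:{local_port}",  # loopback only on the VPS
        vps,
    ]


def home_side_argv(work_user="workuser", vps=VPS, remote_port=REMOTE_PORT):
    """Home side: hop through the VPS with -J to the tunnelled port. The session
    is end-to-end SSH, so the VPS only ever relays ciphertext."""
    return ["ssh", "-J", vps, "-p", str(remote_port), f"{work_user}@127.0.0.1"]


def supervise(argv, max_restarts, backoff=5.0):
    """Re-run argv until it exits cleanly or max_restarts is reached (a minimal
    autossh). Returns how many restarts happened."""
    restarts = 0
    while True:
        rc = subprocess.call(argv)
        if rc == 0 or restarts >= max_restarts:
            return restarts
        restarts += 1
        time.sleep(backoff)


if __name__ == "__main__":
    print("from home run:", " ".join(home_side_argv()))
    supervise(reverse_tunnel_argv(), max_restarts=10)
```

Because the forwarded port is bound only to the VPS loopback and home reaches it through the -J hop, the VPS's sshd can keep GatewayPorts at its default of no and nothing on the public side of the VPS is exposed beyond its own SSH port.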

