Re: newbie question on port forwarding(and ssh, netcat)
Hi Joe!
Thank you for the detailed reply!
Actually I found a switch which solved my problem, and now all my experiments work perfectly. The command is:
echo "1">/proc/sys/net/ipv4/ip_forward
but... what is it?! Is there any other way to check and configure my laptop's status without writing directly to this file?
...well, I know, Linux is all about files...
On Thursday, 11 October 2012 at 03:50:02 UTC+9, Joe wrote:
> On Wed, 10 Oct 2012 08:35:13 -0700 (PDT)
> houkensjtu <houkensjtu@gmail.com> wrote:
>
> > Hi debianer!
> > I am a newbie both of Debian and networking...
> > Recently I am trying to connect to my home laptop (I have a router in my
> > home) from office. I read several articles on port forwarding. And I
> > succeeded in opening port 22 on my router, also I started the ssh
> > server on my home laptop.
> >
> > (suppose my username at home is USER, and my laptop is called DEBIAN)
> >
> > I did several experiments and I got confused by some of the results.
> >
> > 1. ssh USER@DEBIAN
> >
> > works well!!
> >
> > 2. nc -vz my_home_external_ip 22
> > [my_home_external_ip] 22 (ssh) : Connection refused
> >
> > I can't understand why that is, because I have actually succeeded in
> > test 1!
> >
> > 3. ssh -l USER my_home_external_ip
> > ssh: connect to host my_home_external_ip port 22: Connection refused
> > This also doesn't work! I thought it should be equivalent to test 1,
> > but things just don't work.
> >
> > Can anyone explain this?
>
> Not yet. Many commercial networks operate firewalls affecting the
> connections leaving the network so as yet you don't know which end of
> the connection has an issue.
>
> Divide the problem into two parts: the simplest way to check port
> forwarding is to use an external website from home, that way you can
> change things without travelling from your office, and you know the
> other end will have no firewall problems.
>
> A simple and slightly alarming but fairly reliable site is
> http://grc.com. Click on Shields Up!!, scroll down over halfway and
> click the heading Shields Up!, then Proceed, and Continue, then Common
> Ports (you can enter 22 manually, but the Common Ports is a quick test
> and just one click is needed).
>
> You're looking for 22 shown as Open, and probably all others as
> Stealth. Ignore all the dire warnings, this is a site for Windows users
> and they need to be scared.
>
> If 22 is not shown as Open, then you either haven't got the forwarding
> right, or sshd isn't running as you expect. If the router looks right,
> from your laptop try ssh <IP address of laptop>. This isn't the same as
> ssh localhost, as the ssh server treats different interfaces separately.
>
> If all is well at this end, but there is still a problem from your
> office, then you need to ask about outgoing firewalling there.
>
> However you resolve the initial problem, the ssh server is very heavily
> targeted by the bad guys, using password checking bots. A quick and
> dirty security measure is to forward a non-standard high numbered
> external TCP port to <laptop>:22 (nearly all routers should be able to
> do that) or to forward it to the same port of the laptop, and
> reconfigure the ssh server to listen on that port (the Port xxx line(s)
> in /etc/sshd_config). Remember to restart the ssh server if you need to
> do this.
>
> Six people will now leap in and say that's not going to improve
> security, all the bad guys have to do is run a portscan to find your
> server. However, scanning 65,000 ports of the same IP address across
> the Internet is no small undertaking, and will certainly attract
> attention, and I've never yet seen a bot attempt it. I don't get *any*
> connection attempts to my ssh port, while 22 gets 10-100 a day.
>
> The long-term solution is to disable passwords and use public-private
> key pairs for authentication, which is not really difficult, but is
> not for a complete beginner, and can certainly not be tried until you
> have the system working reliably on passwords. A quick Google for ssh
> public key tutorial turns up a vast number of sites to help with this.
>
> If you need to work from Windows, by the way, the PuTTY program is
> pretty much the industry standard. There is also a Portable Apps
> version of it, which does not write anything to the Windows machine.
>
> --
> Joe
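On the question of checking the forwarding switch without writing to /proc by hand, here is an added example (not part of the original thread): `sysctl net.ipv4.ip_forward` reads the same value, `sysctl -w net.ipv4.ip_forward=1` sets it, and the script below compares the runtime value with what the sysctl configuration files will apply at boot. The function names, the temporary files and the order in which config files are passed are assumptions of this example; the sample files are constructed.

```shell
#!/bin/sh
# Added example: audit IPv4 forwarding (runtime vs. boot-time setting).
# Equivalent one-off commands on a real system:
#   sysctl net.ipv4.ip_forward          # read, same as cat of the /proc file
#   sysctl -w net.ipv4.ip_forward=1     # set at runtime (root), lost at reboot
#   edit /etc/sysctl.conf, then: sysctl -p   # make the setting persistent

# Runtime value. $1 is the proc mount point (default /proc).
runtime_ip_forward() {
    cat "${1:-/proc}/sys/net/ipv4/ip_forward"
}

# Boot-time value: last uncommented assignment found in the given files,
# read in the order given (assumption: pass them in the order your release
# applies them). Prints "unset" if no file sets the key.
persisted_ip_forward() {
    val=unset
    for f in "$@"; do
        [ -r "$f" ] || continue
        # Keys may be written with dots or slashes; commented lines are skipped.
        v=$(sed -n 's/^[[:space:]]*net[./]ipv4[./]ip_forward[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$f" | tail -n 1)
        if [ -n "$v" ]; then val=$v; fi
    done
    echo "$val"
}

# Compare both and report what a reboot would change.
# Usage: audit_ip_forward PROC_ROOT CONF_FILE...
audit_ip_forward() {
    proc_root=$1
    shift
    run=$(runtime_ip_forward "$proc_root")
    boot=$(persisted_ip_forward "$@")
    if [ "$boot" = unset ]; then boot=0; fi   # kernel default is 0 (off)
    if [ "$run" = "$boot" ]; then
        echo "consistent: ip_forward=$run now and after reboot"
    elif [ "$run" = 1 ]; then
        echo "runtime-only: forwarding is on now but will be off after reboot"
    else
        echo "pending: forwarding is off now but will be on after reboot"
    fi
}

# Constructed scenario: the state right after the echo command in the post,
# with a sysctl.conf where the forwarding line is still commented out.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/proc/sys/net/ipv4"
    echo 1 > "$d/proc/sys/net/ipv4/ip_forward"
    printf '%s\n' '# constructed sample' '#net.ipv4.ip_forward=1' > "$d/sysctl.conf"
    audit_ip_forward "$d/proc" "$d/sysctl.conf"
    rm -rf "$d"
}

demo
# On a real host: audit_ip_forward /proc /etc/sysctl.d/*.conf /etc/sysctl.conf
```

A host with forwarding enabled routes packets between its interfaces, so on a laptop that moves between networks the "runtime-only" and "pending" results are the ones worth reviewing.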