SSH Port Forwarding Notes

ben53252642
Posts: 500
Joined: Saturday 02 July 2016 5:17
Target OS: Linux
Domoticz version: Beta

SSH Port Forwarding Notes

Post by ben53252642 » Wednesday 02 May 2018 13:16

Hey folks,

Posting my notes on SSH port forwarding (I'll definitely use these again in the future), but some may find them helpful.

I use SSH port forwarding when I don't have a static IP address or I am behind a carrier-grade NAT and want to access a port externally (Domoticz, for example) from a static IP. I rent a cheap $5 a month VPS and do an SSH port forward to it, essentially giving me the equivalent of a static IP.

Client (the computer at home):

sshportforward.sh (requires: apt-get install sshpass)

```bash
#!/bin/bash
# Keeps a reverse tunnel up: remoteip:remoteport on the VPS -> localip:localport at home.
while true; do

# Configuration
localport="443"
remoteport="443"
localip="enterhere" # eg: 192.168.0.8
remoteip="enterhere"
username="enterhere"
password="enterhere" # plain-text password for sshpass; anyone who can read this file gets the VPS account

# Options for both ssh calls: fail fast on connect, keepalives so a dead link is noticed,
# and ExitOnForwardFailure so ssh exits (and the loop retries) if the remote port cannot be bound
sshopts=(-o ConnectTimeout=5 -o ConnectionAttempts=1 -o TCPKeepAlive=yes
         -o ServerAliveInterval=50 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes)

# Knock secret port combination to access SSH port on remote server (optional and comment disabled by default, you will need to separately setup knockd on the remote server and apt-get install knockd on the client).
#echo "Port knocking..."
#knock "$remoteip" 7629 1209 5372
#sleep 1

# Kill any existing ssh sessions forwarding the remoteport number on the remote server
# (lsof -t prints the PIDs listening on that port; the $(...) is escaped so it expands on the VPS.
# Note this kills whatever holds the port, not only stale tunnels.)
echo "Killing existing port forwards using $remoteport on remote server"
killcommand="kill \$(lsof -t -i:${remoteport})"
sshpass -p "$password" ssh "${sshopts[@]}" "$username"@"$remoteip" "$killcommand" &> /dev/null

# Establish ssh port forward (-N: no remote shell, only the forward; -R binds remoteip:remoteport on the VPS)
echo "Establishing port forward"
sshpass -p "$password" ssh "${sshopts[@]}" -N -R "$remoteip":"$remoteport":"$localip":"$localport" "$username"@"$remoteip"
sleep 2
done
```
I use another script below to launch sshportforward.sh and run it in the background:

startportforward.sh (requires: apt-get install screen).

```sh
#!/bin/sh
# Start sshportforward.sh detached in a screen session named "sshportforward"
# (reattach with: screen -r sshportforward)
screen -dmS sshportforward /scripts/sshportforward/sshportforward.sh
```
Note that on the client you will need to connect to the remote server using ssh, eg: ssh -l root remoteip and accept the certificate before the above script will work.

Server (the cheap remote VPS with a static IP in my case)

1) nano /etc/ssh/sshd_config
Un-comment or add if necessary: GatewayPorts clientspecified
2) apt-get install lsof
3) Save and reboot the VPS

As you can see from the above, there is very little configuration needed on the remote vps.

Optional Knockd on the remote server cloaking the ssh daemon on port 22
1) apt-get install knockd
2) nano /etc/knockd.conf

```ini
[options]
        UseSyslog

[openSSH]
        sequence    = 7629,1209,5372
        seq_timeout = 10
        command     = /sbin/iptables -I INPUT 1 -s %IP% -p tcp --dport 22 -j ACCEPT
        tcpflags    = syn

[closeSSH]
        sequence    = 8326,2241,370
        seq_timeout = 10
        command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        tcpflags    = syn
```
3) nano /etc/default/knockd

```sh
START_KNOCKD=1
KNOCKD_OPTS="-i eth0"
```
Make sure you change eth0 to the name of the wan interface.

Script to set up a basic iptables firewall with port forwarding examples (consider implementing if using knockd)
1) apt-get install iptables-persistent
firewall.sh

```bash
#!/bin/bash

# Requirements: apt-get install iptables-persistent
# Note: no rule below opens port 22. With knockd, the open sequence inserts the SSH accept
# rule at position 1; without knockd (or another SSH allow rule) this script locks you out.

# Configuration
wanip="xx.xx.xx.xx" # Enter the wan IP
waninterface="eth0"

# Flushing all existing rules
iptables -F
iptables -X

# Set default filter policy to block all incoming traffic
iptables -P INPUT DROP

# Allow unlimited traffic on loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow incoming ports examples (uncomment to use)
#iptables -A INPUT -i "$waninterface" -p tcp -d "$wanip" --dport 80 -j ACCEPT # HTTP
#iptables -A INPUT -i "$waninterface" -p tcp -d "$wanip" --dport 443 -j ACCEPT # HTTPS

# Allow all outbound traffic and the replies to it
iptables -I OUTPUT -o "$waninterface" -s "$wanip" -d 0.0.0.0/0 -j ACCEPT
iptables -I INPUT -i "$waninterface" -d "$wanip" -m state --state ESTABLISHED,RELATED -j ACCEPT

# Block all remaining incoming traffic (explicit, in addition to the DROP policy)
iptables -A INPUT -j DROP

# The rules above only cover IPv4. If the VPS also has an IPv6 address, apply the same
# default policy there, otherwise every port stays reachable over IPv6.
ip6tables -F
ip6tables -X
ip6tables -P INPUT DROP
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -p icmpv6 -j ACCEPT # neighbour discovery needs ICMPv6

# Save iptables so they persist if the server is restarted
iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6
```
Monit definition for knockd on the remote server
1) apt-get install monit
2) nano /etc/monit/monitrc

```text
# Knockd
check process knockd matching "knockd"
start program "/etc/init.d/knockd start"
stop program "/etc/init.d/knockd stop"
```
Script for port knocking from Mac OS X without installing additional software

I use this script in Shimo VPN client to port knock before establishing a VPN connection.

```bash
#!/bin/bash

target="ipaddress"

# One connection attempt (SYN) per port of the knock sequence, in order.
# -G 1 is the macOS nc connect timeout; -z means no data, just connect.
# The attempts are backgrounded and spaced 0.1 s apart so they arrive in sequence.
nc -G 1 -vz "$target" 7629 &> /dev/null &
sleep 0.1
nc -G 1 -vz "$target" 1209 &> /dev/null &
sleep 0.1
nc -G 1 -vz "$target" 5372 &> /dev/null &
```
Android Apps that support port knocking
This could be useful if you have Domoticz setup with port knocking for external access:
https://play.google.com/store/apps/deta ... ortknocker
This is an OpenVPN client that supports port knocking:
https://play.google.com/store/apps/deta ... eb.openvpn
To setup port knocking in the OpenVPN app, go into "Remote Servers" in the OpenVPN profile in the app, tap on the remote server scroll down and you should see "Enable port knocking", then you just need to fill out your port knocking sequence.

Notes:
1) You will need to read and understand each script entirely, making sure that it is suitable for your own environment, including the security implications.
2) If using knockd on the server, be sure to change the port sequence to something unique (don't use 7629,1209,5372 as that's obviously not secure now that it's posted on this forum).
Last edited by ben53252642 on Friday 04 May 2018 14:16, edited 13 times in total.
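A hardened version of the client side of the procedure above, as an added example that is not part of the original post or of Domoticz. Instead of a root password kept in the script for sshpass, it uses a dedicated key that the VPS restricts to remote-forwarding a single listener (the `restrict` and `permitlisten` authorized_keys options; `permitlisten` needs OpenSSH 7.8 or newer on the VPS), knocks with plain bash (no knock or nc binary), checks that the knock really opened port 22 before starting ssh, and lets ssh exit when the remote port cannot be bound so the loop retries. The VPS address 203.0.113.10, the account name `tunnel`, the key path and the knock sequence are placeholders; the host key must already be in known_hosts (one manual connection or `ssh-keyscan`), which is what `StrictHostKeyChecking=yes` enforces.

```bash
#!/bin/bash
# Added example, not from the original post: the client side of the reverse tunnel with a
# dedicated forward-only key instead of a password in the script. Assumptions: bash with
# /dev/tcp, coreutils "timeout", OpenSSH 7.8 or newer on the VPS (for permitlisten), and a
# VPS account named "tunnel" whose authorized_keys holds the line authorized_keys_entry prints.
set -u

remoteip="${REMOTEIP:-203.0.113.10}"          # placeholder VPS address
remoteport="${REMOTEPORT:-443}"
localip="${LOCALIP:-192.168.0.8}"             # placeholder LAN address of the Domoticz box
localport="${LOCALPORT:-443}"
keyfile="${KEYFILE:-${HOME:-/root}/.ssh/tunnel_ed25519}"
knock_open=(7629 1209 5372)                   # placeholder sequence, pick your own
TUNNEL_ARGS=()

# Send one SYN per port of the sequence, in order. knockd only watches for the SYN, so a
# refused or timed-out connect is the normal outcome; returns 0 once the sequence was sent.
knock() {
    local host="$1"; shift
    local port
    for port in "$@"; do
        timeout 1 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null || true
        sleep 0.2
    done
    return 0
}

# Poll until a TCP connect to host:port succeeds; return 1 after "tries" attempts.
# Used to confirm the knock really opened port 22 before ssh is started.
wait_for_port() {
    local host="$1" port="$2" tries="${3:-5}" i
    for ((i = 0; i < tries; i++)); do
        if timeout 1 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null; then
            return 0
        fi
        sleep 1
    done
    return 1
}

# authorized_keys line for the VPS. "restrict" disables pty, agent/X11 forwarding and command
# execution; "port-forwarding" re-enables forwarding; "permitlisten" limits -R to this one
# bind address and port, so a stolen key cannot open arbitrary listeners on the VPS.
authorized_keys_entry() {
    local bind_ip="$1" port="$2" pubkey="$3"
    printf 'restrict,port-forwarding,permitlisten="%s:%s" %s\n' "$bind_ip" "$port" "$pubkey"
}

# Fill TUNNEL_ARGS: no remote shell (-N), never fall back to a password prompt (BatchMode),
# refuse an unknown host key instead of asking, and exit when the remote port cannot be bound
# so the loop retries rather than sitting on a session without a forward.
build_tunnel_args() {
    TUNNEL_ARGS=(-N -i "$keyfile"
        -o BatchMode=yes -o StrictHostKeyChecking=yes -o ExitOnForwardFailure=yes
        -o ConnectTimeout=5 -o ServerAliveInterval=30 -o ServerAliveCountMax=3
        -R "$remoteip:$remoteport:$localip:$localport" "tunnel@$remoteip")
}

# Reconnect loop, enabled with RUN_TUNNEL=1 so the functions can also be sourced on their own.
if [ "${RUN_TUNNEL:-0}" = 1 ]; then
    while true; do
        knock "$remoteip" "${knock_open[@]}"
        if wait_for_port "$remoteip" 22 5; then
            build_tunnel_args
            ssh "${TUNNEL_ARGS[@]}"
        else
            echo "port 22 on $remoteip did not open after knocking" >&2
        fi
        sleep 5
    done
fi
```

The kill step of the original script is left out on purpose, but it only becomes unnecessary if the VPS notices dead clients on its own: set `ClientAliveInterval 30` and `ClientAliveCountMax 3` in the VPS's sshd_config, otherwise a stale session keeps the listener (and `ExitOnForwardFailure` keeps the new session failing) until the kernel's TCP keepalive timer expires, which is hours by default. Generate the key with `ssh-keygen -t ed25519 -f ~/.ssh/tunnel_ed25519` and paste the output of `authorized_keys_entry` (with the VPS address, the port and the public key) into the `tunnel` account's authorized_keys; with `restrict` that account cannot be used for anything but this forward even if the key leaks.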

MiloshCZ
Posts: 26
Joined: Monday 23 January 2017 18:15
Target OS: Raspberry Pi
Domoticz version:

Re: SSH Port Forwarding Notes

Post by MiloshCZ » Wednesday 02 May 2018 13:28

Why don't you use a VPN connection from home to the VPS and route via iptables? I am using this setup for my server, which is connected via a 3G mobile modem (no external IP address).

ben53252642
Posts: 500
Joined: Saturday 02 July 2016 5:17
Target OS: Linux
Domoticz version: Beta

Re: SSH Port Forwarding Notes

Post by ben53252642 » Wednesday 02 May 2018 13:33

MiloshCZ wrote:
Wednesday 02 May 2018 13:28
Why don't you use a VPN connection from home to the VPS and route via iptables? I am using this setup for my server, which is connected via a 3G mobile modem (no external IP address).
This method is a lot simpler for most use cases and quite suitable for forwarding just one or two ports, which is all that I need.

That said I would be interested to see your script / iptables if you can post them?

MiloshCZ
Posts: 26
Joined: Monday 23 January 2017 18:15
Target OS: Raspberry Pi
Domoticz version:

Re: SSH Port Forwarding Notes

Post by MiloshCZ » Wednesday 02 May 2018 13:42

I am using UFW for the firewall and iptables configuration.
/etc/ufw/before.rules

```text
# NAT table rules
*nat
:PREROUTING ACCEPT [0:0]
# Port Forwardings
-F
-A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to-destination 192.168.5.249:8080 -m comment --comment "Domoticz"
# each table section must end with COMMIT, otherwise UFW will not load the file
COMMIT
```
192.168.5.249 is the VPN IP address of the Domoticz server (the server is a VPN client). The VPN server runs on a VPS with a public, static IP address.
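The before.rules fragment above is only the DNAT half of the setup. As an added example, not from MiloshCZ's configuration, the following script emits the complete rule set that DNAT through a VPN needs: the `*nat` section with its closing `COMMIT`, a `MASQUERADE` rule so that replies from the Domoticz box return down the VPN rather than via its own default route (without it the connection stalls after the first packet), the matching `FORWARD` accept rules for UFW's `ufw-before-forward` chain, and the sysctl switch that enables forwarding at all. Interface names (`eth0`, `tun0`), the VPN address and the port are placeholders.

```bash
#!/bin/bash
# Added example, not from MiloshCZ's setup: the full rule set that DNAT through a VPN needs.
# Assumptions: UFW on the VPS, WAN interface eth0, VPN interface tun0, the Domoticz box is the
# VPN client at $vpn_client and serves TCP/$port. All four values are placeholders.
set -u

wan_if="${WAN_IF:-eth0}"
vpn_if="${VPN_IF:-tun0}"
vpn_client="${VPN_CLIENT:-192.168.5.249}"
port="${PORT:-8080}"

# Complete *nat section for the top of /etc/ufw/before.rules (above the *filter line).
# COMMIT is mandatory: without it UFW fails to load the file. The POSTROUTING MASQUERADE
# makes the VPS's tun0 address the source the Domoticz box sees, so its replies travel back
# down the VPN instead of out through the home router, where the connection would break.
nat_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $wan_if -p tcp --dport $port -j DNAT --to-destination $vpn_client:$port -m comment --comment "Domoticz"
-A POSTROUTING -o $vpn_if -p tcp -d $vpn_client --dport $port -j MASQUERADE
COMMIT
EOF
}

# DNATed packets still traverse FORWARD; these go into the *filter section of before.rules,
# before its COMMIT. Only the one port towards the VPN client and its replies are allowed.
forward_rules() {
    cat <<EOF
-A ufw-before-forward -i $wan_if -o $vpn_if -p tcp -d $vpn_client --dport $port -j ACCEPT
-A ufw-before-forward -i $vpn_if -o $wan_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Sanity checks on the generated text so a typo is caught before "ufw reload" refuses it.
check_rules() {
    local nat fwd
    nat="$(nat_rules)"
    fwd="$(forward_rules)"
    case "$nat" in *"COMMIT") ;; *) return 1 ;; esac
    case "$nat" in *"DNAT --to-destination $vpn_client:$port"*) ;; *) return 1 ;; esac
    case "$fwd" in *"ufw-before-forward"*) ;; *) return 1 ;; esac
    return 0
}

# APPLY=1 turns on forwarding in UFW's sysctl file and reloads. The rule text is printed for
# pasting into before.rules either way: UFW's file layout makes scripted in-place edits
# fragile, so that step stays manual.
if [ "${APPLY:-0}" = 1 ]; then
    sed -i 's|^#net/ipv4/ip_forward=1|net/ipv4/ip_forward=1|' /etc/ufw/sysctl.conf
    ufw reload
fi
if check_rules; then
    echo "# --- nat section (top of /etc/ufw/before.rules) ---"; nat_rules
    echo "# --- forward rules (inside *filter, before COMMIT) ---"; forward_rules
fi
```

One consequence of the MASQUERADE rule is that Domoticz sees every external visitor as coming from the VPS's VPN address, so its own logs and any IP-based access lists there lose the real client address; the alternative is a route on the Domoticz box sending traffic for the VPS's public address back through the VPN, at which point the MASQUERADE line can be dropped.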
