ssh to my computer behind NAT

Rick Sewill rsewill at gmail.com
Tue Mar 9 06:17:08 UTC 2010


On Tue, 2010-03-09 at 00:08 -0600, Rick Sewill wrote: 
> On Tue, 2010-03-09 at 08:40 +0300, Hiisi wrote: 
> > 2010/3/9 Rick Sewill <rsewill at gmail.com>:
> > > On Tue, 2010-03-09 at 00:49 +0300, Hiisi wrote:
> > >> Dear list!
> > >> I would like to be able to ssh to my home computer located behind my
> > >> ISP's NAT. I know, I can tunnel to it through some middle host and
> > >> actually I'm doing it at the moment. But I'm wondering, is there a better
> > >> solution? Is there a possibility of not using any computer at the
> > <--SNIP-->
> > >
> > > If it's a company gateway, we mustn't help you defeat their security.
> > >
> > > I don't want to discuss whether having a gateway adds to security.
> > > Personally, I believe all devices in the internal LAN must be secure.
> > > I do not believe security can be done solely at the border of a LAN.
> > >
> > > Do you control the device that is doing NAT for you or does the ISP?
> > > If controlled by the ISP, did the ISP provide a way to configure it?
> > >
> > > As others have said and will say, one needs to have the NAT device
> > > port forward the appropriate port (whatever port you use for ssh)
> > > to your host.
> > >
> > >
> > 
> > You and others, thanks for your responses. Sorry I didn't make it clear.
> > I don't have any router. I'm connected to Internet via LAN. My IP
> > address is something like 192.168.3.20 and I use ISP's router IP
> > (192.168.0.1) as a gateway (I don't have any access to the router).
> > So, I decided it's called NAT. Am I wrong here? I don't know. I know
> > only that I can't reach my computer from the outside of the LAN. So, I
> > did the following: on the target computer I ran:
> > ssh -R 10002:localhost:22 user@middle.host (it's a computer somewhere
> > and I have ssh access there)
> > Now I can connect to the target computer in a few steps:
> > 1. connect to middle.host:
> > ssh user@middle.host
> > 2. and from there:
> > ssh Hiisi@home.computer -p 10002
> > See, it's not very convenient and I'm not sure whether it's possible
> > to use VNC using this setup (as I would like to).  So, is there any
> > better solution?
> > -- 
> > Hiisi.
> > Registered Linux User #487982. Be counted at: http://counter.li.org/
> > --
> > Spandex is a privilege, not a right.
> 
> Your explanation of a middle host is good.  
> I didn't understand what you were doing, previously.
> 
> Your description of NAT is fine.  Your ISP is doing NAT.
> 
> My first thought is to say, talk to the ISP.
> The ISP should have a way for you to configure their NAT router
> to forward the ssh port to your host.
> 
> I have difficulty thinking why the ISP wouldn't let you configure
> their NAT router to forward the ssh port to your host...unless.
> 
> I hadn't thought of it before, but putting customers behind a NAT
> router, and not letting customers configure the NAT router to 
> forward ports, might be a way to prevent customers running servers.
> 
> Is this what the ISP is trying to do?  Stop customers running servers?
> 
> If a customer wants to run a server, even an ssh server,
> which is what you wish to do, does the ISP wish to charge more money?
> 
> If the ISP is deliberately stopping you, I'd say get another ISP.
> If you can't get another ISP, I don't know what to suggest.
> 

I just thought of another possibility the ISP might be doing.

Are you, and some other customers of the ISP, sharing the same public
IP address?  Doing so would reduce the number of public IP addresses
the ISP would need.  I'd be very, very surprised if an ISP did this.
I'd be more than surprised.  I'd be shocked.
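
The two-step login through the middle host described in the quoted message can be collapsed into a single command that also carries VNC inside the SSH session. The following client configuration is an added example, not part of any poster's message; the aliases `middle` and `home`, the VNC port 5900 and the local port 5901 are assumptions, and it needs OpenSSH 7.3 or later on the client for ProxyJump.

```sshconfig
# ~/.ssh/config on the client (the machine you connect from).
# Assumes the reverse tunnel from the thread is already running, started on
# the home computer with:
#   ssh -N -R 10002:localhost:22 user@middle.host
# With sshd's default "GatewayPorts no" on middle.host, port 10002 listens
# only on that host's loopback interface and is not reachable from the Internet.

Host middle
    HostName middle.host
    User user

Host home
    # The tunnel's listening end is on middle.host's loopback interface;
    # with ProxyJump this name is resolved by the jump host, not the client.
    HostName localhost
    Port 10002
    User Hiisi
    ProxyJump middle
    # "localhost:10002" says nothing about which machine answers, so store
    # the home computer's host key under its own name in known_hosts.
    HostKeyAlias home.computer
    # VNC over the same session: client port 5901 -> home computer port 5900.
    # Assumes the VNC server listens on 127.0.0.1:5900 on the home computer.
    LocalForward 5901 localhost:5900
    # Fail instead of silently continuing if local port 5901 cannot be bound.
    ExitOnForwardFailure yes
```

With this in place, `ssh home` logs in to the home computer in one step, and a VNC viewer pointed at `localhost:5901` on the client reaches the home desktop without exposing the VNC port on either host.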




