Remotely ssh into a machine behind LMCE router

[purps]

Have spent a lot of time researching this, and am struggling to sort fact from fiction, so thought I would ask my friends at LMCE.

I can ssh into my core using my no-ip IP address no problem, and I can ssh into my desktop from there (which sits on the internal LMCE network).

What I would like to do is remotely ssh into the desktop directly. I undertand this involves me forwarding ports on the router, but I am struggling to put the theory into context.

Could anybody tell me what I have to do to set this up in web admin, and the ssh command I would have to issue? I think I just need a real example to get my head round this.

Cheers,
Matt.

[purps]

I should have said, the command I thought most likely to be appropriate was...

Code:

ssh -p1234 <MyExternalIP>

...but I wasn't sure where/what port 1234 was, or the correct way to set this/a port up in web admin. This port must relate to my desktop right?

Cheers,
Matt.

[gadget]

I don't believe that the LMCE firewall is capable of doing port forwarding, but essentially you would port forward 1234 to port 22 on the internal machine.  I use shorewall but have not configured it to do port forwarding but think it is possible. The config files are pretty straight forward or you can use webmin to configure it.

[DragonK]

In Theory this should work, but havent tested it yet..

ssh your no-ip on port 10015  then the core will forward port 10015 to port 22 on your desktops IP. In the example the Desktop Ip would be 10.0.0.15.

Webadmin -- Advanced -- Network -- Firewall Rules.

[davegravy]

I don't believe that the LMCE firewall is capable of doing port forwarding, but essentially you would port forward 1234 to port 22 on the internal machine.

Why not? I use port forwarding for RDP to an internal machine all the time.

[purps]

In Theory this should work, but havent tested it yet..

ssh your no-ip on port 10015  then the core will forward port 10015 to port 22 on your desktops IP. In the example the Desktop Ip would be 10.0.0.15.

Webadmin -- Advanced -- Network -- Firewall Rules.

Thanks for this.

Unfortunately my remote machine says "Connection refused". I have ssh-ed into the core, and then ssh-ed into the desktop in question without any problems. Firewall is set up with a port forward as per your example. Have also tried a few different ports.

Any clues?

Cheers,
Matt.

[DragonK]

How does your core access the internet? Via a router?

[purps]

Nope, it's connected directly to the Internet.

But I can ssh into the core, and then ssh into the desktop, so surely the problem isn't there in any event?

Is there perhaps some sort of special ssh permissions on the desktop I need to set, for when it is being ssh-ed into directly?

No idea.

Cheers,
Matt.

[DragonK]

Let me test the theory on my setup, and then I'll get back to you.

[purps]

Thank you, most kind.

I should mention that I was trying to do this from the point of view of sharing a specific window with a friend, who is in a remote location. But I have no confidence that this is even possible (was hoping to do something clever with an X forward). So remote VNC it is.

One tutorial I've looked at mentions running "ssh -L 5900:localhost:5900 <hostname>" on the remote machine before running the VNC viewer - is that command necessary in addition to what we are trying to do, to create a tunnel? I think that port relates to VNC. Or does it relate to tightVNC specifically? Again, I dunno. I will try it out with this port though when I get home.

Cheers,
Matt.

[WhateverFits]

OK, what your "ssh -L..." command does is log into your server using SSH and attempts to open a tunnel for VNC (port 5900) from your localhost to your server's VNC. If you want to forward that over to another system use something like:

ssh -L 5900:OtherSystemRunningVNC:5900 YourLinuxMCEServerHere

That should do it. I'm a little rusty on my ssh command line stuff so this is an educated guess. 

[Sigg3.net]

Not sure what you mean by "sharing a specific window", but you can forward graphical programs using the -X flag.

Code:

# ssh -X user@192.168.80.1
# xeyes

or if it's a KDE-app:

Code:

# dbus-launch NAME_OF_APP

When you're in the comfy chair, you don't want to leave the comfy chair. So I can open firefox to configure stuff

Code:

# ssh -X user@192.168.80.1
# dbus-launch firefox URL_OF_WEBADMIN

aso..

[purps]

OK, the ssh -L thing did work, but it only logs into the LMCE server - I am looking for a way to remotely ssh directly into another machine on my network.

I also tried ssh -p5900 <LMCEserver> again, but to no avail - connection refused. Admin firewall setting is...

tcp   ipv4   5900 to 5900   22   192.168.80.XXX   port_forward

@Sigg3.net - thanks for the suggestion, but an X forward won't cut it unfortunately. I didn't explain myself very well. I want to be able to share a desktop with somebody remotely (hence I'm now frigging with port 5900, as I intend to use VNC).

Any other suggestions?

Cheers,
Matt.

[purps]

I did it (we were nearly right).

Code:

ssh -L 5900:<LMCEserver>:5900 <user>@<othermachine>

Still not quite sure I have understood what I have done... could somebody please educate me? Why is 5900 in there twice? How does this relate to my firewall rule?

Cheers,
Matt.

[WhateverFits]

The first 5900 is for the source and the second is the destination port. Your ssh opens one here and attaches it there. You can map any port to any other port that way. The firewall has no bearing on it since ssh tunnels it over port 23.

I hope that helps.