#1 2024-02-01 15:08:23

joanmanel
Member
Registered: 2012-11-06
Posts: 234

How can I allow my computer to receive ssh connections?

Hi there,

I know this question might not be 100% related to Archlinux, but since that's the OS I use, I will try my luck here.

I have a computer A connected to the internet, and I want to ssh into this computer A from another computer B, in some other physical place and some other unrelated network. I've done this in the past, but I am struggling to do it now.

The computer A is connected to the internet through a router, which is connected to the internet through a sim card. The router is "dlink dwr 953". The router is connected fine to the internet, and computer A is connected fine to this router, and accessing the internet (I am writing this message from this computer). I haven't modified any of the router configuration (I looked through it but I didn't know what to change).

Computer B is also connected to the network, through a more normal network. From this computer I can ssh into some other remote computers, but not computer A.

Computer A has sshd enabled and started. I haven't modified any of the sshd configuration. From computer A I can ssh into juanma@localhost.

From computer A:

[root@smartpc juanma]# ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute 
       valid_lft forever preferred_lft forever
2: enp6s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 04:7c:16:8a:1d:80 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.50/24 brd 192.168.0.255 scope global dynamic noprefixroute enp6s0
       valid_lft 85418sec preferred_lft 85418sec
    inet6 fe80::ecc3:f5a5:d886:b727/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: wlp13s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether bc:f4:d4:40:82:df brd ff:ff:ff:ff:ff:ff
    inet 10.13.127.85/21 brd 10.13.127.255 scope global dynamic noprefixroute wlp13s0
       valid_lft 13425sec preferred_lft 13425sec
    inet6 fe80::9053:a4c:298:ddf0/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

From computer A I can ssh into 192.168.0.50 and also into 10.13.127.85. From computer B I cannot ssh into 10.13.127.85 (I don't know if this is a local IP to be honest. I'm sure the 192 is local).

I went to https://www.whatismyip.com/ and I got my public IP.

From computer A I cannot ssh into the IP displayed there. Also from computer B I cannot ssh into that public IP.

Some other information about ssh

[root@smartpc juanma]# systemctl status sshd.service
● sshd.service - OpenSSH Daemon
     Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; preset: disabled)
     Active: active (running) since Thu 2024-02-01 14:47:06 GMT; 19min ago
   Main PID: 768 (sshd)
      Tasks: 1 (limit: 153530)
     Memory: 3.0M (peak: 22.2M)
        CPU: 78ms
     CGroup: /system.slice/sshd.service
             └─768 "sshd: /usr/bin/sshd -D [listener] 0 of 10-100 startups"

Feb 01 14:47:06 smartpc systemd[1]: Started OpenSSH Daemon.
Feb 01 14:47:06 smartpc sshd[768]: Server listening on 0.0.0.0 port 22.
Feb 01 14:47:06 smartpc sshd[768]: Server listening on :: port 22.
Feb 01 14:48:00 smartpc sshd[1734]: Accepted password for juanma from ::1 port 48426 ssh2
Feb 01 14:48:00 smartpc sshd[1734]: pam_unix(sshd:session): session opened for user juanma(uid=1000) by juanma(uid=0)
Feb 01 14:48:53 smartpc sshd[1781]: Accepted password for juanma from 10.13.127.85 port 38072 ssh2
Feb 01 14:48:53 smartpc sshd[1781]: pam_unix(sshd:session): session opened for user juanma(uid=1000) by juanma(uid=0)
Feb 01 14:55:09 smartpc sshd[4196]: Connection closed by 192.168.0.50 port 36948 [preauth]

I also tried to change the port from 22 to something else like 99081. This worked locally, but not from the other computer B.

At this stage I don't really know what to do.

Offline

#2 2024-02-01 15:18:49

seth
Member
Registered: 2012-09-03
Posts: 51,379

Re: How can I allow my computer to receive ssh connections?

I don't know if this is a local IP to be honest.

whois 10.13.127.85

will tell you whether it was a mistake to post the IP.

Your WAN IP is the router and you need to forward inbound traffic there, https://en.wikipedia.org/wiki/Network_a … ranslation
This might still not be possible if you don't have a real™ WAN IPv4 but your ISP uses IPv4-over-IPv6

Online

#3 2024-02-01 15:35:44

joanmanel
Member
Registered: 2012-11-06
Posts: 234

Re: How can I allow my computer to receive ssh connections?

seth wrote:

I don't know if this is a local IP to be honest.

whois 10.13.127.85

will tell you whether it was a mistake to post the IP.

Your WAN IP is the router and you need to forward inbound traffic there, https://en.wikipedia.org/wiki/Network_a … ranslation
This might still not be possible if you don't have a real™ WAN IPv4 but your ISP uses IPv4-over-IPv6

whois 10.13.127.85

I don't know how to interpret the output of this. But this IP is different to the one from "whats my ip".

When I open the router website (http://192.168.0.1/), there on the homepage it says some other IP, this time it is like 10.184.xx.xxx. Trying to ssh to it does nothing, both from computer A and B.

Following a bit from your wikipedia link, I checked the NAT section of the router (under the advanced section). It has something called port trigger, and I added a rule, basically from 22 to 22.

It also has something called virtual server, and I added a rule, from public IP *, public port 22, to private ip 192.168.0.50 and private port 22.

But again, this doesn't seem to do anything.

Offline

#4 2024-02-01 15:53:59

seth
Member
Registered: 2012-09-03
Posts: 51,379

Re: How can I allow my computer to receive ssh connections?

whois wrote:

NetName:        PRIVATE-ADDRESS-ABLK-RFC1918-IANA-RESERVED
Comment:        These addresses can be used by anyone without any need to coordinate with IANA or an Internet registry.

Safe to say it's a LAN IP…

this time it is like 10.184.xx.xxx

That's not a WAN IP either.

It has something

Please don't paraphrase, https://bbs.archlinux.org/viewtopic.php?id=57855

In doubt link a screenshot, but again: static IPv4 WAN IPs are rare these days and you typically need an enterprise plan w/ your ISP to get one.
Do you have full IPv6 support? (The IPs in your output are only https://en.wikipedia.org/wiki/Link-local_address )

Online

#5 2024-02-01 16:23:49

joanmanel
Member
Registered: 2012-11-06
Posts: 234

Re: How can I allow my computer to receive ssh connections?

You can get the manual from the router here: https://media.dlink.eu/support/products … 181003.pdf

All the options I have now are as they come by default.

Screenshots from my system: https://imgur.com/a/Ndcnm60

I don't know if there's anything else you would like to see that I missed

Offline

#6 2024-02-01 16:35:34

seth
Member
Registered: 2012-09-03
Posts: 51,379

Re: How can I allow my computer to receive ssh connections?

The router is behind an LTE modem, the private 10.84.64.0/24 segment belongs to that modem (your router has the IP 10.84.64.208, the modem is apparently 10.84.64.209?)
Your WAN IP will be listed in the modem only.

You're looking for the virtual server config, idk whether the router would like to see its own "WAN" IP (10.84.64.208) or the outward WAN IP there, but your modem will probably require some NAT config as well

Online

#7 2024-02-01 17:50:00

just4arch
Member
Registered: 2023-01-07
Posts: 84

Re: How can I allow my computer to receive ssh connections?

Potentially CGNAT, so IPv6 would be the only chance and even then the mobile ISP is likely blocking a lot.
The screenshots show that IPv6 isn't working on the LTE side - maybe you need to enable it in the IPv6 tab.

Check with your provider if IPv6 is even available for mobile customers.
They started IPv6 rollout for broadband just recently?

Offline

#8 2024-02-01 18:06:35

joanmanel
Member
Registered: 2012-11-06
Posts: 234

Re: How can I allow my computer to receive ssh connections?

I think in my case router and modem are the same. At least it is the same "box".

Why do I need ip6?

Offline

#9 2024-02-01 20:28:37

seth
Member
Registered: 2012-09-03
Posts: 51,379

Re: How can I allow my computer to receive ssh connections?

If it's https://en.wikipedia.org/wiki/Carrier-grade_NAT by any implementation you cannot reach the WAN IPv4 from the internet, you're essentially connected to a LAN router at your ISP that does what your router at home does.
Many devices behind your home router get the same "curl ifconfig.io/ip", the router tracks what traffic belongs to what LAN client and distributes them while the outside world sees them all as the same IP.
CGNAT cascades that and the outside world only ever sees your ISP's IP, your ISP then distributes the packages to their client in the "ISP LAN" (and one of those clients is your router which distributes them on)

This happens because the world is running out of IPv4 IPs - IPv6 doesn't have that problem and every client (your PC) gets a unique one that the outside world can contact.

Online
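
The address checks discussed in this thread (is an address private, link-local, or carrier NAT space, and is the router's own WAN side public at all), as an added example that is not part of any post. The helper names are hypothetical; the sample addresses are the ones quoted in the thread, and the optional `observed_public` argument stands for the value a "what is my IP" service reports.

```python
import ipaddress

# RFC 6598 shared address space that carriers use for CGNAT.
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")

def classify(addr):
    """Coarse class of an IPv4/IPv6 address for inbound reachability."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:              # fe80::/10 and 169.254.0.0/16
        return "link-local"
    if ip.version == 4 and ip in CGNAT_NET:
        return "cgnat-shared"
    if ip.is_private:                 # RFC 1918, IPv6 ULA and similar
        return "private"
    return "global"

def inbound_paths(host_addrs, router_wan, observed_public=None):
    """Report which inbound paths can work from the internet (hypothetical helper)."""
    wan_class = classify(router_wan)
    # A virtual-server rule on the router is enough only if the router's WAN
    # address is public and is the address the outside world actually sees.
    same_as_seen = (observed_public is None or
                    ipaddress.ip_address(router_wan) == ipaddress.ip_address(observed_public))
    v6_global = [a for a in host_addrs
                 if ipaddress.ip_address(a).version == 6 and classify(a) == "global"]
    return {
        "router_wan_class": wan_class,
        "ipv4_port_forward_sufficient": wan_class == "global" and same_as_seen,
        "ipv6_direct": v6_global,     # still subject to router/ISP firewalling
    }

# Host addresses from the `ip address` output in post #1; router WAN from post #6.
HOST_ADDRS = ["127.0.0.1", "::1", "192.168.0.50", "fe80::ecc3:f5a5:d886:b727",
              "10.13.127.85", "fe80::9053:a4c:298:ddf0"]
ROUTER_WAN = "10.84.64.208"

if __name__ == "__main__":
    for a in HOST_ADDRS:
        print(f"{a:28} {classify(a)}")
    print(inbound_paths(HOST_ADDRS, ROUTER_WAN))
```

With the thread's values the router's WAN side is itself private and the host has no global IPv6 address, which matches the replies: a port-forward rule on the router alone cannot make sshd reachable from computer B.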
