Port Forwarding on a router to a dynamic IP running Linux

0

I've set my Dad up with a Linux Mint PC (he's a novice and it's the safest thing).

I would like to be able to SSH into this PC at any time (that it's on) to allow updates, configs, etc.

This PC is set up with a dynamic IP, which I would like to keep.

It's behind an ADSL router with UPnP turned on.

My idea was to install No-IP to allow me to get the IP address, then use UPnP to allow the PC to open an incoming SSH port on the router.

Unfortunately, I cannot find a way to do the last bit. I have the No-IP bit working, but how do I get the Linux PC to tell the router to forward port 22 to its dynamic IP?

Thanks,

Marty

wkdmarty

Posted 2014-03-13T13:26:44.110

Reputation: 555

This is offtopic here, since it's not professional server administration. Either way, just set up a static forwarding rule on your router, and you're done. – mulaz – 2014-03-13T13:29:16.340

Don't get me started about "offtopic"!!! I asked this question elsewhere in stack overflow and the "gods" so they wish to be known, HELD my question and TOLD ME TO POST HERE!! I could do a static forward, but I don't want to, the PC has DHCP'd IP, so I can't static forward! – None – 2014-03-13T13:31:20.943

It's off-topic, and other sites were wrong to send you here. Also, you can give the PC a static address even with DHCP, and then do a static forwarding. – Sven – 2014-03-13T13:33:15.413

You can set up static DHCP also. Or a static IP on the computer. http://serverfault.com/help/on-topic - check the bolded line. – mulaz – 2014-03-13T13:33:18.777

Yes, I could set up static IP through DHCP if I had access to the router, which at this point I don't, hence why I want it done UPnP on dynamic. – None – 2014-03-13T13:35:52.553

And being told this is the wrong place to post adds insult to injury. It's like trying to get your ADSL fixed if you're on eclipse with a BT line. Both sides just pass the buck. – None – 2014-03-13T13:36:51.497

Honestly we're trying to help you. We deal with professional equipment here. Superuser deals much more frequently with home equipment, and they'll be able to give you a better answer. As with all SE sites, do yourself a favor and read the help page before posting to ensure that your question is on topic. – EEAA – 2014-03-13T13:39:27.410

My apologies, I'm so frustrated. Think I'll give up. I'll leave SE to you guys. – None – 2014-03-13T13:41:54.050

Answers

2

Have your router assign a static IP to your dad: that being said, have it check for your dad's MAC address and when found assign him the same single IP from the DHCP pool every time he connects. Then you can do your static SSH forward. I've used this for years, no problems unless they change the MAC address - not likely to happen in your case.

Horatiu

Posted 2014-03-13T13:26:44.110

Reputation: 104

I would prefer to do it without a static IP. – wkdmarty – 2014-03-13T15:14:39.120

Why, @wkdmarty? Clearly, this is the very best solution. – Daniel B – 2014-03-13T15:36:09.393

Because I won't have access to the router, but I will have access to the PC. – wkdmarty – 2014-03-13T15:44:57.123

What I suggested has zero impact on you being able to access the router. That being said, if you can access it now, you will be able to access it just fine after you do this. Be it an embedded device or a Linux box, pfSense or anything else, it makes no difference.

What I think you mean is that port 22 on the router will be forwarded to your dad's PC. Well, who said you need to forward port 22? You can forward port 2022 or anything really. That way you can keep 22 on the router pointing to the router's OpenSSH process and port <pick_one> pointing to your dad's SSH port. – Horatiu – 2014-03-13T15:53:20.727

iptables -t nat -I PREROUTING -d <router_ip> -p tcp --dport 2022 -j DNAT --to-destination <DAD_IP>:22 That's an iptables example. Forwarding router:2022 to dad:22 using DNAT. Adapt to your needs as required. – Horatiu – 2014-03-13T15:55:44.307

wkdmarty, this answer is the correct answer. I'm not sure what you mean about won't have access to the router but will the PC. Once configured you don't need access to the router. Otherwise there's no way to remotely find where his PC has moved itself to. The PC still uses DHCP but it just is always given the same IP. – Tony Maro – 2014-03-13T16:27:59.680

0

That will be specific to the software running on the router - and you didn't tell us what that is. If it has an HTTP[S] front end then you could use (for example) Perl + HTTP::Recorder to generate a manual interaction then amend the script to inject the IP address and replay it with WWW::Mechanize.

But... thinking about this... why not just leave the forwarding in place and use a conventional method for restricting SSH access such as port knocking or fail2ban.

Looking at the comments, it seems to be the last hop which is the issue - from router to the address assigned by the router to the desktop - as stated by others... it's trivial to lock down a MAC address to a specific IP in every SOHO router I've ever come across - you only need to do this once.

symcbean

Posted 2014-03-13T13:26:44.110

Reputation: 273

@wkdmarty They're all different, so you will have to be specific to what model of router it is. – Michael Hampton – 2014-03-13T13:50:35.223

Good question, off the top of my head, it's either Linksys or Belkin I think. – wkdmarty – 2014-03-13T14:40:37.790