Blocking SSH, VNC, and other services over WAN but not LAN

Page 1 of 2 [ 23 posts ]

mr_bigmouth_502
Veteran

Joined: 12 Dec 2013
Age: 31
Gender: Non-binary
Posts: 7,028
Location: Alberta, Canada

03 Jul 2016, 5:35 am

I have an Actiontec T2200H router from my ISP, and I'd like to be able to block certain types of connections over WAN, while still allowing them on local IP addresses. Specifically, I want to be able to SSH or VNC into my desktop from another computer on my network, but I don't want the SSH or VNC server to be available over the Internet. How would I accomplish this? Do I need to set up my own router?


_________________
Every day is exactly the same...


Edenthiel
Veteran

Joined: 12 Sep 2014
Age: 57
Gender: Female
Posts: 2,820
Location: S.F Bay Area

03 Jul 2016, 4:42 pm

Most home routers like the T2200H only have a firewall / packet filtering / port blocking between the WAN and the LAN. On the LAN (i.e., 192.168.1.xxx) side, your only restriction is likely to be the Windows firewall (or other software firewall), if applicable.


_________________
“For small creatures such as we the vastness is bearable only through love.”
―Carl Sagan


mr_bigmouth_502
Veteran

Joined: 12 Dec 2013
Age: 31
Gender: Non-binary
Posts: 7,028
Location: Alberta, Canada

03 Jul 2016, 11:24 pm

Edenthiel wrote:
Most home routers like the T2200H only have a firewall / packet filtering / port blocking between the WAN and the LAN. On the LAN (i.e., 192.168.1.xxx) side, your only restriction is likely to be the Windows firewall (or other software firewall), if applicable.

I should have clarified, I'm running Manjaro Linux on my desktop and my laptop. I was just thinking though, what if I decide to create my own router, or at least buy one that supports DD-WRT? What would be the most optimal way to set this up for speed and security?

Thinking about this now, a router-based solution would be best, since I do run Windows 7 on my desktop sometimes. I used to use RDP to log into my desktop remotely, but unfortunately I don't know how I'd set that up in such a way that it only works on my local subnet. Also, I want to switch to using VNC since it is platform agnostic.


_________________
Every day is exactly the same...


Edenthiel
Veteran

Joined: 12 Sep 2014
Age: 57
Gender: Female
Posts: 2,820
Location: S.F Bay Area

04 Jul 2016, 6:22 pm

So, if I may clarify - all of this traffic will be on your local side of the firewall, correct? As in, from one 192.168.1.x address to another? If so, your current router from your ISP will not restrict it.

If you mean connecting to a local 192.168.1.x address from somewhere via the Internet, your router's firewall will need to have ports &/or protocols opened to allow that specific type of traffic in order to connect to the local machine.


_________________
“For small creatures such as we the vastness is bearable only through love.”
―Carl Sagan


mr_bigmouth_502
Veteran

Joined: 12 Dec 2013
Age: 31
Gender: Non-binary
Posts: 7,028
Location: Alberta, Canada

04 Jul 2016, 8:33 pm

Edenthiel wrote:
So, if I may clarify - all of this traffic will be on your local side of the firewall, correct? As in, from one 192.168.1.x address to another? If so, your current router from your ISP will not restrict it.

If you mean connecting to a local 192.168.1.x address from somewhere via the Internet, your router's firewall will need to have ports &/or protocols opened to allow that specific type of traffic in order to connect to the local machine.

I only want these ports to be accessible from my side of the network, and I don't want these ports to be accessible from remote addresses. Since you mentioned that I would have to forward the ports in question to allow remote access, does this mean that my current setup is fine as-is? When I run a GRC ShieldsUp port scan using the "all service ports" option, it passes with flying colors, with all ports stealthed.


_________________
Every day is exactly the same...


Edenthiel
Veteran

Joined: 12 Sep 2014
Age: 57
Gender: Female
Posts: 2,820
Location: S.F Bay Area

05 Jul 2016, 4:21 pm

"Inside" and "Outside" refer to the two networks on either side of the router's firewall. Your computers are on the inside, the Internet is on the outside.

According to the manual I found online for your router, your assumption is correct. The default settings/functionality are:
- Traffic between systems on the inside is not restricted
- Traffic originating from the outside is blocked on all ports


_________________
“For small creatures such as we the vastness is bearable only through love.”
―Carl Sagan


mr_bigmouth_502
Veteran

Joined: 12 Dec 2013
Age: 31
Gender: Non-binary
Posts: 7,028
Location: Alberta, Canada

06 Jul 2016, 12:10 am

Edenthiel wrote:
"Inside" and "Outside" refer to the two networks on either side of the router's firewall. Your computers are on the inside, the Internet is on the outside.

According to the manual I found online for your router, your assumption is correct. The default settings/functionality are:
- Traffic between systems on the inside is not restricted
- Traffic originating from the outside is blocked on all ports

So I should be safe to set up SSH and VNC servers?


_________________
Every day is exactly the same...


dcj123
Veteran

Joined: 2 Sep 2009
Gender: Male
Posts: 10,796

06 Jul 2016, 10:21 am

mr_bigmouth_502 wrote:
Edenthiel wrote:
"Inside" and "Outside" refer to the two networks on either side of the router's firewall. Your computers are on the inside, the Internet is on the outside.

According to the manual I found online for your router, your assumption is correct. The default settings/functionality are:
- Traffic between systems on the inside is not restricted
- Traffic originating from the outside is blocked on all ports

So I should be safe to set up SSH and VNC servers?


Yes you are. Routers call open ports "port forwarding"; look in your router's settings, and if nothing is listed as a forwarded port, you are good. But you can also create individual rules between systems with iptables, which is available for Linux.

I open some ports via port forwarding, but only when I need them, and I haven't lately. Unless you want a server accessible over the Internet, you never need to open any ports via port forwarding. Never set up a server unless you know what you're doing. I have had my data accessible over the Internet, but never without a login and a whitelist. If you don't know ahead of time what IP address you'll be using to access your network over the WAN, then don't open yourself up to attacks. Also, you can sometimes run servers with active real-time disk encryption.
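
As an added example of the "individual rules with iptables" idea above (this is not dcj123's configuration, and the subnet 192.168.1.0/24 and interface eth0 are assumed placeholders for the thread's LAN), here is a host-side rule set that accepts SSH (22) and VNC (5900) only from the LAN interface and subnet and drops those ports from every other source. It is defence in depth on top of the router's default WAN block, so the services stay LAN-only even if a port forward is added by mistake later. By default the script only prints the commands so they can be reviewed; run it as root with `IPT=iptables` to apply them.

```shell
#!/bin/sh
# Added example: LAN-only SSH/VNC on a Linux host using iptables.
# Assumed values (placeholders, adjust to your network):
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # the LAN subnet allowed to reach SSH/VNC
LAN_IF="${LAN_IF:-eth0}"               # the interface that subnet lives on
# Default prints the commands for review; IPT=iptables (as root) applies them.
IPT="${IPT:-echo iptables}"

lan_only_rules() {
  # Keep replies to connections this host initiated, and loopback traffic.
  $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -A INPUT -i lo -j ACCEPT
  for port in 22 5900; do
    # A source address alone can be spoofed from outside, so pin the
    # interface as well: LAN subnet AND LAN interface, new connections only.
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$port" \
         -m conntrack --ctstate NEW -j ACCEPT
    # Order matters: this catch-all DROP must be appended after the ACCEPT.
    $IPT -A INPUT -p tcp --dport "$port" -j DROP
  done
}

lan_only_rules
```

Rules added with `-A` are evaluated in order, so the ACCEPT for each port must precede its DROP; if you already have rules in INPUT, check `iptables -L INPUT -n --line-numbers` before appending, and use `iptables-save` (or your distribution's persistence service) so the rules survive a reboot.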



mr_bigmouth_502
Veteran

Joined: 12 Dec 2013
Age: 31
Gender: Non-binary
Posts: 7,028
Location: Alberta, Canada

06 Jul 2016, 1:01 pm

Thanks for all the advice! :D This should make setting things up on my home network a lot easier.


_________________
Every day is exactly the same...


mr_bigmouth_502
Veteran

Joined: 12 Dec 2013
Age: 31
Gender: Non-binary
Posts: 7,028
Location: Alberta, Canada

07 Jul 2016, 7:27 am

I found out my router's actually a lesser model, a T1200H instead of a T2200H. They appear to be part of the same family though. Should this affect the quality of its firewall?


_________________
Every day is exactly the same...


dcj123
Veteran

Joined: 2 Sep 2009
Gender: Male
Posts: 10,796

07 Jul 2016, 9:29 pm

mr_bigmouth_502 wrote:
I found out my router's actually a lesser model, a T1200H instead of a T2200H. They appear to be part of the same family though. Should this affect the quality of its firewall?


I don't know personally,

however...

It shouldn't, since routers have kinda had a standard over the last few years, so unless it's very old, I would imagine it's safe. I use the Netgear WNDR4300 and it's good security-wise; it has some flaws such as WPS, which can be exploited to steal wifi, but as far as the firewall goes it's decent, so if you feel like getting a new router, that's an option.



Edenthiel
Veteran

Joined: 12 Sep 2014
Age: 57
Gender: Female
Posts: 2,820
Location: S.F Bay Area

08 Jul 2016, 5:16 pm

Nice router, it's about as powerful as a basic Android tablet. The second digit (from the left) in the name T2200H refers to how many DSL lines it connects to. The T1200H is used for a single DSL line, while the T2200H is used to bond two DSL lines for doubled bandwidth. Other than that capability they appear to be hardware and firmware identical.


_________________
“For small creatures such as we the vastness is bearable only through love.”
―Carl Sagan


mr_bigmouth_502
Veteran

Joined: 12 Dec 2013
Age: 31
Gender: Non-binary
Posts: 7,028
Location: Alberta, Canada

09 Jul 2016, 9:16 am

It's not bad, it's certainly an improvement over previous Telus routers, and it has a surprising number of options under the hood. Of course, I still have to reset it once in a while.


_________________
Every day is exactly the same...


eric76
Veteran

Joined: 31 Aug 2012
Gender: Male
Posts: 10,660
Location: In the heart of the dust bowl

09 Jul 2016, 9:22 am

If you can edit the sshd_config file, you should be able to restrict the interfaces on which you can connect. Since you are talking about a router, I don't know if you can do that.

I have a number of servers running OpenBSD. One of the first things I do when setting them up is to configure the sshd_config file to restrict the types of connections one can make to ssh from various sources. For local addresses, the only restriction is in which accounts can be logged into. For connections from outside my network, the list of accounts that can be logged into is greatly reduced, and all connections must be done with the use of an RSA key instead of just a username and password.
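
The split eric76 describes maps onto sshd's `Match Address` blocks. As an added example (not eric76's actual files; the subnet 192.168.1.0/24 and the account names admin, alice and bob are placeholders), the script below writes such a policy: the global section, which applies to any source not matched later, i.e. the WAN, allows keys only and a single account, while the LAN block re-enables passwords and the full account list. It also includes a check for the classic mistake of putting a global directive after the first `Match` line, where it silently becomes part of that block.

```shell
#!/bin/sh
# Added example: an sshd_config policy that is permissive for the LAN and
# key-only with a short account list for everyone else.
# Assumptions: LAN subnet and account names are placeholders.

write_sshd_policy() {
  # $1 = output file, $2 = LAN subnet in CIDR notation
  out="$1"; lan="$2"
  cat > "$out" <<EOF
# --- Global section: applies to every source NOT matched below (the WAN) ---
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers admin
# Alternative if the host should not accept SSH from the WAN at all:
# bind only the LAN address (uncomment and set your host's LAN IP).
# ListenAddress 192.168.1.10

# --- Match blocks must come last: everything after the first "Match" line
# --- belongs to a Match block, so keep all global settings above this point.
Match Address $lan
    PasswordAuthentication yes
    AllowUsers admin alice bob
EOF
}

# Returns 0 when no top-level directive appears after the first Match line.
check_policy_order() {
  file="$1"
  first_match=$(grep -n '^Match ' "$file" | head -n 1 | cut -d: -f1)
  [ -n "$first_match" ] || return 1
  # After the Match line, only indented lines, comments, blanks or further
  # Match headers are legitimate; anything else is a misplaced global setting.
  bad=$(tail -n +"$((first_match + 1))" "$file" \
        | grep -E -vc '^([[:space:]]|#|$|Match )' || true)
  [ "$bad" -eq 0 ]
}

f=$(mktemp)
write_sshd_policy "$f" 192.168.1.0/24
check_policy_order "$f" && echo "policy order OK: $f"
```

On the real host, install the file as /etc/ssh/sshd_config (or a drop-in under sshd_config.d on newer OpenSSH), run `sshd -t` before restarting the daemon, and confirm the effective settings for an outside address with `sshd -T -C addr=203.0.113.5 | grep -i passwordauthentication` (203.0.113.5 is a documentation address used here as a placeholder).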



eric76
Veteran

Joined: 31 Aug 2012
Gender: Male
Posts: 10,660
Location: In the heart of the dust bowl

09 Jul 2016, 9:23 am

That's very strange. In the previous post I originally had the entire path to the sshd_config file, and the braindead bogus security from Cloudflare interpreted that as an attack on the server and blocked it. By removing the path and leaving only the file name, it permitted the post.

What kind of s**theads run Cloudflare? I would certainly never recommend it to anyone.



mr_bigmouth_502
Veteran

Joined: 12 Dec 2013
Age: 31
Gender: Non-binary
Posts: 7,028
Location: Alberta, Canada

09 Jul 2016, 3:18 pm

eric76 wrote:
That's very strange. In the previous post I originally had the entire path to the sshd_config file, and the braindead bogus security from Cloudflare interpreted that as an attack on the server and blocked it. By removing the path and leaving only the file name, it permitted the post.

What kind of s**theads run Cloudflare? I would certainly never recommend it to anyone.

Maybe try using code tags. Like so:

Code:
This is code.


_________________
Every day is exactly the same...