Thursday, August 13, 2015

Open inbound port on Windows 7, howto

Let's say you wish to open up a port (i.e., a local, inbound port) for the use of (i.e., to be served by) some program running on your Windows 7 (Home Premium SP1) computer. If installing the program didn't automatically result in opening up that port, here's how to do so.

For security reasons, you should limit the use of an inbound local port to just the single receiving program. Also, in many cases you should configure that program not to use its standard port number (if possible). Instead, pick a random number between 1024 and 49151 (inclusive) to be your inbound local port number.


First identify what Windows 7 calls your router's 'Network Location'. (Later we'll need this.) Here's how to do it:
  1. In Control Panel, click 'Network and Sharing Center'.
  2. Under the words 'View your active networks', identify (of your active routers) which is the appropriate one. (Most people only have one active router.)
  3. Find and click the text you see immediately under that active router.
  4. Then observe which Network Location is selected (i.e., surrounded by a dotted box).
  5. You should decide (if you haven't already) whether this router is best considered as providing:
    • A Home Network (a private network);
    • A Work Network (in a corporate domain); or
    • A Public Network.
    As it happens, my wireless router is provided by my landlord, so I categorize it as an unsafe Public Network. And that's its Network Location.

Then set up Windows Firewall to allow your desired inbound connection to the receiving program. (You'll need to be an Administrator for this.) Here's how:
  1. In Control Panel, click 'Windows Firewall'.
  2. Click 'Advanced Settings'—this takes you to 'Windows Firewall with Advanced Security'.
  3. Click 'Inbound Rules'.
  4. Click 'New Rule'.
  5. Select 'Port' and click 'Next'.
  6. Ensure 'TCP' is selected.
  7. Ensure 'Specific local ports' is selected.
  8. Enter your local inbound port number and click 'Next'.
  9. Ensure 'Allow the Connection' is selected, and click 'Next'.
  10. For 'When does this rule apply?', ensure that the box by your router's Network Location (see above) is checked (but no other Network Locations are), and click 'Next'.
  11. Under the word 'Name', enter the name of the receiving program, then a word (or an abbreviation) indicating (to you) the port's purpose (or functionality), the words 'In' and 'Port', and the port number (all five concatenated together). Click 'Finish'. (Later, this naming scheme will ease finding this rule, if necessary.)
  12. Click 'Refresh'.
  13. Right-click your new rule and select 'Properties'.
  14. Click the 'Advanced' tab.
  15. If you need this local inbound port to be accessible merely from other computers within your LAN, then:
    • Under 'Edge traversal', ensure 'Block edge traversal' is selected. This prevents computers outside your LAN from initiating contact with this inbound port on your computer (at least, through this Windows Firewall 'Action: Allow' rule).
    Otherwise, to allow inbound access to this local port from computers outside your LAN:
    • Under 'Edge traversal', unselect 'Block edge traversal'.
  16. Click the 'Programs and Services' tab.
  17. Select 'This program'.
  18. Enter the path to your receiving program and click 'OK'.
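
The same rule can be created from an elevated PowerShell prompt with netsh, which ships with Windows 7. This is an added example, not part of the original post; the program path, purpose word and Network Location value are placeholders to replace with your own.

```powershell
# Added example: scripted form of the GUI steps above (run as Administrator).
# All values in this first group are placeholders, not taken from the post.
$Program  = 'C:\Path\To\receiver.exe'   # hypothetical path to the receiving program
$Purpose  = 'Web'                       # your own word for the port's purpose
$Location = 'public'                    # Network Location: public, private or domain
$LanOnly  = $true                       # $true corresponds to 'Block edge traversal'

# Pick a random port in 1024..49151 that nothing on this machine is listening on.
$listening = netstat -ano -p TCP | Select-String 'LISTENING'
do {
    $Port  = Get-Random -Minimum 1024 -Maximum 49152   # -Maximum is exclusive
    $inUse = $listening | Where-Object { $_.Line -match ":$Port\s" }
} while ($inUse)

# Name = program + purpose + 'In' + 'Port' + number (the naming scheme from step 11).
$RuleName = [IO.Path]::GetFileNameWithoutExtension($Program) + $Purpose + 'InPort' + $Port
$edge = if ($LanOnly) { 'no' } else { 'yes' }

# One inbound TCP allow rule, limited to one port, one profile and one program.
netsh advfirewall firewall add rule `
    name=$RuleName dir=in action=allow protocol=TCP localport=$Port `
    profile=$Location program=$Program edge=$edge
if ($LASTEXITCODE -ne 0) { throw 'netsh failed; is this prompt elevated?' }

# Print the rule as stored, to confirm profile, program and edge traversal.
netsh advfirewall firewall show rule name=$RuleName verbose
```
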
Copyright (c) 2015 Mark D. Blackwell.

Wednesday, August 12, 2015

SSH to guest Debian stretch on a VirtualBox Windows 7 host from LAN, howto

Suppose you have a virtual machine (or VM), in which you have installed a guest operating system: e.g., Debian stretch. And, it's running under a (physical) Windows 7 (Home Premium SP1) host operating system (by means of Oracle's VirtualBox software developed by wholly-owned Innotek GmbH).

You might wish to access that Debian guest from another box on your host's LAN. Here's how to do so with SSH. (If you're on Windows, you can do this IMO most enjoyably from Git Bash or Cygwin, although SSHing more directly from Windows is also possible.)

These instructions should work just as well with Debian's jessie or wheezy releases (in all likelihood). One caveat: Debian normally disallows SSH access as root. Instead, log in as a regular user and do 'sudo' (or 'su') if you wish to be root.


In your guest Debian operating system, install the software to accept your inbound SSH connection:
sudo apt-get install openssh-server

I. For the desired VM, adjust its VirtualBox settings:
  1. Choose network type NAT.
  2. Forward some inbound port on the host to inbound port 22 on the guest.
Here are the details on how to accomplish this:
  1. To provide an additional layer of security, pick a random number between 1024 and 49151 (inclusive) to be the inbound local port ('host port') on your physical VirtualBox host.
  2. In VirtualBox Manager, select your desired VM (it can be running).
  3. In the VirtualBox Manager menu, click Machine–Settings–Network.
  4. Ensure the 'Adapter 1' tab is selected.
  5. Ensure 'Enable Network Adapter' is checked.
  6. You'll see the words 'Attached to'. There, select 'NAT'.
  7. Ensure that the blue, drop-down arrow by the word 'Advanced' has dropped down to show you the advanced settings.
  8. Click the 'Port Forwarding' button.
  9. Click the green icon, bearing a plus sign, whose tooltip is 'Adds new port forwarding rule'.
  10. Find and select the newly-created row.
  11. In the 'Name' column, type 'guestssh'.
  12. Ensure 'Protocol' is 'TCP'.
  13. In the 'Host Port' column, type your inbound local port.
  14. In the 'Guest Port' column, type '22'.
II. Set up Windows Firewall to allow the desired SSH connection, by following the steps in this post to create the new firewall rule. In particular:
  • Name it 'VirtualBoxSSHInPort' followed by the port number.
  • Under 'Edge traversal', ensure 'Block edge traversal' is selected.
  • For the path to the receiving program, use the path to the VirtualBox executable (on your host system).
III. Determine the Internet Protocol (IP) address of your VirtualBox host as viewed by its active router. Here's how:
  1. In your VirtualBox host's system tray, click the icon of the active router.
  2. Make sure the drop-down arrow by the words 'Wireless Network Connection' is selected, so you see a list of routers.
  3. Find the name of your active router in the list.
  4. Right-click that name.
  5. Click on 'Status'.
  6. Click the 'Details' button.
  7. In the 'Property' column, find the words 'IPv4 Address'.
  8. Read across to the 'Value' column.
  9. Note its four, dot-separated numbers. That's the IP address of your VirtualBox host, in the LAN provided by its active router. And for your SSH connection command it will be your target IP address.
In order to allow SSH connections to your VirtualBox guest, the VirtualBox software does Network Address Translation (NAT). So, BTW, your VirtualBox guest will report that you are logged in from some other LAN (with another IP address), not from your active router's LAN. The foreign port number will be different, as well.

IV. Now you can test the availability of your inbound SSH connection.

By default, to log in, SSH detects your local username and tries to use it.

Typical Windows usernames begin with a capital letter, yet typical GNU/Linux usernames begin with a lower-case letter. Therefore SSH's default username likely will fail. So instead (from Windows), the SSH command to access your VirtualBox VM is:
$ ssh {lowercase username}@{target IP address} -p {host port}
Since my name (and Windows username) is Mark, I enter:
$ ssh mark@{target IP address} -p {host port}
Alternatively, instead of logging in, you can run a single command (per these tutorials) and retrieve its output to your local, non-SSH computer—e.g.:
$ ssh mark@{target IP address} -p {host port} cat some-file > here
Or, you can use SCP.
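
Step I can also be done from the host's command line with VBoxManage. This is an added example, not part of the original post; the VM name, host port and VBoxManage path are assumptions to replace with your own.

```powershell
# Added example: the port forwarding rule from step I, set with VBoxManage.
$VBoxManage = 'C:\Program Files\Oracle\VirtualBox\VBoxManage.exe'  # assumed install path
$VM         = 'debian-stretch'   # hypothetical VM name
$HostPort   = 23456              # constructed example value; use your chosen host port

# Rule format: name,protocol,host IP,host port,guest IP,guest port.
# An empty host IP listens on all host interfaces; an empty guest IP
# means the guest's own NAT address. 'natpf1' refers to Adapter 1.
$rule = "guestssh,tcp,,$HostPort,,22"

# modifyvm edits a powered-off VM's settings; controlvm applies to a running VM.
$info = & $VBoxManage showvminfo $VM --machinereadable
if ($info -match '^VMState="running"') {
    & $VBoxManage controlvm $VM natpf1 $rule
} else {
    & $VBoxManage modifyvm $VM --natpf1 $rule
}
if ($LASTEXITCODE -ne 0) { throw 'VBoxManage failed; check the VM name and rule.' }

# List the VM's forwarding rules to confirm host port -> guest port 22.
& $VBoxManage showvminfo $VM --machinereadable | Select-String '^Forwarding'
```
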

Copyright (c) 2015 Mark D. Blackwell.