Linux Security

Protect Your Network With a Bastion Host in Just 3 Steps

Yusuf Limalia 27-12-2017

Do you have machines on your internal network that you need to access from the outside world? Using a bastion host as the gatekeeper to your network may be the solution.


What Is a Bastion Host?

Bastion translates literally into a place that is fortified. In computer terms, it is a machine on your network that can be the gatekeeper for incoming and outgoing connections.

You can set your bastion host as the only machine to accept incoming connections from the internet. Then, in turn, set all other machines on your network, to only receive incoming connections from your bastion host. What benefits does this have?

Over and above everything else, security. The bastion host, as the name implies, can have very tight security. It will be the first line of defense against any intruders and ensure the rest of your machines are protected.

It also makes other parts of your network setup slightly easier. Instead of forwarding ports at the router level, you just need to forward one incoming port to your bastion host. From there, you can branch out to other machines you need access to on your private network. Fear not, this will be covered in the next section.

The Diagram

how to protect home network with bastion host


This is an example of a typical network setup. If you need access to your home network from the outside, you would come in via the internet. Your router will then forward that connection to your bastion host. Once connected to your bastion host, you will be able to access any other machines on your network. Equally, there will be no access to machines other than the bastion host directly from the internet.

Enough procrastination, time to use bastion.

1. Dynamic DNS

The astute among you may have been wondering how would get access to your home router via the internet. Most internet service providers (ISP) assign you a temporary IP address, which changes every so often. ISPs tend to charge extra if you wanted a static IP address. The good news is that modern day routers tend to have dynamic DNS baked into their settings.

Dynamic DNS updates your hostname with your new IP address at set intervals, ensuring that you can always access your home network. There are many providers that offer said service, one of which is No-IP which even has a free tier. Be aware that the free tier will require you to confirm your hostname once every 30 days. It’s just a 10-second process, which they remind to do anyway.


how to protect home network with bastion host

After you’ve signed up, simply create a hostname. Your hostname will have to be unique, and that’s it. If you own a Netgear router, they offer a free dynamic DNS which won’t require a monthly confirmation.

how to protect home network with bastion host

Now login to your router, and look for the dynamic DNS setting. This will differ from router to router, but if you don’t find it lurking under advanced settings, check your manufacturer’s user manual. The four settings you typically need to enter will be:

  1. The provider
  2. Domain name (the hostname you just created)
  3. Login name (the email address used to create your dynamic DNS)
  4. Password

If your router does not have a dynamic DNS setting, No-IP provides software which you can install on your local machine to achieve the same result. This machine will have to be online, in order to keep the dynamic DNS up to date.

2. Port Forwarding or Redirection

The router now needs to know where to forward the incoming connection. It does this based on the port number that is on the incoming connection. A good practice here is to not use the default SSH port, which is 22, for the public facing port.

The reason for not using the default port is because hackers have dedicated port sniffers. These tools constantly check for well-known ports that may be open on your network. Once they find that your router is accepting connections on a default port, they start sending connection requests with common usernames and passwords.

While choosing a random port won’t stop the malignant sniffers altogether, it will drastically reduce the number of requests coming to your router. If your router can only forward the same port, that’s not a problem, as you should be setting your bastion host to use SSH keypair authentication and not usernames and passwords.


A router’s settings should look similar to this:

how to protect home network with bastion host

  1. The service name which can be SSH
  2. Protocol (should be set to TCP)
  3. Public port (should be a high port that isn’t 22, use 52739)
  4. Private IP (the IP of your bastion host)
  5. Private port (the default SSH port, which is 22)

The Bastion

The only thing your bastion will need is SSH. If this was not selected at the time of installation, simply type:

sudo apt install OpenSSH-client
sudo apt install OpenSSH-server

Once SSH is installed, make sure to set your SSH server to authenticate with keys instead of passwords How To Authenticate Over SSH With Keys Instead of Passwords SSH is a great way to gain remote access to your computer. When you open the ports on your router (port 22 to be exact) you can not only access your SSH server from within... Read More . Ensure that your bastion host’s IP is the same as the one set in the port forward rule above.

We can run a quick test to make sure everything is working. To simulate being outside your home network, you can use your smart device as a hotspot How to Use Your Android Phone as a Wireless Router Here's how to turn your Android device into Wi-Fi hotspot and use it as a wireless router for your other devices. Read More while it’s on mobile data. Open a terminal and type, replacing <username> with the username of an account on your bastion host and <dynamicDNSaddress> with the address setup in step A above:

ssh -p 52739 <username>@<dynamicDNSaddress>

If everything was setup correctly, you should now see the terminal window of your bastion host.

3. Tunneling

You can tunnel just about anything through SSH (within reason). For example, if you wanted to get access to an SMB share on your home network from the internet, connect to your bastion host and open a tunnel to the SMB share. Accomplish this sorcery simply by running this command:

ssh -L 15445:<IPAddressOfSMB>:445 -p 52739 <username>@<dynamicDNSAddress>

An actual command would look something like:

ssh - L 15445: -p 52739 

Breaking down this command is easy. This connects to the account on your server through your router’s external SSH port 52739. Any local traffic sent to port 15445 (an arbitrary port) will be sent through the tunnel, then forwarded to the machine with the IP of and the SMB port 445.

If you want to get really clever, we can alias the entire command by typing:

alias sss='ssh - L 15445: -p 52739'

Now all you have to type in terminal in sss, and bob’s your uncle.

how to protect home network with bastion host

Once the connection is made, you can access your SMB share with the address:


how to protect home network with bastion host

This means you will be able to browse that local share from the internet as if you were on the local network. As mentioned, you can pretty much tunnel into anything with SSH. Even Windows machines that have remote desktop enabled can be accessed through an SSH tunnel How to Tunnel Web Traffic with SSH Secure Shell Read More .


This article covered a lot more than just a bastion host, and you’ve done well to make it this far. Having a bastion host will mean that the other devices that have services that are exposed will be protected. It also ensures that you can access these resources from anywhere in the world. Be sure to celebrate with coffee, chocolate or both. The basic steps we’ve covered were:

  • Set up dynamic DNS
  • Forward an external port to an internal port
  • Create a tunnel to access a local resource

Do you need to access local resources from the internet? Do you currently use a VPN to achieve this? Have you used SSH tunnels before?

Image Credit: TopVectors/Depositphotos

Related topics: Linux, Online Security.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. joe lavery
    December 28, 2017 at 8:08 pm


    * Bastion = place that is fortified
    * Bastion Host = a machine on your network

    maybe start with an ingredient list e.g.: a spare computer, etc...

  2. Tom
    December 28, 2017 at 4:15 pm

    Nice concept, but the article would be completely useless without the first 4 comments.

  3. Thinkman
    December 27, 2017 at 9:57 pm

    i like reading MUO-stories, and i liked this one until i drooped out of it all of a sudden ... i would have awaited any suggestions on what software i could implement a "bastion"!

    this was no good ending! pretty bad!

    • Yusuf Limalia
      December 28, 2017 at 9:11 am

      Hi Thinkman!

      Sorry I'm not sure I understand your question. "What software you could implement a bastion?"

      If you meant what software could sit behind a bastion host. It could be anything. I used an SMB share in my example. But it really depends on your use case.

      Here are some applications with their default ports:
      HTTP server - Port 80
      Windows Remote Desktop - Port 3389
      FTP - Port 21
      MySQL Server - Port 3306

      The good think about using a tunnel is that you could tunnel into almost anything. If my answer was not what you were looking for please let me know, and hopefully i'll be able to clear up what I can!

      • GodSponge
        December 28, 2017 at 1:30 pm

        What hardware and software are used to make this bastion? The only mention of hardware or software is when you wrote about SSH. This doesn't address what we are installing SSH on. Should this be a PC or maybe a Raspberry PI? Also, what OS should be used? This seems like a good use of linux, but there are many variants.

        • Yusuf Limalia
          December 28, 2017 at 2:34 pm

          Well I'm going to give you my favourite answer! It depends....As you've so rightly mentioned there are many variants. Do you have any spare machines lying around? What's your budget for a new one? What's your Linux distro of choice? Are you comfortable in the command line or do you need a GUI? As long as your machine of choice can run Linux and you can install OpenSSH that's more that enough.

          For best results just have a device that has a minimal Linux install. Just install OpenSSH server, avoiding other programs will keep your bastion very secure. I'd suggest making sure the bastion has a wired ethernet connection, preferably gigabit. When it comes to Linux distro the leaner the better. You could try out distributions like Alpine which are super super small. Many Linux distributions have Lite versions which will work well for a bastion, it all just depends on your hardware and other requirements.

          Hope that helps :)

        • Mike
          January 12, 2018 at 10:32 pm

          Whatever PC you have sitting around, at least a Pentium I'd say. Routers and firewalls really don't need much CPU power and the network cards don't need to be much, if any, faster than the Internet download speed.

          I disagree with the article in principle, if they are going to do a bastion host they should put a real firewall like the free version of untangle on it. You get great support from their website and if you throw your hands up in terror you can get a fairly reasonable prebuilt for a decent price.