Do you have machines on your internal network that you need to access from the outside world? Using a bastion host as the gatekeeper to your network may be the solution.

What Is a Bastion Host?

Bastion translates literally into a place that is fortified. In computer terms, it is a machine on your network that can be the gatekeeper for incoming and outgoing connections.

You can set your bastion host as the only machine to accept incoming connections from the internet. Then, in turn, set all other machines on your network, to only receive incoming connections from your bastion host. What benefits does this have?

Over and above everything else, security. The bastion host, as the name implies, can have very tight security. It will be the first line of defense against any intruders and ensure the rest of your machines are protected.

It also makes other parts of your network setup slightly easier. Instead of forwarding ports at the router level, you just need to forward one incoming port to your bastion host. From there, you can branch out to other machines you need access to on your private network. Fear not, this will be covered in the next section.

The Diagram

how to protect home network with bastion host

This is an example of a typical network setup. If you need access to your home network from the outside, you would come in via the internet. Your router will then forward that connection to your bastion host. Once connected to your bastion host, you will be able to access any other machines on your network. Equally, there will be no access to machines other than the bastion host directly from the internet.

Enough procrastination, time to use bastion.

1. Dynamic DNS

The astute among you may have been wondering how would get access to your home router via the internet. Most internet service providers (ISP) assign you a temporary IP address, which changes every so often. ISPs tend to charge extra if you wanted a static IP address. The good news is that modern day routers tend to have dynamic DNS baked into their settings.

Dynamic DNS updates your hostname with your new IP address at set intervals, ensuring that you can always access your home network. There are many providers that offer said service, one of which is No-IP which even has a free tier. Be aware that the free tier will require you to confirm your hostname once every 30 days. It's just a 10-second process, which they remind to do anyway.

how to protect home network with bastion host

After you've signed up, simply create a hostname. Your hostname will have to be unique, and that's it. If you own a Netgear router, they offer a free dynamic DNS which won't require a monthly confirmation.

how to protect home network with bastion host

Now login to your router, and look for the dynamic DNS setting. This will differ from router to router, but if you don't find it lurking under advanced settings, check your manufacturer's user manual. The four settings you typically need to enter will be:

  1. The provider
  2. Domain name (the hostname you just created)
  3. Login name (the email address used to create your dynamic DNS)
  4. Password

If your router does not have a dynamic DNS setting, No-IP provides software which you can install on your local machine to achieve the same result. This machine will have to be online, in order to keep the dynamic DNS up to date.

2. Port Forwarding or Redirection

The router now needs to know where to forward the incoming connection. It does this based on the port number that is on the incoming connection. A good practice here is to not use the default SSH port, which is 22, for the public facing port.

The reason for not using the default port is because hackers have dedicated port sniffers. These tools constantly check for well-known ports that may be open on your network. Once they find that your router is accepting connections on a default port, they start sending connection requests with common usernames and passwords.

While choosing a random port won't stop the malignant sniffers altogether, it will drastically reduce the number of requests coming to your router. If your router can only forward the same port, that's not a problem, as you should be setting your bastion host to use SSH keypair authentication and not usernames and passwords.

A router's settings should look similar to this:

how to protect home network with bastion host
  1. The service name which can be SSH
  2. Protocol (should be set to TCP)
  3. Public port (should be a high port that isn't 22, use 52739)
  4. Private IP (the IP of your bastion host)
  5. Private port (the default SSH port, which is 22)

The Bastion

The only thing your bastion will need is SSH. If this was not selected at the time of installation, simply type:

        sudo apt install OpenSSH-client
sudo apt install OpenSSH-server

Once SSH is installed, make sure to set your SSH server to authenticate with keys instead of passwords. Ensure that your bastion host's IP is the same as the one set in the port forward rule above.

We can run a quick test to make sure everything is working. To simulate being outside your home network, you can use your smart device as a hotspot while it's on mobile data. Open a terminal and type, replacing <username> with the username of an account on your bastion host and <dynamicDNSaddress> with the address setup in step A above:

        ssh -p 52739 <username>@<dynamicDNSaddress>
    

If everything was setup correctly, you should now see the terminal window of your bastion host.

3. Tunneling

You can tunnel just about anything through SSH (within reason). For example, if you wanted to get access to an SMB share on your home network from the internet, connect to your bastion host and open a tunnel to the SMB share. Accomplish this sorcery simply by running this command:

        ssh -L 15445:<IPAddressOfSMB>:445 -p 52739 <username>@<dynamicDNSAddress>
    

An actual command would look something like:

        ssh - L 15445:10.1.2.250:445 -p 52739 yusuf@makeuseof.ddns.net 
    

Breaking down this command is easy. This connects to the account on your server through your router's external SSH port 52739. Any local traffic sent to port 15445 (an arbitrary port) will be sent through the tunnel, then forwarded to the machine with the IP of 10.1.2.250 and the SMB port 445.

If you want to get really clever, we can alias the entire command by typing:

        alias sss='ssh - L 15445:10.1.2.250:445 -p 52739 yusuf@makeuseof.ddns.net'
    

Now all you have to type in terminal in sss, and bob's your uncle.

how to protect home network with bastion host

Once the connection is made, you can access your SMB share with the address:

        smb://localhost:15445
how to protect home network with bastion host

This means you will be able to browse that local share from the internet as if you were on the local network. As mentioned, you can pretty much tunnel into anything with SSH. Even Windows machines that have remote desktop enabled can be accessed through an SSH tunnel.

Recap

This article covered a lot more than just a bastion host, and you've done well to make it this far. Having a bastion host will mean that the other devices that have services that are exposed will be protected. It also ensures that you can access these resources from anywhere in the world. Be sure to celebrate with coffee, chocolate or both. The basic steps we've covered were:

  • Set up dynamic DNS
  • Forward an external port to an internal port
  • Create a tunnel to access a local resource

Do you need to access local resources from the internet? Do you currently use a VPN to achieve this? Have you used SSH tunnels before?

Image Credit: TopVectors/Depositphotos