Posted: Mon Oct 20, 2008 10:23 Post subject: WRT54G, v24sp1, SSH port forwarding
I've got a rev2 WRT54G running with DD-WRT v24SP1, and I want to be able to forward the SSH port 22 to a machine inside my LAN. So far I've done the following:
1) Configured dropbear on the router to use port 2222
2) Applied settings
3) Rebooted router
4) Created a NAT rule to forward port 22 to the internal IP address I want to use
However, when I SSH to the IP of the router from an external address, i.e. my work machine, the connection is being made to the router, NOT my LAN machine.
Running ps on the router says I have two instances of dropbear running, both on port 2222, and netstat -an says that I'm currently connected to port 2222 from my work computer, even though I specified port 22 when I made the connection.
It's almost as if there's some internal redirection happening before the NAT rules are processed, meaning that my connection on 22 is being redirected to 2222 on the router. Is this possible? I can't see anything in iptables -L -v that would suggest this is happening.
Anyone else seen similar behaviour, or have any idea of where to start looking? The workaround is to move SSH on my LAN machine to another port, but I'd rather not do that as it's just easier to have that one on the default port and move the router to an alternative as the router will be used far less...
Oops, was the first line of the PREROUTING table...
I've run "iptables -t nat -D PREROUTING 1" to clear that rule and SSH is now working to my LAN machine correctly, will this rule come back on a reboot though? As I've seen it mentioned nowhere in the GUI so I'm not sure where it's come from or whether it's a one-off or will recur on reboot.
I'm at home now so I can tinker a bit more without worrying about killing it...
Under Services\Services\Secure Shell, I have it enabled for port 2222.
However, under Administration\Management, it's still set for 22. When my downloads have finished, I'm going to try and reboot the router to see if the NAT rule comes back, and if it does try changing this second value to 2222 as well then reboot again to see if this fixes the NAT rule.
Maybe in future changing one of these values could change both? The only two reasons I can think of for changing the SSH port on the router are:
a) you want to port forward 22 to a LAN machine like I do, and therefore don't want the router intervening
b) for "security by obscurity" you want the router to use a non-default port, in which case you wouldn't want the default port to just forward connections on because that would defeat the object
So while it isn't strictly a bug, it's not much of a feature either IMO
Yeah, all I'm saying is that if I have made the conscious effort to move the port that dropbear listens on in one place, it's obvious what my intentions are (whether for functionality or security) so it should be changed in the other as well?
1) I change the port in the SSH section to 2222
2) I apply correct firewall rules to port 2222
3) I test these rules to make sure only hosts I allow can connect to 2222
4) Meanwhile, anyone can connect to 22 with no security and just get nicely DNATed to port 2222 (and the NAT would change the originating IP to the router itself, which would be OK?)
Would this not be a method for an attacker to circumvent the firewall I put in place with the intention of protecting the router? Or am I misunderstanding incoming NAT and it doesn't change the original IP like outgoing NAT does?
What is the reason you have changed SSHd to run on port 2222? Are you trying to protect SSHd from internal (LAN) attacks?
If I trust the LAN I would just leave SSHd service on default port 22. Then in remote SSH management use port 2222. This way any attacker scanning on my WAN port 22 will see SSH is not open for business.
The initial reason was because I want to forward 22, and assumed that a service running locally on the router on 22 would take precedence over a NAT rule. Now it turns out that's not necessarily true, so I may go back to running it on 22 but with the remote management port set to 2222.
I also just realised that I'm talking complete rubbish about incoming NAT; of course it doesn't rewrite the source IP address, so most of my assumptions are wrong anyway.
Router SSH set to 22
Router remote management set to 2222
NAT rule for 22 set to forward to internal IP:22
This way, a simple "ssh myip" gives me the LAN machine I'll want 99% of the time, but I can also do "ssh myip -p 2222" to get to the router itself should I need to. I can also just use "ssh internalip" from the LAN and get to the router that way.
All sorted, thanks for your help, and for being a NATn00b...
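An added example, not part of the thread: it automates the check the poster did by hand, parsing `iptables -t nat -L PREROUTING -n --line-numbers` output and reporting which DNAT rule wins for a given port (netfilter takes the first match in the chain), so a redirect to the router's own dropbear port that shadows the port forward is spotted, with its rule number, before anything is deleted. The sample listing and the 192.168.1.x addresses are constructed.

```shell
#!/bin/sh
# Constructed sample of `iptables -t nat -L PREROUTING -n --line-numbers`
# output, modelled on the thread: the router's own redirect of port 22 to
# dropbear on 2222 sits at rule 1, above the user's forward to the LAN box.
SAMPLE_PREROUTING='Chain PREROUTING (policy ACCEPT)
num  target  prot opt source     destination
1    DNAT    tcp  --  0.0.0.0/0  0.0.0.0/0    tcp dpt:22 to:192.168.1.1:2222
2    DNAT    tcp  --  0.0.0.0/0  0.0.0.0/0    tcp dpt:22 to:192.168.1.10:22
3    DNAT    tcp  --  0.0.0.0/0  0.0.0.0/0    tcp dpt:80 to:192.168.1.20:80'

# winning_dnat LISTING PORT
# Prints "<rule number> <to-address>" for the first DNAT rule matching inbound
# TCP on PORT. The chain is walked top-down and the first terminating match
# wins, so any rule below it never sees that traffic. Prints "none" if nothing
# matches.
winning_dnat() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $2 == "DNAT" && $3 == "tcp" {
            dport = ""; to = ""
            for (i = 4; i <= NF; i++) {
                if (index($i, "dpt:") == 1) dport = substr($i, 5)
                if (index($i, "to:") == 1)  to = substr($i, 4)
            }
            if (dport == port) { print $1, to; found = 1; exit }
        }
        END { if (!found) print "none" }'
}

# check_forward LISTING PORT WANTED
# Returns 0 when the rule that wins for PORT sends traffic to WANTED
# (host:port); otherwise reports the shadowing rule and returns 1.
check_forward() {
    result=$(winning_dnat "$1" "$2")
    if [ "$result" = "none" ]; then
        echo "no PREROUTING DNAT rule matches port $2" >&2
        return 1
    fi
    num=${result%% *}
    to=${result#* }
    if [ "$to" = "$3" ]; then
        echo "port $2 -> $to (rule $num)"
        return 0
    fi
    echo "port $2 is captured by rule $num (-> $to), not forwarded to $3" >&2
    return 1
}

# On the router (as root), against the live table:
# check_forward "$(iptables -t nat -L PREROUTING -n --line-numbers)" 22 192.168.1.10:22
```

The rule number it reports is the one to pass to `iptables -t nat -D PREROUTING <num>` if the shadowing rule turns out to be the router's own redirect rather than one you configured.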