WRT54G, v24sp1, SSH port forwarding

gavinchappell
DD-WRT Novice


Joined: 20 Oct 2008
Posts: 6

PostPosted: Mon Oct 20, 2008 10:23    Post subject: WRT54G, v24sp1, SSH port forwarding
I've got a rev2 WRT54G running DD-WRT v24SP1, and I want to be able to forward the SSH port 22 to a machine inside my LAN. So far I've done the following:

1) Configured dropbear on the router to use port 2222
2) Applied settings
3) Rebooted router
4) Created a NAT rule to forward port 22 to the internal IP address I want to use
5) Applied
6) Rebooted

However, when I SSH to the IP of the router from an external address, i.e. my work machine, the connection is being made to the router, NOT my LAN machine.

Running ps on the router says I have two instances of dropbear running, both on port 2222, and netstat -an says that I'm currently connected to port 2222 from my work computer, even though I specified port 22 when I made the connection.

It's almost as if there's some internal redirection happening before the NAT rules are processed, meaning that my connection on 22 is being redirected to 2222 on the router. Is this possible? I can't see anything in iptables -L -v that would suggest this is happening.

Anyone else seen similar behaviour, or have any idea of where to start looking? The workaround is to move SSH on my LAN machine to another port, but I'd rather not do that as it's just easier to have that one on the default port and move the router to an alternative as the router will be used far less...
soulstace
DD-WRT Guru


Joined: 04 Aug 2007
Posts: 6427

PostPosted: Mon Oct 20, 2008 15:26    Post subject:
show me output of

iptables -t nat -L

The redirection could be happening there.
gavinchappell
DD-WRT Novice


Joined: 20 Oct 2008
Posts: 6

PostPosted: Mon Oct 20, 2008 15:45    Post subject:
DNAT tcp -- anywhere wan.ip.address tcp dpt:ssh to:10.128.1.1:2222

Oops, was the first line of the PREROUTING table...

I've run "iptables -t nat -D PREROUTING 1" to clear that rule and SSH is now working to my LAN machine correctly. Will this rule come back on a reboot though? I've seen it mentioned nowhere in the GUI, so I'm not sure where it's come from or whether it's a one-off or will recur on reboot.
soulstace
DD-WRT Guru


Joined: 04 Aug 2007
Posts: 6427

PostPosted: Mon Oct 20, 2008 16:10    Post subject:
Glad to help

I dunno, maybe a critter changed it?

Are you sure that your port forwarding rule is pointing to the IP address of your LAN machine and not 10.128.1.1?

Is Remote Management enabled or disabled? Sounds enabled to me, and this could indeed be the problem.
gavinchappell
DD-WRT Novice


Joined: 20 Oct 2008
Posts: 6

PostPosted: Mon Oct 20, 2008 16:37    Post subject:
I'm at home now so I can tinker a bit more without worrying about killing it...

Under Services\Services\Secure Shell, I have it enabled for port 2222.

However, under Administration\Management, it's still set for 22. When my downloads have finished, I'm going to try and reboot the router to see if the NAT rule comes back, and if it does try changing this second value to 2222 as well then reboot again to see if this fixes the NAT rule.

Maybe in future changing one of these values could change both? The only two reasons I can think of for changing the SSH port on the router are:

a) you want to port forward 22 to a LAN machine like I do, and therefore don't want the router intervening

b) for "security by obscurity" you want the router to use a non-default port, in which case you wouldn't want the default port to just forward connections on because that would defeat the object

So while it isn't strictly a bug, it's not much of a feature either IMO.
soulstace
DD-WRT Guru


Joined: 04 Aug 2007
Posts: 6427

PostPosted: Mon Oct 20, 2008 16:50    Post subject:
The router is doing exactly as you told it to. You have remote SSH management enabled on port 22. Now whenever something comes in on port 22 it gets redirected to the router's local socket 2222.
gavinchappell
DD-WRT Novice


Joined: 20 Oct 2008
Posts: 6

PostPosted: Mon Oct 20, 2008 16:56    Post subject:
Yeah, all I'm saying is that if I have made the conscious effort to move the port that dropbear listens on in one place, it's obvious what my intentions are (whether for functionality or security), so shouldn't it be changed in the other as well?

What if:

1) I change the port in the SSH section to 2222
2) I apply correct firewall rules to port 2222
3) I test these rules to make sure only hosts I allow can connect to 2222
4) Meanwhile, anyone can connect to 22 with no security and just get nicely DNATed to port 2222 (and the NAT would change the originating IP to the router itself, which would be OK?)

Would this not be a method for an attacker to circumvent the firewall I put in place with the intention of protecting the router? Or am I misunderstanding incoming NAT and it doesn't change the original IP like outgoing NAT does?
soulstace
DD-WRT Guru


Joined: 04 Aug 2007
Posts: 6427

PostPosted: Mon Oct 20, 2008 17:12    Post subject:
What is the reason you have changed SSHd to run on port 2222? Are you trying to protect SSHd from internal (LAN) attacks?

If I trust the LAN I would just leave SSHd service on default port 22. Then in remote SSH management use port 2222. This way any attacker scanning on my WAN port 22 will see SSH is not open for business.
gavinchappell
DD-WRT Novice


Joined: 20 Oct 2008
Posts: 6

PostPosted: Mon Oct 20, 2008 17:16    Post subject:
The initial reason was that I want to forward 22, and I assumed that a service running locally on the router on 22 would take precedence over a NAT rule. Now it turns out that's not necessarily true, so I may go back to running it on 22 but with the remote management port set to 2222.

I also just realised that I'm talking complete rubbish about incoming NAT; of course it doesn't rewrite the source IP address, so most of my assumptions are wrong anyway.
soulstace
DD-WRT Guru


Joined: 04 Aug 2007
Posts: 6427

PostPosted: Mon Oct 20, 2008 17:21    Post subject:
That will work. Then you can forward port 22 (or some other port like 2224 for security) to your LAN machine.

Connect to the router's SSH at port 2222
Connect to LAN SSH at port 2224
gavinchappell
DD-WRT Novice


Joined: 20 Oct 2008
Posts: 6

PostPosted: Mon Oct 20, 2008 17:24    Post subject:
I've got the effect I'm after with:

Router SSH set to 22
Router remote management set to 2222
NAT rule for 22 set to forward to internal IP:22

This way, a simple "ssh myip" gives me the LAN machine I'll want 99% of the time, but I can also do "ssh myip -p 2222" to get to the router itself should I need to. I can also just use "ssh internalip" from the LAN and get to the router that way.

All sorted, thanks for your help, and embarrassed for being a NAT n00b...
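The whole thread comes down to rule order in the nat table's PREROUTING chain: the remote-management DNAT to the router's own LAN address sat above the port-forward DNAT, so the first match won and the forward was never reached. The script below is an added example (not from the thread or from DD-WRT) that reads a saved `iptables -t nat -L PREROUTING -n` listing and reports forwards that are shadowed in this way. The listing, the WAN address 203.0.113.10 and the LAN host 10.128.1.50 are constructed sample data.

```shell
#!/bin/sh
# Report PREROUTING DNAT forwards that are shadowed by an earlier DNAT rule
# for the same destination port that points back at the router itself.
# Expects a listing produced with -n (numeric ports: "dpt:22", not "dpt:ssh").
# Usage: check_shadowed_forwards ROUTER_LAN_IP < listing
check_shadowed_forwards() {
  awk -v router="$1" '
    $1 == "DNAT" {
      port = ""; target = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^dpt:/) { split($i, a, ":"); port = a[2] }
        if ($i ~ /^to:/)  { sub(/^to:/, "", $i); target = $i }
      }
      if (port == "") next                 # port ranges etc. are not handled
      split(target, t, ":"); host = t[1]   # host part of "to:host:port"
      # First DNAT for a given dport wins; remember who it goes to.
      if (!(port in first)) { first[port] = host; next }
      # A later forward for the same dport to a different host never matches
      # if the winner is a redirect to the router itself.
      if (first[port] == router && host != router)
        printf "port %s forward to %s is shadowed by redirect to %s\n", port, target, first[port]
    }'
}

# Constructed listing resembling the one quoted in the thread (-n form).
sample_listing() {
  cat <<'EOF'
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            203.0.113.10         tcp dpt:22 to:10.128.1.1:2222
DNAT       tcp  --  0.0.0.0/0            203.0.113.10         tcp dpt:22 to:10.128.1.50:22
DNAT       tcp  --  0.0.0.0/0            203.0.113.10         tcp dpt:80 to:10.128.1.50:80
EOF
}

# On the router itself: iptables -t nat -L PREROUTING -n | check_shadowed_forwards 10.128.1.1
sample_listing | check_shadowed_forwards 10.128.1.1
```

Only the port 22 forward is reported; the port 80 forward has no competing redirect above it.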