
Global SSH Access restriction

Discussion in 'Tomato Firmware' started by gawd0wns, Jul 30, 2009.

  1. gawd0wns

    gawd0wns LI Guru Member

    Is the "Access restricted to" field in Administration --> Admin Access supposed to work with remote ports, or is this only supposed to work with internal LAN addresses?

    I was not able to connect to my SSH server after granting remote access to SSH on port 1546 and specifying a restriction to a dyndns ip address (somehost.dyndns.org).
    After removing the restriction, it was working again.


    Thanks
     
  2. fyellin

    fyellin LI Guru Member

    Is there any possibility that somehost.dyndns.org changed IPs in between the time the router booted and the time you attempted to ssh to the router? I could believe that the ip address is only calculated once, rather than every time an ssh connection is made.

    Given that you're using public key encryption and a non-standard port, I think you're pretty safe even without the access restriction.
     
  3. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Setting it like that will make it so only connections from somehost.dyndns.org will be accepted for WAN SSH or web GUI (LAN is unaffected). Note that if the ip address of somehost.dyndns.org changes, the new IP address will not be allowed until/unless the router firewall restarts.

    That is how I use the field, and it works great.

    Could you SSH in to your router (from LAN, obviously) and post the output of
    Code:
    iptables -t nat -nvL
     
  4. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I also just noticed that you have the "Limit connection attempts" checkbox selected.

    I've found that whenever I have that checkbox selected, I can't connect via SSH for quite a while after each reboot (or after I enable it). Sometimes on the order of 10-30 minutes.

    You might try it without that (at least to test), or give it a few hours and try again.
     
  5. jan.n

    jan.n Addicted to LI Member

    Perhaps reverse-lookup of the IP does not resolve to somehost.dyndns.org but to the DNS name your provider gives to you and because of that it's not working?
     
  6. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    It doesn't use reverse DNS lookup. When the rule is added, the DNS name is resolved, and that IP address is used for as long as the rule is in place.
     
  7. gawd0wns

    gawd0wns LI Guru Member

    Yes, the IP would have changed, which is why I wanted to try it with dyndns :). Resolving the address only once would definitely explain it. Here I changed the access restriction to google.com:

    Here is the output of iptables -t nat -nvL:
    Code:
    # iptables -t nat -nvL
    Chain PREROUTING (policy ACCEPT 38 packets, 8513 bytes)
    pkts bytes target prot opt in out source destination
    0 0 DROP 0 -- vlan1 * 0.0.0.0/0 192.168.1.0/24
    0 0 DNAT icmp -- * * 0.0.0.0/0 my-ip to:192.168.1.1
    0 0 DNAT tcp -- * * 74.125.67.100 my-ip tcp dpt:1546 to:192.168.1.1:22
    0 0 DNAT tcp -- * * 74.125.127.100 my-ip tcp dpt:1546 to:192.168.1.1:22
    0 0 DNAT tcp -- * * 74.125.45.100 my-ip tcp dpt:1546 to:192.168.1.1:22

    Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    1 44 MASQUERADE 0 -- * vlan1 0.0.0.0/0 0.0.0.0/0

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
     
  8. jan.n

    jan.n Addicted to LI Member

    Which rule is added where? :confused:
    IMHO ssh does some checks upon login. For the permitted host to be able to login, its IP must resolve to the DNS name you provided as "permitted" via the web interface. But your IP is very unlikely to resolve to the dyndns name you use, as it'll resolve to your DNS name in your provider network. Unless dropbear explicitly resolves via dyndns nameservers, if I'm not wrong...

    Ahh, now I understand it - that's not an option to ssh you provide there, it's a firewall rule :) Well, there's no use of putting dyndns names into the firewall rules, as dyndns is very likely to often change over short periods of time.
     
  9. gawd0wns

    gawd0wns LI Guru Member

    Do you think it would be possible to create a firewall rule which uses an ip address stored in an external file? I know this is a very very long shot :)
     
  10. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I don't think that's possible.

    However, you could just set up an entry on the scheduler page that runs "service firewall restart". That would restart the firewall periodically, and you could just set the frequency based on how long you're willing to wait before the access restriction IP is updated after an IP change.
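The two points made above (the restriction name is resolved once when the rule is installed, and a scheduled "service firewall restart" is the way to pick up a new address) can be combined into one scheduler job that only restarts the firewall when the dyndns address has actually drifted away from what the DNAT rules permit. The script below is an added example, not code from the thread or from Tomato; it assumes the remote SSH port 1546 and the host name somehost.dyndns.org from the thread, and that BusyBox nslookup and "service firewall restart" are available as on Tomato. The iptables listing embedded in it is a constructed sample copied from the output posted earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the Tomato project): compare the
# source addresses in the WAN SSH access-restriction DNAT rules with the
# current address of the dyndns host, and restart the firewall only on drift.

SSH_PORT=1546                      # remote SSH port used in the thread (assumption)
ALLOWED_HOST="somehost.dyndns.org" # restriction host from the thread (assumption)

# Print the source address of every DNAT rule forwarding the given port.
# Reads `iptables -t nat -nvL` text on stdin; one IP per output line.
allowed_sources() {
    awk -v port="$1" '
        $3 == "DNAT" && $4 == "tcp" {
            for (i = 1; i <= NF; i++)
                if ($i == ("dpt:" port)) print $8
        }'
}

# Resolve a name to its first IPv4 answer. Assumes BusyBox nslookup output:
# the answer section starts at the "Name:" line, so addresses before it
# (the resolver itself) are skipped.
resolve_ipv4() {
    nslookup "$1" 2>/dev/null | awk '
        /^Name:/ { answer = 1; next }
        answer { for (i = 1; i <= NF; i++)
                     if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { print $i; exit } }'
}

# True (exit 0) if $1 appears as a whole line in the newline-separated list $2.
ip_allowed() {
    printf '%s\n' "$2" | grep -qxF "$1"
}

# Decide what to do: "ok" (rule still matches), "restart" (address drifted),
# or "unresolved" (DNS failed; keep the old rule rather than restart blindly).
# $1 = text of `iptables -t nat -nvL`, $2 = resolved address of ALLOWED_HOST.
decide() {
    allowed=$(printf '%s\n' "$1" | allowed_sources "$SSH_PORT")
    if [ -z "$2" ]; then
        echo "unresolved"
    elif ip_allowed "$2" "$allowed"; then
        echo "ok"
    else
        echo "restart"
    fi
}

# Constructed sample: the NAT table listing posted in the thread, where the
# restriction had been pointed at google.com.
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 38 packets, 8513 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP 0 -- vlan1 * 0.0.0.0/0 192.168.1.0/24
0 0 DNAT icmp -- * * 0.0.0.0/0 my-ip to:192.168.1.1
0 0 DNAT tcp -- * * 74.125.67.100 my-ip tcp dpt:1546 to:192.168.1.1:22
0 0 DNAT tcp -- * * 74.125.127.100 my-ip tcp dpt:1546 to:192.168.1.1:22
0 0 DNAT tcp -- * * 74.125.45.100 my-ip tcp dpt:1546 to:192.168.1.1:22'

# Run with --live from a Tomato scheduler entry to act on the real tables;
# without it the script only defines the functions and the sample above.
if [ "${1:-}" = "--live" ]; then
    case "$(decide "$(iptables -t nat -nvL)" "$(resolve_ipv4 "$ALLOWED_HOST")")" in
        restart) service firewall restart ;;
    esac
fi
```

Scheduling this every few minutes keeps the window between a dyndns update and the rule change short without restarting the firewall on every run, and the "unresolved" branch means a DNS outage leaves the existing (still correct or at worst stale) restriction in place instead of reinstalling the rule from a failed lookup.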
     
  11. gawd0wns

    gawd0wns LI Guru Member

    Sounds reasonable :)

    Thanks for all the comments.
     
