How to allow SSH on another port

Discussion in 'Tomato Firmware' started by DomDis, Feb 13, 2018.

  1. DomDis

    DomDis Network Newbie Member

    Hello all, I have a couple of Linux boxes at home that I'd like to SSH to (from WAN).
    I added a port FWD to 22 to one of my boxes and I am able to SSH to that box.
    I tried adding a port forward for "Both", external 2222 to internal 22 on the IP of the other box, but that didn't work.
    I then tried to reconfigure the other box to run/listen SSH on port 2222 and I added a port forward 2222 to 2222 of the other box, and that did not work either.

    I attempted to look at the logs under Basic but there is no info on port forwarding. I went to Config and set console logging to 8 (assuming that this is verbose), but still no info on port forwarding in the logs.

    P.S. If I ssh to the 1st box on 22 I can then ssh to the second box via the command line: ssh user@IP -P 2222

    Also, is there an FAQ on Administration, Logging? I did a search on Administration debugging but I'm not sure the results applied to what I was looking for.
     
  2. eibgrad

    eibgrad Network Guru Member

    It almost sounds to me as if you believe the option "Both" (for protocol) on the port forwarding means multiple port forwards using the same external port, 2222. Which it doesn't. Each port forward has to use a unique external port (e.g., 2222, 2223). I say that because I don't know why anyone would choose "Both" for ssh, since it's strictly tcp, not udp. IOW, "Both" for protocol creates a port forward for both tcp and udp.

    Would have helped had you provided details on each port forward. Right now I just have to guess.
     
  3. DomDis

    DomDis Network Newbie Member

    I wasn't sure if it was just TCP or just UDP, so to be safe I chose Both, meaning UDP & TCP.
    Details: I thought I did, but let me try to be more specific.

    I add a FWD set to ON, proto set to BOTH (didn't know better and maybe a little lazy to look it up), src addr set to MY WORK'S FIREWALL IP, ext port set to 22, int port set to 22, int addr set to the IP of box A, Description set to "SSH to Box A". This box runs an SSH server on port 22.

    This works, and I'm able to SSH to that box from work.

    On box B I modified the sshd_conf file to listen on port 2222. When I'm on box A I can ssh to box B on port 2222.

    I now add a second FWD set to ON, proto set to BOTH (didn't know better and maybe a little lazy to look it up), src addr set to MY WORK'S FIREWALL IP, ext port set to 2222, int port set to 2222, int addr set to the IP of box B, Description set to "SSH to Box B on 2222".

    If I try to SSH from work I never get to box B. I'm using PuTTY; I enter the IP and change the port to 2222. Again, if I use PuTTY with the IP and the default port of 22, I can connect no problem. Hope that makes sense.
     
  4. eibgrad

    eibgrad Network Guru Member

    Probably the easiest thing to do at this point is dump the relevant iptables chains and see how the port forwards are set up internally, and if they are even being hit (at least the one that's not working).

    Code:
    iptables -t nat -vnL PREROUTING
    iptables -t nat -vnL WANPREROUTING
    iptables -vnL INPUT
    iptables -vnL FORWARD
     
  5. DomDis

    DomDis Network Newbie Member

    Code:
    root@unknown:/tmp/home/root# iptables -t nat -vnL PREROUTING

    Chain PREROUTING (policy ACCEPT 153 packets, 17931 bytes)
    pkts bytes target prot opt in out source destination
    27 1368 WANPREROUTING all -- * * 0.0.0.0/0 204.xxx.xxx.xxx
    0 0 DROP all -- vlan2 * 0.0.0.0/0 192.168.1.0/24


    root@unknown:/tmp/home/root# iptables -t nat -vnL WANPREROUTING

    Chain WANPREROUTING (1 references)
    pkts bytes target prot opt in out source destination
    0 0 DNAT icmp -- * * 0.0.0.0/0 0.0.0.0/0 to:192.168.1.1
    0 0 DNAT tcp -- * * 25.xxx.xxx.xxx 0.0.0.0/0 tcp dpt:1022 to:192.168.1.5:1022
    0 0 DNAT udp -- * * 25.xxx.xxx.xxx 0.0.0.0/0 udp dpt:1022 to:192.168.1.5:1022
    1 52 DNAT tcp -- * * 25.xxx.xxx.xxx 0.0.0.0/0 tcp dpt:22 to:192.168.1.2:22
    0 0 DNAT udp -- * * 25.xxx.xxx.xxx 0.0.0.0/0 udp dpt:22 to:192.168.1.2:22
    0 0 DNAT tcp -- * * 25.xxx.xxx.xxx 0.0.0.0/0 tcp dpt:2222 to:192.168.1.5:1022
    0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8181 to:192.168.1.5:80
    22 1144 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:192.168.1.2:443

    root@unknown:/tmp/home/root# iptables -vnL INPUT

    Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
    198 24112 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
    37 3315 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
    6 312 ACCEPT tcp -- * * 25.xxx.xxx.xxx 0.0.0.0/0 tcp dpt:8080
    11 2776 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0

    root@unknown:/tmp/home/root# iptables -vnL FORWARD

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    12479 11M all -- * * 0.0.0.0/0 0.0.0.0/0 account: network/netmask: 192.168.1.0/255.255.255.0 name: lan
    0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
    3677 445K monitor all -- * vlan2 0.0.0.0/0 0.0.0.0/0
    12368 11M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    23 1196 wanin all -- vlan2 * 0.0.0.0/0 0.0.0.0/0
    88 6315 wanout all -- * vlan2 0.0.0.0/0 0.0.0.0/0
    88 6315 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
     
  6. DomDis

    DomDis Network Newbie Member

    What a dumb _ _ _. As I was reviewing the iptables dumps I said to myself, 1022 or 2222 isn't even getting to the front door (0 pkts), and then it hit me: I didn't open those ports on my work firewall.

    Sorry, I'm sure it will work as soon as I open those ports.

    I was too close to the tree to see the forest.
     
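    The zero-packet check DomDis used on the dump above, written out as an added example (this script is not from the thread and not part of Tomato): a POSIX shell script that parses `iptables -t nat -vnL WANPREROUTING` output, lists the DNAT forwards that have never matched a packet, and separately flags udp rules that merely duplicate a tcp forward to the same target (what choosing "Both" produces for a tcp-only service such as ssh). A DNAT rule with 0 pkts has not been reached from the WAN at all, so the fault is upstream of the router. The embedded dump is copied from post 5 with the same xxx masking; the variable and function names (`WANPREROUTING_DUMP`, `dnat_rules`, `duplicate_udp`) are this example's own. On the router you would pipe the live command output into the functions instead of the stored text.

```shell
#!/bin/sh
# Added example, not from the thread or from Tomato.
# Parses the table printed by: iptables -t nat -vnL WANPREROUTING
# Columns of a -vnL dump: pkts bytes target prot opt in out source destination [extra]

# Constructed input: the WANPREROUTING dump posted in the thread (xxx masking kept).
WANPREROUTING_DUMP='Chain WANPREROUTING (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT icmp -- * * 0.0.0.0/0 0.0.0.0/0 to:192.168.1.1
0 0 DNAT tcp -- * * 25.xxx.xxx.xxx 0.0.0.0/0 tcp dpt:1022 to:192.168.1.5:1022
0 0 DNAT udp -- * * 25.xxx.xxx.xxx 0.0.0.0/0 udp dpt:1022 to:192.168.1.5:1022
1 52 DNAT tcp -- * * 25.xxx.xxx.xxx 0.0.0.0/0 tcp dpt:22 to:192.168.1.2:22
0 0 DNAT udp -- * * 25.xxx.xxx.xxx 0.0.0.0/0 udp dpt:22 to:192.168.1.2:22
0 0 DNAT tcp -- * * 25.xxx.xxx.xxx 0.0.0.0/0 tcp dpt:2222 to:192.168.1.5:1022
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8181 to:192.168.1.5:80
22 1144 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:192.168.1.2:443'

# dnat_rules hit|unhit  (reads a -vnL dump on stdin)
# Prints "proto dport target" for every DNAT rule whose packet counter is
# non-zero ("hit") or zero ("unhit").  Header and chain lines are skipped
# because their third column is not "DNAT".
dnat_rules() {
  awk -v want="$1" '
    $3 == "DNAT" {
      state = ($1 + 0 > 0) ? "hit" : "unhit"
      if (state != want) next
      dport = "-"
      for (i = 1; i <= NF; i++) if ($i ~ /^dpt:/) dport = substr($i, 5)
      print $4, dport, $NF
    }'
}

# duplicate_udp  (reads a -vnL dump on stdin)
# Prints "udp dport target" for each udp DNAT rule whose external port and
# internal target also have a tcp DNAT rule: the udp half of a "Both"
# forward, which does nothing for a tcp-only service like ssh.
duplicate_udp() {
  awk '
    $3 == "DNAT" {
      dport = "-"
      for (i = 1; i <= NF; i++) if ($i ~ /^dpt:/) dport = substr($i, 5)
      key = dport " " $NF
      if ($4 == "tcp") tcp[key] = 1
      if ($4 == "udp") udp[key] = 1
    }
    END { for (k in udp) if (k in tcp) print "udp", k }'
}

# Run against the embedded dump.  On the router, replace the printf with:
#   iptables -t nat -vnL WANPREROUTING | dnat_rules unhit
echo "forwards never hit from the WAN:"
printf '%s\n' "$WANPREROUTING_DUMP" | dnat_rules unhit
echo "forwards carrying traffic:"
printf '%s\n' "$WANPREROUTING_DUMP" | dnat_rules hit
echo "udp rules that only duplicate a tcp forward:"
printf '%s\n' "$WANPREROUTING_DUMP" | duplicate_udp
```

    Read the "never hit" list first: if the forward you are testing is in it, no packet for that port has arrived at the router, so the ISP or the remote side's firewall is dropping it before iptables ever sees it, and changing rules on the router will not help. The duplicate-udp list is the cleanup item once the forward works.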
  7. eibgrad

    eibgrad Network Guru Member

    It's a bit risky to use external ports below 1024 given these are the well-known ports. ISPs routinely block many of them. Better to stick with much higher numbers, say 8000 and above.

    I also don't see the FORWARD rules for 192.168.1.2 and 192.168.1.5 in the FORWARD chain. Did you edit them out?
     
  8. DomDis

    DomDis Network Newbie Member

    I didn't remove anything, I just changed the IPs. Hmmm, 22 to 192.168.1.2 works. I'm updating my work firewall to allow the ports to go out...
     
  9. eibgrad

    eibgrad Network Guru Member

    Oops, my bad. I was thinking of dd-wrt. I forgot tomato handles the forwarding in the wanin chain (which itself is called from the FORWARD chain).

    Code:
    iptables -vnL wanin
     
  10. DomDis

    DomDis Network Newbie Member

    Yup, it all works: 1022->1022, 8222->1022, 8022->22. My work firewall was blocking it.
     
  11. DomDis

    DomDis Network Newbie Member

    Hey, quick off-topic question if I may: in Tomato, is there a "TOP" bandwidth utilizer graph that will show you who is hogging the bandwidth, or do you have to look at each individual IP?
     
  12. Monk E. Boy

    Monk E. Boy Network Guru Member

    BTW, SSH is TCP-only, it doesn't use UDP.

    There is a bandwidth graph under QoS, but it really only works properly if you have QoS enabled, and it isn't geared towards finding the client using the most bandwidth (although the client using the most bandwidth will be in the largest chunk of the pie chart, which you can then drill into to see all clients in that category).
     