
Selectively enabling/disabling HTTP(S) Remote Admin

Discussion in 'Tomato Firmware' started by ooglek, Jul 3, 2008.

  1. ooglek

    ooglek LI Guru Member

    Summary: How do I enable AND start remote web management via SSH without reboot? And then subsequently disable and stop it when I'm done?

    I love Tomato. I run the SSH client on port 22 without IP restrictions, as I only use publickey authentication in order to access the device. Turning on IP authentication is good too, but I found it annoying that I couldn't specify a list of IP addresses, such as 10.10.10.0/23 AND 10.20.30.40 and 10.20.40.0/24, so that I could add more later.

    I'd like to know how I could do the following:
    1. SSH enabled, HTTP management disabled
    2. SSH to Tomato Router, issue "nvram set remote_management=1; nvram commit"
    3. Somehow enable the remote management without rebooting the router

    Sometimes I want to access the web interface, but just to open it for a bit, for security reasons. I do not think triggered port forwarding will work in this case; though it'd be cool to telnet to 3 different external ports from my IP, which, after that combination in the right order in a short amount of time, would enable HTTPS management of Tomato for a short time, same as a triggered port forwarding might.

    Everything in /sbin/ seems symlinked to "rc" or "busybox" so I'm sure the answer lies in one of those symlinks, but I'm currently remote and don't want to crash my router. Sure, I can reboot after the nvram command, but I'm sure there is an easy command to issue to start it up. This is Linux, c'mon!

    A feature request is to be able to open SSH up to everyone, but the web only to a list of IPs.

    PS -- heh, right now, I've got an SSH tunnel from my mac to my personal hosted server, then to port 8080 on Tomato, as my personal server is the only IP whitelisted. Gah. Security is fine, but kind of annoying. It'd be fine if I could restrict 8080 to certain IPs, but I want SSH open to all IPs.
     
  2. mstombs

    mstombs Network Guru Member

    I'm pretty sure the remote management options just adjust the iptables netfilter firewall

    Have a look at

    iptables -L -vn -t nat

    and

    iptables -L -vn

    You should see remote connections are allowed in through both PREROUTING and INPUT chains.

    To allow a range of remote IPs to have custom access you can use the firewall script to permanently store what you want.
     
  3. ooglek

    ooglek LI Guru Member

    OK, so I could selectively enable and disable iptables entries, good solution.

    I'm still interested in how, after modifying nvram to turn on remote admin access via HTTP, to start/enable that access. i.e. from the command line, how do I emulate changing "Disabled" to "HTTP" on the Administration page and hitting save?
     
  4. ooglek

    ooglek LI Guru Member

    Solving my own issue

    Here's what's worked for me thus far.

    1. SSH to Tomato router
    2. nvram set remote_management=1
    3. nvram set action_service=admin-restart
    4. nvram commit
    5. kill -USR1 1

    This will restart all admin services WITHOUT rebooting your router, and will bring up the web-based management. To shut it down when you are done:

    1. SSH to Tomato router
    2. nvram set remote_management=0
    3. nvram set action_service=admin-restart
    4. nvram commit
    5. kill -USR1 1

    I'm going to post how to restart services from the command line in another post in a minute.
     
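The enable/disable sequence from the post above and the firewall-script allow-list mstombs suggested, combined as an added example that is not code from the thread or from Tomato itself: it prints the commands by default, and the WAN interface name vlan1, the remote web port 8080, and the function names remote_admin_cmds, web_allowlist_cmds and apply_cmds are assumptions chosen here.

```shell
#!/bin/sh
# Added example (not from the thread): wraps the nvram/kill sequence posted
# above into a function and adds the per-IP web allow-list mstombs suggests
# for the firewall script. Commands are printed; set APPLY=1 on the router
# itself to execute them instead.

# Assumptions, not read from the router: WAN interface name and remote web port.
WAN_IF="${WAN_IF:-vlan1}"
REMOTE_WEB_PORT="${REMOTE_WEB_PORT:-8080}"

# Print the exact command sequence from the thread for "on" or "off",
# one command per line. Returns 1 on any other argument.
remote_admin_cmds() {
    case "$1" in
        on)  flag=1 ;;
        off) flag=0 ;;
        *)   echo "usage: remote_admin_cmds on|off" >&2; return 1 ;;
    esac
    printf 'nvram set remote_management=%s\n' "$flag"
    printf 'nvram set action_service=admin-restart\n'
    printf 'nvram commit\n'
    printf 'kill -USR1 1\n'   # signals init (rc) to run the admin-restart action
}

# Print iptables commands that let only the listed sources reach the remote
# web port from the WAN, so SSH stays open to everyone while the web UI is
# limited to a few CIDRs. Usage: web_allowlist_cmds "10.10.10.0/23 10.20.30.40"
web_allowlist_cmds() {
    [ -n "$1" ] || { echo 'usage: web_allowlist_cmds "cidr ..."' >&2; return 1; }
    # Every rule uses -I (insert at head): the DROP is emitted first, so each
    # ACCEPT emitted afterwards lands above it and above the firmware's own
    # accept rule. If the nat PREROUTING rule ("iptables -L -vn -t nat")
    # rewrites the port, use the rewritten port here instead.
    printf 'iptables -I INPUT -i %s -p tcp --dport %s -j DROP\n' \
        "$WAN_IF" "$REMOTE_WEB_PORT"
    for cidr in $1; do
        printf 'iptables -I INPUT -i %s -s %s -p tcp --dport %s -j ACCEPT\n' \
            "$WAN_IF" "$cidr" "$REMOTE_WEB_PORT"
    done
}

# Dry run (print) by default; APPLY=1 evaluates each line on the router.
apply_cmds() {
    while IFS= read -r line; do
        if [ "${APPLY:-0}" = "1" ]; then eval "$line"; else printf '%s\n' "$line"; fi
    done
}

remote_admin_cmds on | apply_cmds
web_allowlist_cmds "10.10.10.0/23 10.20.30.40 10.20.40.0/24" | apply_cmds
```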
