SSH remote forwarding

Discussion in 'DD-WRT Firmware' started by mk14, May 22, 2007.

  1. mk14

    mk14 Network Guru Member

    I'm trying to set up an SSH forwarding through my WRT54G (v3.1) with DD-WRT v23 SP2.
    The WRT is 192.168.100.21 and it's running SSH with key-based login.

    Local forwarding
    Code:
    ssh -L 8080:localhost:80 root@192.168.100.21 -p 2222
    works just fine (as expected, I get the DD-WRT web interface when I access http://localhost:8080 on my computer).

    But remote forwarding
    Code:
    ssh -R 8080:localhost:80 root@192.168.100.21 -p 2222
    doesn't work - I should get to the web server my computer is running on port 80 when accessing http://192.168.100.21:8080.

    When I run netstat -a on DD-WRT after connecting through SSH -R, I also can't see anything running on port 8080.

    How can I use remote forwarding with the WRT? Could it be a firewall issue on the WRT?

    EDIT: When I'm sshed into the WRT and run telnet localhost 8080 and then type GET / HTTP/1.0 and hit return twice, I get the HTML code of the start page on my web server. So it seems like DD-WRT's Dropbear doesn't allow other hosts to connect to port forwardings.
     
  2. mk14

    mk14 Network Guru Member

    I was able to solve the problem by having DD-WRT run the following commands on startup (can be set on Administration - Diagnose in the web interface):

    Code:
    killall dropbear
    dropbear -b /tmp/loginprompt -r /tmp/root/.ssh/ssh_host_rsa_key -d /tmp/root/.ssh/ssh_host_dss_key -p 2222 -s -a
    This runs dropbear with option "-a Allow connections to forwarded ports from any host".
    Code:
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -F
    iptables -X
    This disables the firewall.

    Now I can connect and the port forwarding works:
    Code:
    ssh -R 192.168.100.21:58080:127.0.0.1:80 root@192.168.100.21 -p 2222
    But it only works if I specify the WRT's external IP (192.168.100.21) in the -R command and use 127.0.0.1 instead of localhost.
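    To make the `netstat -a` diagnostic from this thread systematic, here is an added example (not code from the thread or from DD-WRT): it parses `netstat -an` listener lines and reports whether a reverse-forwarded port is bound to loopback only (what `ssh -R` gives without `dropbear -a`), to a single address, or to all interfaces. The netstat sample is constructed for the example.

```python
"""Classify listening sockets from `netstat -an` output so you can see whether
an `ssh -R` listener on the router is reachable from other hosts at all.
The sample output below is constructed, not captured from a real router."""
import re
from dataclasses import dataclass

# Constructed sample of BusyBox `netstat -an` output on a DD-WRT box.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN
tcp        0      0 192.168.100.21:58080    0.0.0.0:*               LISTEN
tcp        0      0 192.168.100.21:2222     192.168.100.5:51234     ESTABLISHED
"""

@dataclass
class Listener:
    addr: str
    port: int

    @property
    def exposure(self) -> str:
        # Without `dropbear -a` (GatewayPorts) the -R listener binds to
        # 127.0.0.1: only processes on the router itself can reach it.
        if self.addr.startswith("127."):
            return "loopback-only"
        if self.addr == "0.0.0.0":
            return "all-interfaces"
        return "single-address"

# IPv4 TCP sockets in LISTEN state: proto, queues, local addr:port, remote, state.
LINE_RE = re.compile(r"^tcp\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN")

def parse_listeners(netstat_output: str) -> list[Listener]:
    """Return every IPv4 TCP listener found in the netstat output."""
    found = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.append(Listener(m.group(1), int(m.group(2))))
    return found

def check_forwarded_port(netstat_output: str, port: int) -> str:
    """Report how (or whether) a reverse-forwarded port is bound on the router."""
    hits = [l for l in parse_listeners(netstat_output) if l.port == port]
    if not hits:
        return "missing"  # -R never bound: request refused, or the tunnel is not up
    return ",".join(sorted(l.exposure for l in hits))

if __name__ == "__main__":
    for p in (8080, 58080, 9000):
        print(p, check_forwarded_port(SAMPLE_NETSTAT, p))
```

On the router, pipe the real `netstat -an` output into `check_forwarded_port` instead of the constructed sample; a "loopback-only" result for your -R port means the listener exists but only the router itself can connect to it.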
     