ssh access from wan[solved]

An area specifically for port forwarding, firewalls and other (on-line) security related issues.
shyjack
Newbie
Posts: 5
Joined: Thu Oct 20, 2011 5:09 am

Re: ssh access from wan[solved]

Post by shyjack » Mon Oct 24, 2011 10:41 am

ACCEPT tcp -- wan_ip/wan_mask anywhere tcp dpt:ssh

Before I manually ran the iptables command, here is the output of "iptables -L":

DROP udp -- anywhere anywhere multiport dports 161,162
DROP tcp -- anywhere anywhere multiple source IP (inv): 192.168.1.29,wan_ip1,192.168.1.2,wan_ip2, tcp dpt:ssh
DROP udp -- anywhere anywhere udp dpt:tftp
DROP tcp -- anywhere anywhere multiple source IP (inv): 192.168.1.29,wan_ip1,192.168.1.2,wan_ip2, tcp dpt:ftp
DROP tcp -- anywhere anywhere multiple source IP (inv): 192.168.1.29,wan_ip1,192.168.1.2,wan_ip2, tcp dpt:www
DROP tcp -- anywhere anywhere multiple source IP (inv): 192.168.1.29,wan_ip1,192.168.1.2,wan_ip2, tcp dpt:telnet
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere multiple source IP: 192.168.1.29,wan_ip1,192.168.1.2,wan_ip2, state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere multiple source IP: 192.168.1.29,wan_ip1,192.168.1.2,wan_ip2, state NEW tcp dpt:telnet
ACCEPT tcp -- wan_ip/wan_mask anywhere state NEW tcp dpt:www
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed
DROP icmp -f anywhere anywhere
DROP all -- anywhere anywhere

I think the problem here is that DROP shows first and then ACCEPT, so I manually ran the command below:
iptables -I INPUT -p tcp -s [wan_ip] --dport 22 -j ACCEPT

Now the output was:
ACCEPT tcp -- wan_ip/wan_mask anywhere tcp dpt:ssh
DROP udp -- anywhere anywhere multiport dports 161,162
DROP tcp -- anywhere anywhere multiple source IP (inv): 192.168.1.29,wan_ip1,192.168.1.2,wan_ip2, tcp dpt:ssh
DROP udp -- anywhere anywhere udp dpt:tftp
DROP tcp -- anywhere anywhere multiple source IP (inv): 192.168.1.29,wan_ip1,192.168.1.2,wan_ip2, tcp dpt:ftp
DROP tcp -- anywhere anywhere multiple source IP (inv): 192.168.1.29,wan_ip1,192.168.1.2,wan_ip2, tcp dpt:www
DROP tcp -- anywhere anywhere multiple source IP (inv): 192.168.1.29,wan_ip1,192.168.1.2,wan_ip2, tcp dpt:telnet
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere multiple source IP: 192.168.1.29,wan_ip1,192.168.1.2,wan_ip2, state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere multiple source IP: 192.168.1.29,wan_ip1,192.168.1.2,wan_ip2, state NEW tcp dpt:telnet
ACCEPT tcp -- wan_ip/wan_mask anywhere state NEW tcp dpt:www
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed
DROP icmp -f anywhere anywhere
DROP all -- anywhere anywhere

Now I am able to ssh from the office into my home router. Can anyone please kindly advise how to make this setting permanent?
I assume I need to write this into a bootloader environment variable, but the question is how?

I checked /proc/sys/dev/adam2/environment, but it doesn't contain the commands that tiepolo wrote:
/var # cat /proc/sys/dev/adam2/environment
memsize 0x01000000
flashsize 0x00400000
modetty0 38400,n,8,1,hw
modetty1 38400,n,8,1,hw
bootserport tty0
cpufrequency 150000000
sysfrequency 125000000
bootloaderVersion 0.22.02
Adam2_Release 0.22.02_b04_Jul 27 2004
ProductID AR7RD
HWRevision Unknown
SerialNumber none
my_ipaddress 192.168.1.199
prompt Adam2_AR7RD
firstfreeaddress 0x9401d888
req_fullrate_freq 125000000
maca 00:15:e9:ca:8f:93
mtd0 0x90090000,0x903f0000
mtd1 0x90010090,0x90090000
mtd2 0x90000000,0x90010000
mtd3 0x903f0000,0x90400000
autoload 1
usb_vid 0x0
usb_pid 0x0
usb_man N/A
usb_prod N/A
mtd4 0x90010000,0x903f0000
vcc_encaps0 0.0
vcc_encaps1 0.0
vcc_encaps2 0.0
vcc_encaps3 0.0
vcc_encaps4 0.0
vcc_encaps5 0.0
vcc_encaps6 0.0
vcc_encaps7 0.0
autoload_timeout 15
StaticBuffer 120
mac_ap 00:15:e9:ca:8f:94
modulation 0x1
connection1 0x30ca

dropbear_timeout 0
/var #

Thanks in advance.

Note: I had already posted the above once but didn't see it, so I guess I forgot to submit. If I double-posted, whoever has access, please delete one of them.

Edit: edited by thechief to remove IP address.
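The rule-ordering behaviour described in the post above, as an added example that is not part of the thread or of the RouterTech firmware: a small Python model of first-match evaluation for the INPUT chain shown in the listing. All addresses (OFFICE, WAN_IP1, WAN_IP2 and the unrelated "stranger" address) are constructed placeholders for the ones redacted from the post, and the chain is a simplified transcription of the listing, so only the SSH, telnet, conntrack and catch-all rules are modelled. The rule names, the `Rule` class and the `evaluate`, `insert_rule` and `append_rule` helpers are assumptions for this example, not iptables APIs.

```python
"""Toy model of iptables INPUT-chain evaluation: first matching rule wins.

Added example, not code from the thread or from RouterTech. The chain below is
a simplified transcription of the poster's "iptables -L" output; every address
is a constructed placeholder, not the real one.
"""
from typing import Dict, List, Optional, Set
from dataclasses import dataclass


@dataclass
class Rule:
    target: str                           # ACCEPT or DROP
    proto: Optional[str] = None           # "tcp", "udp", "icmp"; None = any protocol
    dport: Optional[int] = None           # destination port; None = any port
    sources: Optional[Set[str]] = None    # source address set; None = "anywhere"
    invert_sources: bool = False          # True models "multiple source IP (inv)"
    states: Optional[Set[str]] = None     # conntrack states; None = any state

    def matches(self, pkt: Dict[str, object]) -> bool:
        """Return True when every field of this rule matches the packet."""
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        if self.sources is not None:
            in_set = pkt["src"] in self.sources
            if in_set == self.invert_sources:     # "(inv)" flips the sense of the set
                return False
        if self.states is not None and pkt["state"] not in self.states:
            return False
        return True


def evaluate(chain: List[Rule], pkt: Dict[str, object], policy: str = "DROP") -> str:
    """Walk the chain top to bottom; the first matching rule's target decides."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


# Constructed placeholders for the addresses the poster redacted.
LAN_ADMIN = "192.168.1.29"
WAN_IP1 = "198.51.100.10"
WAN_IP2 = "198.51.100.20"
OFFICE = "203.0.113.5"          # stands in for the "wan_ip" the poster inserted a rule for
ALLOWED = {LAN_ADMIN, WAN_IP1, "192.168.1.2", WAN_IP2}


def base_chain() -> List[Rule]:
    """Subset of the poster's original chain, in the order iptables -L printed it."""
    return [
        Rule("DROP", "tcp", 22, ALLOWED, invert_sources=True),     # drop ssh from anyone NOT in the set
        Rule("DROP", "tcp", 23, ALLOWED, invert_sources=True),     # same for telnet
        Rule("ACCEPT", states={"RELATED", "ESTABLISHED"}),          # conntrack return traffic
        Rule("ACCEPT", "tcp", 22, ALLOWED, states={"NEW"}),         # new ssh from the set
        Rule("ACCEPT", "tcp", 23, ALLOWED, states={"NEW"}),         # new telnet from the set
        Rule("DROP"),                                               # catch-all at the bottom
    ]


def insert_rule(chain: List[Rule], rule: Rule, position: int = 1) -> List[Rule]:
    """Model 'iptables -I CHAIN [pos] ...': insert at a 1-based position (default: top)."""
    new = list(chain)
    new.insert(position - 1, rule)
    return new


def append_rule(chain: List[Rule], rule: Rule) -> List[Rule]:
    """Model 'iptables -A CHAIN ...': append below everything, including the catch-all DROP."""
    return list(chain) + [rule]


def ssh_syn(src: str) -> Dict[str, object]:
    """A new inbound SSH connection attempt from the given source address."""
    return {"proto": "tcp", "dport": 22, "src": src, "state": "NEW"}


def verdicts() -> Dict[str, str]:
    """Verdicts for the scenarios the post describes, plus the -A variant for contrast."""
    before = base_chain()
    office_rule = Rule("ACCEPT", "tcp", 22, {OFFICE})   # the rule the poster added with -I
    inserted = insert_rule(before, office_rule)
    appended = append_rule(before, office_rule)
    return {
        "allowed_src_before": evaluate(before, ssh_syn(WAN_IP1)),
        "office_before": evaluate(before, ssh_syn(OFFICE)),
        "office_after_insert": evaluate(inserted, ssh_syn(OFFICE)),
        "office_after_append": evaluate(appended, ssh_syn(OFFICE)),
        "stranger_after_insert": evaluate(inserted, ssh_syn("192.0.2.99")),
    }


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:24s} {verdict}")
```

Running it shows why the ordering mattered: with the original chain, a NEW SSH connection from an address outside the allowed set hits the first "(inv)" DROP before the later ACCEPT is ever consulted, so it is dropped; `-I` (insert at position 1) places the new ACCEPT above that DROP and the connection is accepted; `-A` would have appended the rule below the catch-all DROP and changed nothing. Because the inserted rule is restricted to a single source address, SSH from any other WAN address still lands on the DROP, which is the property worth preserving when the rule is eventually made permanent.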
thechief
RouterTech Team
Posts: 12067
Joined: Wed Feb 01, 2006 10:22 pm
Location: England, the Centre of Africa

Re: ssh access from wan[solved]

Post by thechief » Mon Oct 24, 2011 1:41 pm

The Chief: :afro: Be sure to read the Firmware FAQ and do a Forum Search before posting!
No support via PM. Ask all questions on the open forum.