ssh access from wan[solved]


Post by pierissimo » Tue Jul 07, 2009 1:36 pm

Hi guys!!!
I just installed the 2.9 release of the RouterTech firmware.
The problem is that I'm not able to ssh to my router from WAN.
In the previous release I found a workaround, which was

Code:

setenv ip3.sh ";/sbin/iptables -I FORWARD -i ppp0 -p tcp --dport 22 -j ACCEPT"
setenv ip4.sh ";/sbin/iptables -I INPUT -i ppp0 -p tcp --dport 22 -j ACCEPT"

This code no longer works....

P.S. In the "Access Control" section I marked "ssh" from WAN, but it seems that this tool has never worked..

thanx!!!
Last edited by pierissimo on Tue Jul 07, 2009 9:28 pm, edited 1 time in total.

Post by mstombs » Tue Jul 07, 2009 4:31 pm

Hi,

This has always worked for me from the GUI - I enable only my fixed IP work computer, and use ddns IP. I can't think of a change in RT2.9 that would cause this change - are you sure you have the WAN IP correct?

To investigate further please advise exactly which version of firmware and the output of

Code:

iptables -vnL
iptables -vnL -t nat

I do not see what iptables "FORWARD" can have to do with this!
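
An added example (not from the thread or the RouterTech firmware): a shell/awk filter for the `iptables -vnL` output requested above. For each rule accepting TCP port 22 on ppp0 it reports the chain, whether the source is restricted, and whether the packet counter shows the rule ever matched; a zero counter on the INPUT rule means the connection attempts are not arriving at this WAN address. The helper name `audit_ssh_rules` and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `iptables -vnL` output (illustrative, not from a real router).
SAMPLE='Chain INPUT (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
   57  3420 ACCEPT     tcp  --  ppp0   *       203.0.113.10         0.0.0.0/0           tcp dpt:22
    4   240 ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:2222
  340 28560 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22'

# audit_ssh_rules PORT IFACE  (hypothetical helper name)
# Reads `iptables -vnL` text on stdin; for every ACCEPT rule matching tcp PORT
# arriving on IFACE prints: chain source pkts relevance scope hit-status
audit_ssh_rules() {
  awk -v port="$1" -v ifc="$2" '
    $1 == "Chain" { chain = $2; next }          # remember which chain we are in
    $3 == "ACCEPT" && $4 == "tcp" && $6 == ifc && $0 ~ ("dpt:" port "( |$)") {
      # INPUT filters traffic addressed to the router itself (its own sshd);
      # FORWARD only sees traffic routed through it to other hosts.
      rel   = (chain == "INPUT") ? "applies" : "not-for-router-sshd"
      scope = ($8 == "0.0.0.0/0") ? "any-source" : "restricted-source"
      # pkts == 0 means no packet has matched this rule since it was loaded.
      hit   = ($1 == 0) ? "never-hit" : "hit"
      print chain, $8, $1, rel, scope, hit
    }'
}

printf '%s\n' "$SAMPLE" | audit_ssh_rules 22 ppp0
```

On a router the function can be fed live output with `iptables -vnL | audit_ssh_rules 22 ppp0`, assuming an awk is available in the firmware's shell.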

Post by tiepolo » Tue Jul 07, 2009 5:02 pm

hello,

I can confirm you that the FORWARD line is useless;
I have dropbear working and accessible on 2.9 with those 2 instructions in /proc/sys/dev/adam2/environment :

ip1.sh ;/usr/sbin/dropbear -i -a -p 2222
ip4.sh ;/sbin/iptables -I INPUT -i ppp0 -p tcp --dport 2222 -j ACCEPT

I opened port 2222 a dropbear session;

the instruction you gave from ssh (setenv ip4.sh ";/sbin/iptables -I INPUT -i ppp0 -p tcp --dport 22 -j ACCEPT" ) should work in order to write the correct line in the environment file - did you reboot the router? new environment is changed only after reboot.
Paolo

Post by pierissimo » Tue Jul 07, 2009 5:29 pm

tiepolo wrote:
> hello,
>
> I can confirm you that the FORWARD line is useless;
> I have dropbear working and accessible on 2.9 with those 2 instructions in /proc/sys/dev/adam2/environment :
>
> ip1.sh ;/usr/sbin/dropbear -i -a -p 2222
> ip4.sh ;/sbin/iptables -I INPUT -i ppp0 -p tcp --dport 2222 -j ACCEPT
>
> I opened port 2222 a dropbear session;
>
> the instruction you gave from ssh (setenv ip4.sh ";/sbin/iptables -I INPUT -i ppp0 -p tcp --dport 22 -j ACCEPT" ) should work in order to write the correct line in the environment file - did you reboot the router? new environment is changed only after reboot.

ok i'll give a look to
ip1.sh ;/usr/sbin/dropbear -i -a -p 2222
command...

Post by pierissimo » Tue Jul 07, 2009 7:46 pm

pierissimo wrote:
> tiepolo wrote:
> > hello,
> >
> > I can confirm you that the FORWARD line is useless;
> > I have dropbear working and accessible on 2.9 with those 2 instructions in /proc/sys/dev/adam2/environment :
> >
> > ip1.sh ;/usr/sbin/dropbear -i -a -p 2222
> > ip4.sh ;/sbin/iptables -I INPUT -i ppp0 -p tcp --dport 2222 -j ACCEPT
> >
> > I opened port 2222 a dropbear session;
> >
> > the instruction you gave from ssh (setenv ip4.sh ";/sbin/iptables -I INPUT -i ppp0 -p tcp --dport 22 -j ACCEPT" ) should work in order to write the correct line in the environment file - did you reboot the router? new environment is changed only after reboot.
>
> ok i'll give a look to
> ip1.sh ;/usr/sbin/dropbear -i -a -p 2222
> command...

sorry but I do not want to change sshd port....
cat /proc/sys/dev/adam2/environment returns:

ip3.sh ;/sbin/iptables -I FORWARD -i ppp0 -p tcp --dport 22 -j ACCEPT
ip4.sh ;/sbin/iptables -I INPUT -i ppp0 -p tcp --dport 22 -j ACCEPT

It looks good... but if I try to connect to my no-ip router address it times out...

Post by tiepolo » Tue Jul 07, 2009 7:51 pm

can you please describe your network?
who's your internet access provider? does it use a firewall?
did you reboot after changing environment?
the port doesn't need to be changed, it was an example.
Paolo

Post by pierissimo » Tue Jul 07, 2009 7:55 pm

tiepolo wrote:
> can you please describe your network?
> who's your internet access provider? does it use a firewall?
> did you reboot after changing environment?
> the port doesn't need to be changed, it was an example.

well.. my Italian provider is tele2, it does not provide a firewall I think...
yes I rebooted after giving the command!!

Post by pierissimo » Tue Jul 07, 2009 8:07 pm

With the 2.7v modded by darkwolf, ssh session worked fine...
Now I flashed my dlink g604t router with 2.9v and it no longer works!

Post by pierissimo » Tue Jul 07, 2009 9:27 pm

ok solved... the problem was not the sshd server, but the no-ip client... I marked "Use Group Name", which gave me problems...
sorry!
thanx

Post by rokafeller » Thu Jul 30, 2009 9:28 am

What exactly do you mean by no-ip client?
I have the same issue (no ssh connection over WAN). Could you please elaborate a bit more about how you solved it?

thanx a lot
daniele

Post by mstombs » Thu Jul 30, 2009 10:44 pm

I think pierissimo meant that the ddns client in the software failed to update the WAN IP address, so connecting with router@no-ip.org didn't work - if not updated he won't have been trying to connect to the correct router!

Post by Supermanglide » Wed Aug 10, 2011 9:04 am

With the 2.7v modded by darkwolf, ssh session worked fine...
Now i flashed my dlink g604t router with 2.9v and no extended works!

[Edit: SPAM signature removed by thechief]

Post by shyjack » Sat Oct 22, 2011 12:37 am

Hi I got the same problem.

Just flashed my dlink G604T with 2.96 firmware and everything worked fine except wan ssh/telnet.

I got a static IP from isp and I accessed the modem from a static IP as well. but for some reason it just didn't work.

Advance->Access Control
Enable Access Control ticked
WAN: telnet/ssh ticked.
LAN group 1: telnet/web/ftp/ssh ticked
IP Access List: 4 internal IP addresses from LAN and 2 external IP addresses from office.

I also enabled Advance->Remote Web Access.

pretty sure I got the correct office IP, correct WAN IP (isp allocated static IP), I can open the remote web admin page from within the office, but ssh/telnet from office just hangs.

I had searched the forum but found nothing related, did I miss anything?

thanks

Post by thechief » Sat Oct 22, 2011 4:46 pm

If all else fails, use VPN. RT firmwares now support OpenVPN and pptp-based VPNs.

Post by shyjack » Sun Oct 23, 2011 10:39 pm

Thanks for answering but that is not a solution to me.

I might not have a VPN client on some of my devices, thus I still prefer a thin ssh client which does exactly what I need.

I might play with the iptables command to get WAN ssh through, but I'd definitely like to achieve all this through the web GUI and also make this setting permanent.

For such a wonderful firmware, I thought WAN ssh/telnet was a very standard setting, and indeed from the web GUI the setting is so straightforward, though it is not working under some circumstances; that is why we need to find out the reason, fix it and improve this firmware.

But I have to say this RouterTech firmware is so fantastic, and thanks to the many people who are contributing to this.