OpenWrt Forum Archive

Topic: external ssh access in 8.09 & /etc/config/firewall

The content of this topic has been archived on 29 Mar 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I notice the new /etc/config/firewall has no example anymore to allow external ssh access. Searching this forum, the wiki or the internet didn't help me find a solution, or a clear example of how this /etc/config/firewall is set up.

I tried something like this:

config redirect
        option src        wan
        option src_dport  22
        option dest_ip    192.168.1.200
        option dest_port  22
        option proto      tcp

but I obviously don't understand what I'm doing, since it doesn't work. Can anyone provide an example of what to change in /etc/config/firewall to allow ssh access coming in on the WAN port to connect to the (a?) dropbear process running on the router? Since I hope this documentation would be of use to others, I hope this is the right place to post this.

Thanks!
Jurriaan

I added the following command in /etc/firewall.user:

# accept new TCP connections to port 22 arriving from the wan zone,
# rate-limited to 1 new connection per minute with a burst of 3
iptables -A input_wan -p tcp --dport 22 -m state --state NEW --match limit --limit 1/m --limit-burst 3 -j ACCEPT

This post, by Obsy in the thread 'open port 22 from wan', gives another solution:

uci add firewall rule
uci set firewall.@rule[-1]._name=ssh
uci set firewall.@rule[-1].src=wan
uci set firewall.@rule[-1].target=ACCEPT
uci set firewall.@rule[-1].proto=tcp
uci set firewall.@rule[-1].dest_port=22
uci commit firewall
/etc/init.d/firewall start

which, when run, removes all the examples from /etc/config/firewall but leaves this:

config 'rule'
        option '_name' 'ssh'
        option 'src' 'wan'
        option 'target' 'ACCEPT'
        option 'proto' 'tcp'
        option 'dest_port' '22'

and also works.

Jurriaan wrote:

This post, by Obsy in the thread 'open port 22 from wan', gives another solution:

...
config 'rule'
        option '_name' 'ssh'
        option 'src' 'wan'
        option 'target' 'ACCEPT'
        option 'proto' 'tcp'
        option 'dest_port' '22'

...

This works beautifully but I would like to allow only port 2222 to access ssh from wan side but keep allowing 22 from the lan side - How do I do that?

Thanks,

Jim

Ok I figured out a solution ... not sure if it is the best way though but it works :-)

You need to set up SSL-protected access with uhttpd and then modify the firewall using the following steps (verified with 10.3):

Firstly install the cert generator and web server TLS plugin:

opkg install px5g uhttpd-mod-tls

Then restart the web server to trigger certificate generation:

/etc/init.d/uhttpd restart

Optionally remove the key generator:

opkg remove px5g

Then edit the firewall config file:

vi /etc/config/firewall

Now append the following:

config 'rule'
        option 'target' 'ACCEPT'
        option '_name' 'luci'
        option 'src' 'wan'
        option 'proto' 'tcp'
        option 'dest_port' '443'

config redirect
        option src        wan
        option src_dport  2222
        option dest       lan
        option dest_ip    192.168.1.1
        option dest_port  22
        option proto      tcp

config rule
        option src        wan
        option proto      tcp
        option dest_ip    192.168.1.1
        option dest_port  22
        option target     ACCEPT

Additionally, I allow ssh access from the wan to the router on port 2222.
Finally, you need to stop and start your firewall to effect the changes:

/etc/init.d/firewall stop
/etc/init.d/firewall start
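Once rules like Jurriaan's `rule` section and Jim's `redirect`/`rule` pair are in /etc/config/firewall, the check a practitioner wants is a quick listing of everything the file actually admits from the wan zone. The script below is an added example, not code from the thread or from OpenWrt: it parses the UCI firewall format with awk (both the quoted form `uci commit` writes and the bare form typed by hand, one option per line, values without spaces) and prints every `rule` with `src wan` and `target ACCEPT` and every `redirect` with `src wan`. The sample config it audits is constructed here from the sections posted above, with a lan-only rule added to show that it is correctly left out.

```shell
#!/bin/sh
# Added example: audit an OpenWrt /etc/config/firewall and list each section
# that admits traffic arriving on the wan zone.  Usage: wan_exposed FILE

wan_exposed() {
    awk '
        # uci commit writes option names and values in single quotes; strip them
        function unq(s) { gsub(/\047/, "", s); return s }
        # called at each new "config" line and at EOF: report the section just read
        function flush() {
            if (type == "rule" && opt["src"] == "wan" && opt["target"] == "ACCEPT") {
                nm   = (opt["_name"] == "")     ? "(unnamed)" : opt["_name"]
                dst  = (opt["dest_ip"] == "")   ? "router"    : opt["dest_ip"]
                port = (opt["dest_port"] == "") ? "any"       : opt["dest_port"]
                printf "rule %s: wan -> %s %s/%s\n", nm, dst, opt["proto"], port
            }
            if (type == "redirect" && opt["src"] == "wan") {
                printf "redirect: wan %s/%s -> %s:%s\n", opt["proto"], opt["src_dport"], opt["dest_ip"], opt["dest_port"]
            }
            type = ""; split("", opt)
        }
        $1 == "config" { flush(); type = unq($2) }
        $1 == "option" { opt[unq($2)] = unq($3) }
        END            { flush() }
    ' "$1"
}

# Constructed sample (not taken from a real router): the ssh rule from the
# uci example, Jim's redirect/rule pair, and a lan-only rule that must not show up.
sample_firewall() {
    cat <<'EOF'
config 'rule'
        option '_name' 'ssh'
        option 'src' 'wan'
        option 'target' 'ACCEPT'
        option 'proto' 'tcp'
        option 'dest_port' '22'

config redirect
        option src        wan
        option src_dport  2222
        option dest       lan
        option dest_ip    192.168.1.1
        option dest_port  22
        option proto      tcp

config rule
        option src        wan
        option proto      tcp
        option dest_ip    192.168.1.1
        option dest_port  22
        option target     ACCEPT

config rule
        option src        lan
        option proto      tcp
        option dest_port  22
        option target     ACCEPT
EOF
}

# Write the sample to a temp file, audit it, clean up.  On a router you would
# run: wan_exposed /etc/config/firewall
main() {
    tmp=$(mktemp)
    sample_firewall > "$tmp"
    wan_exposed "$tmp"
    rm -f "$tmp"
}

main "$@"
```

For the constructed sample this prints three lines: the router's port 22 opened by the `ssh` rule, the 2222-to-22 redirect, and the unnamed rule that accepts wan traffic to 192.168.1.1:22; the lan-only rule is not reported. Running it against the real file after every `uci commit firewall` is a cheap way to confirm that nothing beyond the intended ssh (and, in Jim's case, https) port is reachable from the outside.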

The discussion might have continued from here.