SSH to host via public IP address, client isolation

I am trying to SSH from anywhere to 192.168.1.10:1234. All clients are isolated in wireless and I want to be able to do this from anywhere, so I have set up port forwarding like so:

Match: IPv4-tcp
From any host in wan
Via any router IP at port 1234

To 192.168.1.10:1234 in lan.

SSH is working in the host; I can connect via localhost and netstat shows it listening. In addition, iptables has been set up to allow incoming connections to 1234 and outgoing to all.
From my terminal, ssh to the public IP address via port 1234 times out.
What could be wrong?

Are you doing this test from the Internet or locally?

From the Internet and locally; neither works.

Perform tests from the internet and verify that you can detect those requests via tcpdump or iptables counters on the router.

What do you mean by public IP? Can you ssh to 192.168.1.10:1234 using a different computer or the router? If by public you mean the public IP address of the router then you would need to use port 38271.

In fact iptables -c | grep 1234 shows all counters are zero...

-A zone_wan_forward -d 192.168.1.10/32 -p tcp -m tcp --dport 1234 -m comment --comment "!fw3: forw" -c 0 0 -j zone_lan_dest_ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 1234 -m comment --comment "!fw3: forw" -c 0 0 -j ACCEPT

Sorry. I meant to make it easier by using 1234 and forgot to change it only there. Anyways, I can SSH from my router. I want to SSH to publicip:1234. I can't SSH to 192.168... as clients are isolated (but the router can and does properly).

I could SSH from outside to the router, then from the router to the host, but:

  • I would like not to expose my router's SSH (even with a different user)
  • Go directly to the host

If all you are interested in is forwarding incoming SSH connections to your host, then you could set up a DNAT rule in your firewall to do port forwarding:

config redirect
        option name      Forward-SSH-to-Host
        option src       wan
        option dest      lan
        option proto     tcp
        option src_dport 1234
        option dest_ip   192.168.1.10
        option target    DNAT

I've added that to /etc/config/firewall and reloaded it with service firewall reload.
It doesn't fix the problem though. I can see it in luci too.
The one I had added is:

config rule
        option enabled '1'
        option target 'ACCEPT'
        option src 'wan'
        option name 'forw'
        option family 'ipv4'
        option proto 'tcp'
        option dest 'lan'
        option dest_ip '192.168.1.10'
        option dest_port '1234'

I'm using ssh user@publicip -p 1234. Unfortunately, it still doesn't work.

You may want to try using service firewall restart instead of service firewall reload.

Nothing has changed. The output of iptables -vS | grep 1234 still shows counters with a value of zero.

I have also cleared out my rule and your rule in luci and applied yours only, still no change

If anybody is wondering, SSH is set up to listen on any interface and accept connections from any IP address on that port.

I think you also need src_dport 1234 in your config, so it knows which port to accept on the WAN side.

Such as

config rule
        option enabled '1'
        option target 'ACCEPT'
        option src 'wan'
        option name 'forw'
        option src_port '1234'
        option dest 'lan'
        option dest_ip '192.168.1.10'
        option dest_port '1234'

This does not work either...

No, src_dport. Meaning the destination port on the source side. Also you still need all the other stuff in the first config you posted.

src_port is seldom useful, since when a user initiates an outgoing connection, by default it chooses a random port as the source.

config rule
        option enabled '1'
        option target 'ACCEPT'
        option src 'wan'
        option name 'forw'
        option family 'ipv4'
        option proto 'tcp'
        option dest 'lan'
        option dest_ip '192.168.1.10'
        option dest_port '1234'
        option src_dport '1234'

gives

-A zone_wan_forward -d 192.168.1.10/32 -p tcp -m tcp --dport 1234 -m comment --comment "!fw3: forw" -c 0 0 -j zone_lan_dest_ACCEPT

I can't connect, unfortunately.

Are there logs anywhere for this issue?

Logging dropped/rejected packets as explained here doesn't show me anything (am I reading the wrong log file? I use logread).
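As an added example that is not part of this thread and not OpenWrt's own tooling: a small checker for UCI firewall stanzas that flags the two points argued above, src_port versus src_dport, and a plain ACCEPT rule (which only permits forwarded traffic already addressed to 192.168.1.10) versus a redirect with target DNAT (which rewrites traffic arriving at the router's WAN port). The sample config it parses is constructed from the stanzas posted in the thread.

```python
import re

# Constructed sample: the poster's ACCEPT rule next to the suggested DNAT redirect.
SAMPLE_CONFIG = """
config rule
        option enabled '1'
        option target 'ACCEPT'
        option src 'wan'
        option name 'forw'
        option src_port '1234'
        option dest 'lan'
        option dest_ip '192.168.1.10'
        option dest_port '1234'

config redirect
        option name      Forward-SSH-to-Host
        option src       wan
        option dest      lan
        option proto     tcp
        option src_dport 1234
        option dest_ip   192.168.1.10
        option target    DNAT
"""

STANZA_RE = re.compile(r"^\s*config\s+(\w+)(?:\s+'?(\w+)'?)?\s*$")
OPTION_RE = re.compile(r"^\s*option\s+(\w+)\s+'?([^']*?)'?\s*$")

def parse_uci(text):
    """Return a list of (section_type, {option: value}) from UCI-style text."""
    sections = []
    for line in text.splitlines():
        m = STANZA_RE.match(line)
        if m:
            sections.append((m.group(1), {}))
            continue
        m = OPTION_RE.match(line)
        if m and sections:
            sections[-1][1][m.group(1)] = m.group(2)
    return sections

def forward_problems(section_type, opts):
    """List the reasons a stanza will not forward WAN traffic to a LAN host."""
    problems = []
    if section_type != "redirect":
        problems.append("a 'config rule' only filters; a port forward needs 'config redirect'")
    if opts.get("target", "").upper() != "DNAT":
        problems.append("target must be DNAT so the destination address is rewritten")
    if "src_dport" not in opts:
        problems.append("src_dport (the port the router accepts on the WAN side) is missing")
    if "src_port" in opts:
        problems.append("src_port matches the client's random source port, not the service port")
    for required in ("proto", "dest_ip"):
        if required not in opts:
            problems.append(f"{required} is missing")
    return problems
```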