OpenWrt Forum Archive

Topic: HOWTO open SSH port for WAN

The content of this topic has been archived on 1 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

[size=18]HOWTO open SSH port for WAN[/size]

This has been tested on a RouterStation Pro running Backfire rc3

Enter the router CLI (Command Line Interface) through either serial or ethernet. It's assumed that if you are using ethernet you will connect through a LAN port of your router.

[size=18]Method 1[/size]

To list the current rules:

cat /etc/config/firewall

We need to add this rule:

#Allow SSH
config rule
        option src              wan
        option proto            tcp
        option dest_port        ssh
        option target           ACCEPT

vi /etc/config/firewall

press "a" to append

make changes

press "Esc" ":" "w" "q" to save and exit

UCI CLI commands for adding the config section:

uci add firewall rule
uci set firewall.@rule[-1].src=wan
uci set firewall.@rule[-1].target=ACCEPT
uci set firewall.@rule[-1].proto=tcp
uci set firewall.@rule[-1].dest_port=22
uci commit firewall
/etc/init.d/firewall restart

[size=18]Method 2[/size]

You also need to open up the firewall to allow incoming connections on port 22 (the ssh port), which can be done using a small init.d script like this:

root@caramel:~# cat>/etc/init.d/open-wan-ssh-port
#!/bin/sh /etc/rc.common
# Written by Simon Josefsson 2009-03-05.  Released into the public domain.

START=90
start() {
        iptables --append input_wan --protocol tcp --dport 22 --jump ACCEPT
}
^D
root@caramel:~# chmod +x /etc/init.d/open-wan-ssh-port
root@caramel:~# /etc/init.d/open-wan-ssh-port enable

(Last edited by ispyisail on 9 May 2010, 06:55)
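An added check, not part of the HOWTO and not OpenWrt's own tooling: a small POSIX shell audit that parses a /etc/config/firewall in the syntax shown above and reports whether a rule already accepts SSH from wan into the router itself, which is exactly what Method 1 exposes. The function names and the sample config are mine; on a router you would run `wan_ssh_rule_present /etc/config/firewall`.

```shell
#!/bin/sh
# Added audit helper, not from the forum post: parse a Backfire-style
# /etc/config/firewall and report whether any rule accepts SSH from the
# wan zone into the router itself (what Method 1 creates). sh, tr and awk only.
# One line per 'config rule' section: name src dest proto dest_port target,
# "-" where an option is absent. Quotes around values are stripped first.
list_rules() {
    tr -d "\"'" < "$1" | awk '
        function flush() { if (in_rule) print name, src, dest, proto, port, target }
        $1 == "config" {
            flush()
            in_rule = ($2 == "rule")
            name = ($3 != "") ? $3 : "-"
            src = dest = proto = port = target = "-"
        }
        in_rule && $1 == "option" {
            if      ($2 == "src")       src = $3
            else if ($2 == "dest")      dest = $3
            else if ($2 == "proto")     proto = $3
            else if ($2 == "dest_port") port = $3
            else if ($2 == "target")    target = $3
        }
        END { flush() }'
}

# Exit 0 when a rule has src=wan, no dest zone (router input), tcp (or the
# tcpudp default when proto is unset), port 22 or the "ssh" service name the
# HOWTO uses, and target ACCEPT. Exit 1 otherwise.
wan_ssh_rule_present() {
    list_rules "$1" | awk '
        $2 == "wan" && $3 == "-" && ($4 == "tcp" || $4 == "tcpudp" || $4 == "-") &&
        ($5 == "22" || $5 == "ssh") && $6 == "ACCEPT" { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Constructed sample config mirroring the rule added in Method 1.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
config defaults
        option input            ACCEPT
#Allow SSH
config rule
        option src              wan
        option proto            tcp
        option dest_port        ssh
        option target           ACCEPT
EOF
if wan_ssh_rule_present "$SAMPLE"; then echo "SSH accepted from WAN"; else echo "no WAN SSH rule"; fi
rm -f "$SAMPLE"
```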

1) Method 1 is recommended. If you really want to use plain iptables commands, use /etc/firewall.user.

2) For Method 1 you should also show us the UCI CLI commands for adding the config section:

uci add firewall rule
uci set firewall.@rule[-1].src=wan
uci set firewall.@rule[-1].target=ACCEPT
uci set firewall.@rule[-1].proto=tcp
uci set firewall.@rule[-1].dest_port=22
uci commit firewall
/etc/init.d/firewall restart

OK

I just rebooted the router and it worked

I had to $ vi /etc/config/dropbear, and set (option 'Interface' 'Wifi'), where Wifi is the name of my wl0 interface.

remote SSH port for WAN

# ssh root@x.x.x.x
ssh_exchange_identification: read: Connection reset by peer

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
syn_flood  tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN
input_rule  all  --  anywhere             anywhere
input      all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
forwarding_rule  all  --  anywhere             anywhere
forward    all  --  anywhere             anywhere
reject     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
output_rule  all  --  anywhere             anywhere
output     all  --  anywhere             anywhere

Chain MINIUPNPD (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere                   udp dpt:44182
ACCEPT     tcp  --  anywhere                    tcp dpt:44182

Chain forward (1 references)
target     prot opt source               destination
zone_lan_forward  all  --  anywhere             anywhere
zone_wan_forward  all  --  anywhere             anywhere

Chain forwarding_lan (1 references)
target     prot opt source               destination

Chain forwarding_rule (1 references)
target     prot opt source               destination
nat_reflection_fwd  all  --  anywhere             anywhere

Chain forwarding_wan (1 references)
target     prot opt source               destination

Chain input (1 references)
target     prot opt source               destination
zone_lan   all  --  anywhere             anywhere
zone_wan   all  --  anywhere             anywhere

Chain input_lan (1 references)
target     prot opt source               destination

Chain input_rule (1 references)
target     prot opt source               destination

Chain input_wan (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh

Chain nat_reflection_fwd (1 references)
target     prot opt source               destination

Chain output (1 references)
target     prot opt source               destination
zone_lan_ACCEPT  all  --  anywhere             anywhere
zone_wan_ACCEPT  all  --  anywhere             anywhere

Chain output_rule (1 references)
target     prot opt source               destination

Chain reject (5 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain syn_flood (1 references)
target     prot opt source               destination
RETURN     tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50
DROP       all  --  anywhere             anywhere

Chain zone_lan (1 references)
target     prot opt source               destination
input_lan  all  --  anywhere             anywhere
zone_lan_ACCEPT  all  --  anywhere             anywhere

Chain zone_lan_ACCEPT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain zone_lan_DROP (0 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain zone_lan_REJECT (1 references)
target     prot opt source               destination
reject     all  --  anywhere             anywhere
reject     all  --  anywhere             anywhere

Chain zone_lan_forward (1 references)
target     prot opt source               destination
zone_wan_ACCEPT  all  --  anywhere             anywhere
forwarding_lan  all  --  anywhere             anywhere
zone_lan_REJECT  all  --  anywhere             anywhere

Chain zone_wan (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootpc
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
input_wan  all  --  anywhere             anywhere
zone_wan_REJECT  all  --  anywhere             anywhere

Chain zone_wan_ACCEPT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain zone_wan_DROP (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            limit: avg 10/min burst 5 LOG level warning prefix `DROP(wan):'
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain zone_wan_REJECT (2 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            limit: avg 10/min burst 5 LOG level warning prefix `REJECT(wan):'
reject     all  --  anywhere             anywhere
reject     all  --  anywhere             anywhere

Chain zone_wan_forward (1 references)
target     prot opt source               destination
MINIUPNPD  all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere                tcp dpt:3389
forwarding_wan  all  --  anywhere             anywhere
zone_wan_REJECT  all  --  anywhere             anywhere


WHY?

To me, this works...

My system:
Model: TP-Link TL-WDR4300 v1
Firmware Version: OpenWrt Barrier Breaker 14.07 / LuCI Trunk (0.12+svn-r10530)
Kernel Version: 3.10.49
####################
On LuCI GUI:
Network > Firewall > Traffic Rules > New forward rule
Name: SSH
Restrict to address family: IPv4 and IPv6
Protocol: TCP
Match ICMP type: Any
Source zone: wan
Source MAC address: Any
Source address: Any
Source Port: Any
Destination zone: Device (input)
Destination address: Any
Destination Port: 22
Action: Accept
SAVE AND APPLY
-------------------------------------------------------------------------------
System > Administration > Dropbear Instance > Add Button
Interface: wan
Port: 22
Password authentication, Allow root logins with password and Gateway ports CHECKED
-------------------------------------------------------------------------------
Status Firewall > Restart Firewall
System Startup > Restart Button on dropbear

Done! It works!

The discussion might have continued from here.