SSH port forwarding allowed regardless of the setting


Ferisko

Hello,

first of all a big thanks to Merlin (and everyone else who contributed) for this great firmware. The main reason for me to use this firmware is the ssh daemon and ssh port forwarding.

Now to the point:
Recently I noticed that it does not matter if I set the option "Allow SSH Port Forwarding" in Administration -> System to "Yes" or "No", the port forwarding still works. I can do local, remote and dynamic port forwards via both LAN and WAN ssh connections no problem even if set to "Allow SSH Port Forwarding: No". Running build 3.0.0.4.266.23b.

I know it's a minor bug for those of us who actually use ssh port forwarding, but I thought it might be good to let the people who disabled it for security or whatever reasons know that the option may be buggy.
 
I'll have to review how configuration of forwarded ports works in dropbear. Enabling the option runs it with the "-a" option, which is supposed to allow connections from any host to forwarded ports. Did you see if maybe it allowed you to forward ports, but refused to allow you to connect to them? If not, I guess the default (for some odd reason) is to allow forwarded port connections, and I have to explicitly forbid them if the option is disabled.
 
Hi,

I usually connect to the forwarded ports only from the machine from which I created the tunnel in the first place (e.g. using dynamic port forward from my work laptop to my router as a socks proxy for my browser) and that works.

Never tried to use the tunnel from other machines in the network (e.g. other machines in the office). I know for local port forwards the -g option enables others to connect to your local tunnel ports:
Code:
ssh user@home.org -L 10000:192.168.1.125:22 -g
(also there is a check box in putty for it)

For remote port forwards to be usable by everyone on the remote machine's network, "GatewayPorts yes" must be added to sshd_config on the ssh server machine (for traditional OpenSSH). Maybe the -a option for dropbear does this?

Didn't try to actually use a remote tunnel yet. Can't test it today, because I left everything at home off except for the router, but I should try tomorrow.

//edit: to answer myself, from the dropbear change log:
Code:
- Added -g (dbclient) and -a (dropbear server) options to allow
  connections to listening forwarded ports from remote machines.
So yeah, looks like the -a option does the "GatewayPorts yes" functionality.
 
So yeah, looks like the -a option does the "GatewayPorts yes" functionality.

That option is what currently gets added to dropbear when you enable port forwarding on the webui.
 
So I did a bit of testing today and my conclusions are as follows:
- SSH port forwarding is enabled regardless of the setting
- SSH port forwarding works the same way regardless of the setting.
- the -a option, which should allow other computers on the router's network to connect to the "Remote" forwarded ports, seems broken:
Code:
vacek@mail:~$ ssh admin@cenzored -R 45555:localhost:25
admin@cenzored's password:


ASUSWRT RT-N66U_3.0.0.4 Mon Dec 31 22:49:01 UTC 2012
admin@RT-N66U:/tmp/home/root# netstat -an | grep 45555
tcp        0      0 127.0.0.1:45555         0.0.0.0:*               LISTEN
admin@RT-N66U:/tmp/home/root# ps | grep drop
  786 admin     1076 S    dropbear -p 22 -a
  839 admin     1140 S    dropbear -p 22 -a
  850 admin     1608 S    grep drop
admin@RT-N66U:/tmp/home/root# exit
Connection to cenzored closed.
vacek@mail:~$ ssh admin@cenzored -R 45555:localhost:25
admin@cenzored's password:


ASUSWRT RT-N66U_3.0.0.4 Mon Dec 31 22:49:01 UTC 2012
admin@RT-N66U:/tmp/home/root# netstat -an | grep 45555
tcp        0      0 127.0.0.1:45555         0.0.0.0:*               LISTEN
admin@RT-N66U:/tmp/home/root# ps | grep drop
  861 admin     1076 S    dropbear -p 22
  875 admin     1140 S    dropbear -p 22
admin@RT-N66U:/tmp/home/root# telnet localhost 45555
220 mail.cenzored ESMTP Postfix
^]

Console escape. Commands are:

 l      go to line mode
 c      go to character mode
 z      suspend telnet
 e      exit telnet
e
admin@RT-N66U:/tmp/home/root#

As you can see, the router is listening on port 45555 only on the loopback interface regardless of the dropbear -a setting. So while I can utilize the forwarded port from the router itself, other boxes on the home network cannot.

//edit: checked the dropbear man page and found a possible solution to enabling and disabling ssh port forwarding:
- -j switch to disable local port forwarding
- -k switch to disable remote port forwarding
- neither of the two switches: port forwarding enabled (default); both switches: port forwarding disabled :)
 
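As an added example (not Asuswrt-Merlin's own rc code and not code posted in this thread), here is a small shell helper that maps the webui setting to the dropbear switches discussed in the posts above, -j -k when forwarding is disabled and -a when it is allowed, plus a check that reads `netstat -an` output and reports whether a forwarded port is bound to loopback or to all interfaces, which is the test run in the post above. The function names, the "yes"/"no" setting values and the sample netstat lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example; not Asuswrt-Merlin's rc code. Function names, the
# "yes"/"no" setting values and the sample netstat lines are assumptions.

# dropbear_args SETTING [PORT]
# Prints the dropbear switches for the "Allow SSH Port Forwarding" setting:
#   yes -> -a      allow connections to forwarded ports from other hosts
#   no  -> -j -k   explicitly disable local (-j) and remote (-k) forwarding,
#                  because dropbear enables both by default
dropbear_args() {
    setting=$1
    port=${2:-22}
    case "$setting" in
        yes) printf '%s\n' "-p $port -a" ;;
        no)  printf '%s\n' "-p $port -j -k" ;;
        *)   printf 'dropbear_args: unknown setting "%s"\n' "$setting" >&2; return 1 ;;
    esac
}

# forward_scope PORT   (reads `netstat -an` output on stdin)
# Reports what a listening TCP socket on PORT is bound to:
#   loopback  127.0.0.1, reachable only from the router itself
#   all       0.0.0.0, reachable from other hosts (GatewayPorts-style)
#   other     a specific interface address
#   none      nothing is listening on PORT
forward_scope() {
    awk -v port="$1" '
        $1 == "tcp" && $NF == "LISTEN" {
            n = split($4, a, ":")            # local address is field 4, "addr:port"
            if (a[n] == port) {
                if (a[1] == "127.0.0.1")     print "loopback"
                else if (a[1] == "0.0.0.0")  print "all"
                else                         print "other"
                found = 1
                exit
            }
        }
        END { if (!found) print "none" }'
}

# Constructed sample of `netstat -an` on the router: the remote forward
# from the post (-R 45555) bound to loopback, and the ssh daemon on all
# interfaces. Constructed for this example, not captured from a device.
SAMPLE_NETSTAT='tcp        0      0 127.0.0.1:45555         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:22          192.168.1.10:51234      ESTABLISHED'

# Usage: show the switches for both settings and check the sample listener.
dropbear_args no
dropbear_args yes
printf '%s\n' "$SAMPLE_NETSTAT" | forward_scope 45555
```

On a live router the check is `netstat -an | forward_scope 45555`. One caveat when reading a "loopback" result: with the plain `-R 45555:localhost:25` form used above, the OpenSSH client asks the server to bind the listener to localhost (ssh(1) documents that remote listeners are bound to loopback unless a bind_address is given), so a 127.0.0.1 listener does not by itself prove that dropbear's -a switch is ignored. To exercise -a, request a wildcard bind from the client side, e.g. `-R :45555:localhost:25` or `-R 0.0.0.0:45555:localhost:25`, and re-run the check.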
I also suspected the need to add these two switches when I looked at the man page a few days ago. The current Dropbear implementation in Asuswrt-Merlin was taken from the Tomato version it was originally forked from, and it probably received very little testing back then.

I'll look into it for a future version.
 
I am actually having a problem with this feature too. I know this is a really old thread but the option is bugged out for me on Merlin 380.60 beta 2. Sorry for resurrecting this thread.

After seeing this thread I checked to see what my router was set to. It appeared to be neither checked nor unchecked.

After checking it to enable it, I am no longer able to SSH into my router (connection refused). I have it set to allow from WAN and LAN. I am at work now, trying from WAN, and can't.

Additionally, I had forwarded port 2222 to port 22 on my main server on the network. Connecting to my host on 2222 times out now.

Oddly, somehow I can't VPN into the router either anymore (was running an OpenVPN server on it.)

I'll do more investigation tonight when I get home from work, because I am locked out from SSHing home right now.
 
