
SSHdaemon - WAN-access - using iptables - doesn't work, why not?

Martin - SNBuser

Regular Contributor
Hi all,

Why doesn't this give me access to SSH from the public IP (WAN-side of the Asus router) ? I have enabled SSH on the LAN-side of the router (Administration / System / SSH Daemon / "Enable SSH" = "LAN only", hence I'm assuming an SSHD-server is running, also because I can SSH to the router from 192.168.1.XXX)?
Code:
# iptables -F
# iptables -X
# iptables -P FORWARD ACCEPT

# iptables -L -v
Chain INPUT (policy ACCEPT 12 packets, 2992 bytes)
pkts bytes target     prot opt in     out     source               destination       

Chain FORWARD (policy ACCEPT 12 packets, 2292 bytes)
pkts bytes target     prot opt in     out     source               destination       

Chain OUTPUT (policy ACCEPT 8 packets, 2896 bytes)
pkts bytes target     prot opt in     out     source               destination
Everything should be ACCEPT'ed as far as I can see... Also, I don't see any SSHD process running:
Code:
# ps | grep -i ssh
9082 wrt54g    1380 S    grep -i ssh
I would like to understand this, so I can set up my fwknop-rules (this is like port-knocking, so I can dynamically turn on access to port 22 whenever I need it and so it's seen as "filtered" 99% of the time, where I don't need SSHD on the router)... Or do I need to maybe install an extra SSHD-server, e.g:
Code:
# opkg list | grep -i ssh | grep -i serve
dropbear - 2016.73-1 - A small SSH2 server/client designed for small memory environments.
openssh-server - 7.3p1-1 - OpenSSH server.
? Please advise!
 
The sshd daemon is called dropbear, not ssh.

Setting it to LAN only won't bind it to the WAN interface. You need to set it to LAN+WAN for the daemon to listen to both the LAN and the WAN interfaces.
 
> The sshd daemon is called dropbear, not ssh.
>
> Setting it to LAN only won't bind it to the WAN interface. You need to set it to LAN+WAN for the daemon to listen to both the LAN and the WAN interfaces.
Thanks! But I don't want LAN+WAN because that makes port 22 open and exposed to the internet, the whole time - open for attackers from Asia, Russia and wherever they are on the globe...

I wish to make dropbear/sshd work with "fwknop", e.g. this daemon keeps port 22 open for e.g. 30 seconds after receiving an SPA-packet. So 95%-99% of the time, port 22 is "filtered". And then I send an SPA packet, when I need to login. Within these 30 seconds (or whatever timeframe) I need to SSH from the WAN-side before fwknopd automatically closes the port again, on the WAN-side... Questions:

1) Is it impossible to get access to dropbear from the WAN-side, without turning on "LAN+WAN" in the GUI (normally I really really do not wish to expose any open ports/services on the internet, making my router vulnerable to attackers/hackers, so I'm seeking a way to access dropbear from eth0-interface - I prefer all my ports "filtered" or DROP'ed from the internet but LAN+WAN would make me visible)...

2) Is it really impossible to make a rule in IPTABLES (maybe either something iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -j MySSHrule or maybe something filter/INPUT or maybe ebtables: INPUT or BROUTING) so dropbear thinks a connection from eth0 is really from - maybe br0 ? Isn't that a PREROUTING-rule or something?

I'll post my steps to the forum, if I make it work (for future reference) - if anyone wants a similar solution with fwknop...
 
Turn it on for LAN + WAN, then simply delete the rule that opens port 22 in the INPUT chain, and replace it by your desired rules that handle port knocking through a firewall-start script.
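As an added example (not from the thread, and not code from the Asuswrt-Merlin firmware or from fwknop), here is a firewall-start script that does what the reply above describes: it removes the firmware's ACCEPT rule for the SSH port from INPUT and replaces it with an always-on ACCEPT from the LAN bridge plus a DROP from the WAN interface, leaving fwknopd to insert its timed ACCEPT ahead of the DROP. Assumptions: SSH is set to "LAN+WAN" in the GUI, eth0 is the WAN interface and br0 the LAN bridge (as in the thread), the script lives at a path such as /jffs/scripts/firewall-start, the firmware passes the WAN interface name as the script's first argument, and fwknopd runs in its iptables mode. The `iptables -S INPUT` dump embedded in SAMPLE_DUMP is constructed for the dry run, not captured from a router.

```shell
#!/bin/sh
# Added example: firewall-start script for the "delete the port-22 ACCEPT, add your
# own knock rules" approach.  Hypothetical path: /jffs/scripts/firewall-start.
# Assumed interface names: eth0 = WAN, br0 = LAN bridge.

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-br0}"
SSH_PORT="${SSH_PORT:-22}"
IPT="${IPT:-iptables}"   # set IPT=echo to only print the commands that would run

# Constructed sample of an `iptables -S INPUT` dump, used for the dry run below.
# The 2222 rule is a deliberate distractor: it must not be touched.
SAMPLE_DUMP='-P INPUT ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -j DROP'

# Read an `iptables -S INPUT` dump on stdin and print each rule that ACCEPTs the
# SSH port, in -S syntax with the leading "-A INPUT " stripped so it can be fed
# straight back to `iptables -D INPUT`.
ssh_accept_rules() {
    grep -- "^-A INPUT " | grep -- "--dport $SSH_PORT " | grep -- "-j ACCEPT" \
        | sed 's/^-A INPUT //'
}

# Delete every stock ACCEPT rule for the SSH port.  Reads the dump on stdin.
drop_stock_ssh_rules() {
    ssh_accept_rules | while read -r spec; do
        # shellcheck disable=SC2086  # the rule spec is meant to be word-split
        $IPT -D INPUT $spec
    done
}

# Replacement policy: LAN clients always reach dropbear; WAN clients hit DROP, so
# the port scans as filtered unless fwknopd has inserted a timed ACCEPT above it.
install_knock_policy() {
    # Both rules go in at position 1, so the one inserted last ends up first:
    # final order is the LAN ACCEPT, then the WAN DROP.
    $IPT -I INPUT -i "$WAN_IF" -p tcp --dport "$SSH_PORT" -j DROP
    $IPT -I INPUT -i "$LAN_IF" -p tcp --dport "$SSH_PORT" -j ACCEPT
}

# Apply against the live ruleset (the dump is always read from the real iptables).
main() {
    iptables -S INPUT | drop_stock_ssh_rules
    install_knock_policy
}

# Assumed: the firmware passes the WAN interface as $1.  With an argument the rules
# are applied; without one the script dry-runs on SAMPLE_DUMP so the commands can
# be reviewed before installing it.
if [ -n "$1" ]; then
    WAN_IF="$1"
    main
else
    IPT=echo
    printf '%s\n' "$SAMPLE_DUMP" | drop_stock_ssh_rules
    install_knock_policy
fi
```

Running the script with no argument prints the three iptables commands it would issue (one `-D` for the stock rule, two `-I` for the replacement policy). After the firewall restarts, check with `iptables -S INPUT` that the jump into fwknopd's own chain still sits above the WAN DROP rule; since this script also inserts at position 1, restarting fwknopd after it runs is the simplest way to keep that order (this is an assumption about fwknopd's iptables mode, so verify it on your box).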
 
> Turn it on for LAN + WAN, then simply delete the rule that opens port 22 in the INPUT chain, and replace it by your desired rules that handle port knocking through a firewall-start script.
Oh, it sounds so simple - stupid of me not to think about it like that... I'm currently not near my router, but tonight I'll test it and I think this sounds so simple that I really suspect it to work without any problems...

In case anyone else wants a similar solution, I think I might as well just throw a reference to how I've set up the fwknopd config files: https://sourceforge.net/p/fwknop/mailman/fwknop-discuss/?viewmonth=201609

I believe (am 95% sure) everything with SSH and fwknopd will work very soon, now, as I don't see why your suggestion should not work... Thank you very much, RMerlin...
 
