View the full version : dropbear from wan
gratitude182
19-01-2007, 20:00
can somebody please tell me how the settings are to connect from wan to dropbear? because i have tried some things, but it didn't help. (in lan everything works fine...)
am i wrong when i open the port 22 in the virtual server?
Port Range: 22
Local Ip 192.168.1.1
Local Port: empty
Protocol: TCP
thanks
grat182
What is connected to the other end of your wan cable? A modem/adsl router, or anything else that can handle port forwarding and NAT?
If there is another device, you need to forward the port there (as opposed to opening port 22 on the wl-700ge)
My router's WAN port is directly connected to my ISP. I put port 22 in both port entries. I confirmed the settings manually with the following iptables command. If your setup is like mine, you should see something similar to the following:
[root@WL700gE ~]$ iptables -t nat --list | grep ssh
DNAT tcp -- anywhere your.hostname dpt:ssh to:192.168.1.1:22
[root@WL700gE ~]$ iptables --list | grep ssh
ACCEPT tcp -- anywhere 192.168.1.1 tcp dpt:ssh
- K.C.
gratitude182
20-01-2007, 06:45
thanks for the answers.
the modem (cable) doesn't have a firewall or block something.
where do i see the iptables? do i have to install something?
i know it's a stupid question but i have only little linux knowledge :-(
i hope that somebody could help :-)
thanks
grat182
gratitude182
20-01-2007, 11:47
or shall i do it like it is written there:
http://www.sprayfly.com/wiki/SSH_Guide
?
thanks
grat182
dolphine
21-01-2007, 07:01
thanks for the answers.
where do i see the iptables? do i have to install something?
You can open port 22 in Asus WEB-GUI - this is probably the easiest way that will also work after you restart the router.
- or you can open it manually by e.g.
iptables -I INPUT 7 -p tcp --dport 22 -j ACCEPT
For a more complex solution please see http://wl700g.info/showthread.php?t=7712&highlight=iptables
dolphine
21-01-2007, 07:03
[root@WL700gE ~]$ iptables --list | grep ssh
ACCEPT tcp -- anywhere 192.168.1.1 tcp dpt:ssh
- K.C.
K.C.,
is there a special reason to have it in nat table in addition to input?
Thanks & Rgds
gratitude182
21-01-2007, 11:59
@ dolphine
is this right how i opened it in the asus web-gui?
advanced --> nat --> virtual server
Port Range: 22
Local Ip 192.168.1.1
Local Port: empty
Protocol: TCP
?
grat182
PS: but this doesn't work... also not after reboot :-(
dolphine
21-01-2007, 18:02
advanced --> nat --> virtual server
Port Range: 22
Local Ip 192.168.1.1
Local Port: empty
Protocol: TCP
I think that local port should be 22 as well. Port range specifies the range of ports on the external (WAN) interface that are forwarded to local ip and local port. Therefore both ports should be 22. The external port does not have to be 22.
Does it help?
gratitude182
21-01-2007, 20:50
thanks for your help dolphine.
i have changed the settings without success.
Port Range: 22
Local Ip 192.168.1.1
Local Port: 22
Protocol: TCP
when i connect local with the 192.168.1.1 everything works fine and when i turn off the fw it works also from wan (then it must be the firewall)
in the syslog i get the following error:
Jan 21 21:46:38 dropbear[576]: Child connection from 91.*.*.*:2342
Jan 21 21:46:38 dropbear[576]: exit before auth: Failed to get remote version
could anybody help?
grat182
gratitude182
21-01-2007, 22:11
could somebody tell me why i don't have the iptables command? (or what am i doing wrong)?
[~]$ iptables
bash: iptables: command not found
i'm logged in as root
thanks
grat182
gratitude182
22-01-2007, 07:12
i had problems with the paths! now it works...
thanks for help
grat182
K.C.,
is there a special reason to have it in nat table in addition to input?
Since the destination IP is non-routable, it has to be nat'd in order to get packets in and response packets back out to the WAN.
- K.C.
gratitude182
23-01-2007, 09:06
[root@WL700gE ~]$ iptables -t nat --list | grep ssh
DNAT tcp -- anywhere your.hostname dpt:ssh to:192.168.1.1:22
[root@WL700gE ~]$ iptables --list | grep ssh
ACCEPT tcp -- anywhere 192.168.1.1 tcp dpt:ssh
- K.C.
kfurge, have you written that then into the rc.local?
thanks
grat182
kfurge, have you written that then into the rc.local?
thanks
grat182
No. I did everything through the DMZ section of the web interface. The commands I showed were just a succinct way of confirming the tables contained the entries I expected.
No rc.local juggling was necessary for my setup.
- K.C.
velovite
28-01-2007, 14:44
I'm also struggling with ssh access from wan. My box is running Kfurge's firmware (thanks for the excellent job!). I can reach dropbear from the lan side alright, but in order to reach it from wan, I must disable the firewall (which I don't want: the point for using ssh is security, after all!)
Whatever my configuration effort through the Asus Web-GUI, if firewall is enabled, I can't ssh from wan. I have been reading your posts regarding this problem, and I don't understand how you manage to get it working: I have tried all NAT Settings>Virtual server and Firewall>Wan & Lan filters settings I could imagine, none makes it work when firewall is enabled. And when firewall is disabled, it works right away without any special port tweaking in the GUI. Kfurge mentions using DMZ for setting up ssh from the Web GUI, but maybe he got confused, because I can only set an IP address on the LAN side in this window (no port setting).
I understand that I can set iptables right for being able to ssh from Wan by typing in commands or using a script, but that these changes are not permanent and that further requires periodically resetting using a cron job, which I would prefer to avoid, if possible.
Can anyone clarify how he/she got it to work? Thanks in advance,
Phil
gratitude182
28-01-2007, 15:00
with my box it also didn't work with the virtual server, wan lan filter...
i have edited the rc.local like costinel wrote in this thread.
http://wl700g.info/showthread.php?t=7864&highlight=iptables
edit kfurge's rc.local and add (at the end):
iptables -I INPUT -p tcp --dport INSERT-YOUR-PORT-NUMBER-HERE -j ACCEPT
now it works... i don't know if the settings are also saved when i make some changes with the webui, i haven't tried it yet.
grat182
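The point this thread converges on, as an added example that is not part of any post above: a forward to 192.168.1.1 needs a nat DNAT entry and an INPUT ACCEPT, and the ACCEPT only takes effect if it sits ahead of the firewall's final DROP. The script checks both in `iptables-save` style text; the rulesets, the WAN address 203.0.113.10, the interface name br0 and the catch-all DROP at the end of INPUT are constructed assumptions, not output from the WL-700gE.

```shell
#!/bin/sh
# Added example. Rulesets are constructed iptables-save style text, not router output.

# input_accepts_port RULESET PORT -> exit 0 only if filter/INPUT has a TCP ACCEPT
# for PORT that comes before a catch-all "-A INPUT -j DROP|REJECT".
input_accepts_port() {
    printf '%s\n' "$1" | awk -v port="$2" '
        BEGIN { rc = 1 }
        /^\*/ { table = substr($0, 2); next }
        table != "filter" || $1 != "-A" || $2 != "INPUT" { next }
        NF == 4 && $3 == "-j" && ($4 == "DROP" || $4 == "REJECT") { exit }
        / -p tcp / && index($0, " --dport " port " ") && / -j ACCEPT$/ { rc = 0; exit }
        END { exit rc }'
}

# dnat_target_for_port RULESET PORT -> prints the nat/PREROUTING DNAT target, if any.
dnat_target_for_port() {
    printf '%s\n' "$1" | awk -v port="$2" '
        /^\*/ { table = substr($0, 2); next }
        table == "nat" && $2 == "PREROUTING" && / -j DNAT / &&
        index($0, " --dport " port " ") {
            for (i = 1; i < NF; i++) if ($i == "--to-destination") { print $(i + 1); exit }
        }'
}

# Constructed sample: 203.0.113.10 stands in for the WAN address, br0 for the LAN bridge.
COMMON='*nat
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.1.1:22
COMMIT
*filter
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -j ACCEPT'
SSH_RULE='-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'
DROP_RULE='-A INPUT -j DROP'
# Rule appended after the catch-all DROP: never reached, WAN ssh stays blocked.
APPENDED=$(printf '%s\n' "$COMMON" "$DROP_RULE" "$SSH_RULE" COMMIT)
# Rule inserted ahead of the DROP, which is what "iptables -I INPUT" achieves.
INSERTED=$(printf '%s\n' "$COMMON" "$SSH_RULE" "$DROP_RULE" COMMIT)

for name in APPENDED INSERTED; do
    eval "rules=\$$name"
    if input_accepts_port "$rules" 22; then verdict=reachable; else verdict=blocked; fi
    echo "$name: DNAT -> $(dnat_target_for_port "$rules" 22), INPUT verdict: $verdict"
done
```

Because rules added from rc.local or by hand can be lost when the firewall is rebuilt, the same check can be rerun after any web interface change.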