[HowTo] ssh to wl-500g under corporate proxy
Just wanted to share my experience of how to get connected to the wl-500g if you are sitting behind a
corporate proxy/firewall which disallows both direct internet and
"corp.proxy" -> "wl-500g: port 22" connections.
The main steps are:
1. Start the ssh daemon on your wl-500g.
2. Create a post-firewall script if one doesn't exist.
3. Change (add) iptables rules to redirect all incoming traffic on port 443 to port 22.
4. Configure your ssh client (I've tested with putty and WinSCP3) with your current proxy authentication settings and instruct it to use port 443 instead of port 22.
Remark:
It works for me on wl-500g Deluxe router with Oleg's 1.9.2.7-4 firmware (as usual many thanks to Oleg :)).
Now a little bit more details:
Step 1: This is described very well by Oleg - how to get the dropbear daemon running. Look here: http://wl500g.dyndns.org/ in section "Ssh and telnet daemons"
Step 2: For creating an empty post-firewall script please follow the procedure described by Oleg in the same document. But don't forget to put the following as the first line:
Step 3: As I'm not really a professional in network administration, I've learned this from alpha5's topic http://wl500g.info/showpost.php?p=8990&postcount=2 (thanks to alpha5 :))
Please add the following lines to your post-firewall script:
Code:
iptables -D INPUT -j DROP
iptables -A INPUT -p tcp -m tcp -d 192.168.1.1 --dport 22 -j ACCEPT
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 443 -j DNAT --to-destination 192.168.1.1:22
iptables -A INPUT -j DROP
Save it and also don't forget to commit the changes to flashfs as follows (or in a different way, as you like):
Code:
flashfs save && flashfs commit && flashfs enable
Reboot your wl-500g.
Step 4: Depending on your ssh client, set the appropriate proxy settings (usually HTTP proxy) like address, port number, username and password. And the most important thing: instruct this client program to use port 443 instead of port 22.
Enjoy.
Connection refused through port 443
Hi all,
After I upgraded to version 1.9.2.7-7e, I've followed this how-to. Now I'm able to connect to my router from the outside through port 22 but not through 443 as desired. The connection is refused. I don't know if I have something wrong in my configuration. My router's internal ip is 192.168.1.21. I don't understand iptables very well... just starting. Just check out my configuration please:
[cocas@router root]$ cd /usr/local/sbin/
[cocas@router sbin]$ ls
post-boot post-firewall
[cocas@router sbin]$ ls -l
-rwxr-xr-x 1 cocas root 19 Jul 13 13:33 post-boot
-rwxr-xr-x 1 cocas root 230 Jul 13 13:45 post-firewall
[cocas@router sbin]$ cat post-boot
#!/bin/sh
dropbear
[cocas@router sbin]$ cat post-firewall
#!/bin/sh
iptables -D INPUT -j DROP
iptables -A INPUT -p tcp -m tcp -d 192.168.1.21 --dport 22 -j ACCEPT
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 443 -j DNAT --to-destination 192.168.1.21:22
iptables -A INPUT -j DROP
Now the status of the table filter and table nat:
[cocas@router etc]$ iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
VSERVER all -- anywhere bl8-162-17.dsl.telepac.pt
NETMAP udp -- anywhere bl8-162-17.dsl.telepac.ptudp spt:6112 192.168.1.0/24
DNAT tcp -- anywhere anywhere tcp dpt:https to:192.168.1.21:22
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
NETMAP udp -- 192.168.1.0/24 anywhere udp dpt:6112 85.241.162.17/32
MASQUERADE all -- !bl8-162-17.dsl.telepac.pt anywhere
MASQUERADE all -- 192.168.1.0/24 192.168.1.0/24
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain VSERVER (1 references)
target prot opt source destination
[cocas@router etc]$ iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere state NEW
SECURITY all -- anywhere anywhere state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere router tcp dpt:ssh
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN tcpmss match 1453:65535TCPMSS set 1452
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
SECURITY all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere ctstate DNAT
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain MACS (0 references)
target prot opt source destination
Chain SECURITY (2 references)
target prot opt source destination
RETURN tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN limit: avg 1/sec burst 5
RETURN tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
RETURN udp -- anywhere anywhere limit: avg 5/sec burst 5
RETURN icmp -- anywhere anywhere limit: avg 5/sec burst 5
DROP all -- anywhere anywhere
Chain logaccept (0 references)
target prot opt source destination
LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
ACCEPT all -- anywhere anywhere
Chain logdrop (0 references)
target prot opt source destination
LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
DROP all -- anywhere anywhere
Congratulations on the FW... very nice.
Regards
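The following is an added example, not code from either post above. It serves both the HowTo's step 3 and the listing in the reply: it prints the four post-firewall rules for a chosen LAN address and WAN interface, and it checks an `iptables -L` listing (the filter and nat tables) for the two things the HowTo relies on: an ACCEPT for tcp port 22 in INPUT that is evaluated before the catch-all DROP, and a DNAT in PREROUTING from port 443 to port 22. The defaults LAN_IP=192.168.1.1 and WAN_IF=ppp0 are assumptions taken from the HowTo; the sample listings are constructed from the relevant lines of the reply's output. One caveat the checker makes explicit: `iptables -L` without `-v` does not show the in-interface, so the `-i ppp0` match cannot be confirmed from a plain listing.

```shell
#!/bin/sh
# Added example, not from the forum posts: (1) print the post-firewall rules from
# the HowTo for a chosen LAN address and WAN interface, and (2) check an
# `iptables -L` listing for the two rules the HowTo relies on, in the right order.
# LAN_IP and WAN_IF are assumed defaults; override them in the environment.

LAN_IP="${LAN_IP:-192.168.1.1}"   # router LAN address used in the HowTo
WAN_IF="${WAN_IF:-ppp0}"          # WAN interface used in the HowTo

# The four rules in the HowTo's order: the catch-all DROP is deleted first so the
# new ACCEPT is evaluated before it, then the DROP is appended again.
post_firewall_rules() {
    cat <<EOF
iptables -D INPUT -j DROP
iptables -A INPUT -p tcp -m tcp -d $LAN_IP --dport 22 -j ACCEPT
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport 443 -j DNAT --to-destination $LAN_IP:22
iptables -A INPUT -j DROP
EOF
}

# Read `iptables -L` (filter table) on stdin. Succeed only if the INPUT chain has
# an ACCEPT for tcp dpt:ssh (dpt:22 when listed with -n) and that ACCEPT comes
# before the catch-all DROP (the DROP without a "state" match).
check_input_chain() {
    awk '
        /^Chain / { chain = $2; next }
        chain == "INPUT" && $1 == "ACCEPT" && $2 == "tcp" && /dpt:(ssh|22)( |$)/ { accept = NR }
        chain == "INPUT" && $1 == "DROP" && $2 == "all" && !/state/ { drop = NR }
        END { exit !(accept && (!drop || accept < drop)) }
    '
}

# Read `iptables -t nat -L` on stdin. Succeed if PREROUTING carries a DNAT from
# tcp dpt:https (dpt:443 with -n) to some address on port 22. -L without -v hides
# the in-interface column, so the "-i ppp0" match cannot be confirmed here; run
# `iptables -t nat -L PREROUTING -v -n` on the router to see it.
check_nat_chain() {
    awk '
        /^Chain / { chain = $2; next }
        chain == "PREROUTING" && $1 == "DNAT" && $2 == "tcp" && /dpt:(https|443)( |$)/ && /to:[0-9.]+:22$/ { found = 1 }
        END { exit !found }
    '
}

# Constructed samples: the relevant lines of the listing posted in the reply above.
sample_filter_listing() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere router tcp dpt:ssh
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
EOF
}

sample_nat_listing() {
    cat <<'EOF'
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:https to:192.168.1.21:22
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
EOF
}

# Stand-alone run: print the rules, then check the constructed samples. On the
# router itself you would pipe the real listings instead:
#   iptables -L | check_input_chain ; iptables -t nat -L | check_nat_chain
post_firewall_rules
sample_filter_listing | check_input_chain && echo "INPUT: ssh ACCEPT precedes DROP" || echo "INPUT: ssh not accepted before DROP"
sample_nat_listing | check_nat_chain && echo "nat: 443 -> 22 DNAT present" || echo "nat: 443 -> 22 DNAT missing"
```

Both checks only confirm that the rules are present and ordered as the HowTo intends; a refused connection on 443 with these rules in place points at something the plain listing does not show (such as the in-interface or the upstream path), which is why the comments suggest the `-v -n` form of the listing on the router itself.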