Port Forwarding SSH on 22 using DNS-O-MATIC
I'm experimenting with SSH and port forwarding the default port 22 to non-default ports, and have had no success in using DD-WRT to port forward even the default 22 using a dynamic DNS IP with the No-IP and DNS-O-Matic services. Posting some details below; any help is appreciated.
Open SSH (Port 22) on IP: 192.168.11.13
[CODE]
tom23@max7:~$ sudo nmap -sT -sU -p 22 192.168.11.13
Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-26 09:55 EDT
Nmap scan report for max7 (192.168.11.13)
Host is up (0.000084s latency).
PORT STATE SERVICE
22/tcp open ssh
22/udp closed ssh
Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds
[/CODE]
DDNS enabled on DD-WRT router on WAN IP: 192.168.1.66 (LAN IP: 192.168.1.11)
NOTE: no-ip address below is fictitious
[CODE]
root@DD_WRT:/tmp/ddns# cat ddns.log
Sat Oct 26 08:54:01 2013: INADYN: Started 'INADYN Advanced version 1.96-ADV' - dynamic DNS updater.
Sat Oct 26 08:54:01 2013: INADYN: IP read from cache file is '192.168.1.66'. No update required.
Sat Oct 26 08:54:01 2013: I:INADYN: IP address for alias 'techie2.no-ip.net' needs update to '192.168.1.66'
Sat Oct 26 08:54:01 2013: I:INADYN: Alias 'techie2.no-ip.net' to IP '192.168.1.66' updated successfully.
[/CODE]
WAN IP: 192.168.1.66 is behind a router/adsl on IP: 192.168.1.64 with port forwarding enabled
[CODE]
# iptables -t nat -vnL PREROUTING
Chain PREROUTING (policy ACCEPT 50804 packets, 3254K bytes)
pkts bytes target prot opt in out source destination
15 915 DNAT udp -- group1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 dnshj to:192.168.1.64
120K 7891K PRE_CNAPT all -- * * 0.0.0.0/0 0.0.0.0/0
120K 7891K PT_NAT all -- * * 0.0.0.0/0 0.0.0.0/0
28868 1951K DNS_RELAY udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
120K 7891K INBOUND_NAT all -- * * 0.0.0.0/0 0.0.0.0/0
120K 7891K PRE_VPN all -- * * 0.0.0.0/0 0.0.0.0/0
120K 7891K REMOTE_NAT all -- * * 0.0.0.0/0 0.0.0.0/0
120K 7891K LOCAL_SERVICE_NAT all -- * * 0.0.0.0/0 0.0.0.0/0
120K 7891K USB_NAT all -- * * 0.0.0.0/0 0.0.0.0/0
120K 7891K INBOUND_NAT all -- * * 0.0.0.0/0 0.0.0.0/0
120K 7891K IM_DETECT_NAT all -- * * 0.0.0.0/0 0.0.0.0/0
120K 7891K MINIUPNPD_W all -- * * 0.0.0.0/0 0.0.0.0/0
120K 7891K DMZ_NAT all -- * * 0.0.0.0/0 0.0.0.0/0
31064 2352K CUDP_NAT udp -- * * 0.0.0.0/0 0.0.0.0/0
120K 7890K PRE_IGMP all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DNAT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 to:192.168.1.66:22
[/CODE]
[CODE]
# iptables -vnL FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
177K 11M TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
4274K 374M HTTP_DETECT all -- * * 0.0.0.0/0 0.0.0.0/0
4274K 374M OUTBOUND_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
4274K 374M FWD_SPI all -- * * 0.0.0.0/0 0.0.0.0/0
4269K 374M FWD_VPN all -- * * 0.0.0.0/0 0.0.0.0/0
4269K 374M FWD_IGMP all -- * * 0.0.0.0/0 0.0.0.0/0
4269K 374M NAT_LIMIT all -- * * 0.0.0.0/0 0.0.0.0/0
4269K 374M PT_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
4269K 374M ACCEPT_RULES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DOS_DETECT all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 MINIUPNPD all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 INBOUND_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DMZ_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FIREWALL_DISABLE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.66 tcp dpt:22 state NEW,RELATED,ESTABLISHED
[/CODE]
WAN IP: 192.168.1.66 (LAN IP: 192.168.11.1) port forwarding to SSH server on IP: 192.168.11.13
[CODE]
root@DD_WRT:~# iptables -t nat -vnL PREROUTING
Chain PREROUTING (policy ACCEPT 4701 packets, 380K bytes)
pkts bytes target prot opt in out source destination
6 360 DNAT tcp -- * * 0.0.0.0/0 192.168.1.66 tcp dpt:23 to:192.168.11.1:23
0 0 DNAT icmp -- * * 0.0.0.0/0 192.168.1.66 to:192.168.11.1
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.66 tcp dpt:22 to:192.168.11.13:22
0 0 DNAT udp -- * * 0.0.0.0/0 192.168.1.66 udp dpt:22 to:192.168.11.13:22
495 49215 TRIGGER 0 -- * * 0.0.0.0/0 192.168.1.66 TRIGGER type:dnat match:0 relate:0
[/CODE]
[CODE]
root@DD_WRT:~# iptables -vnL FORWARD
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 47 -- * eth1 192.168.11.0/24 0.0.0.0/0
0 0 ACCEPT tcp -- * eth1 192.168.11.0/24 0.0.0.0/0 tcp dpt:1723
0 0 ACCEPT 0 -- br0 br0 0.0.0.0/0 0.0.0.0/0
5542 330K TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
3363K 3702M lan2wan 0 -- * * 0.0.0.0/0 0.0.0.0/0
3360K 3702M ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.11.13 tcp dpt:22
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.11.13 udp dpt:22
0 0 TRIGGER 0 -- eth1 br0 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
3234 233K trigger_out 0 -- br0 * 0.0.0.0/0 0.0.0.0/0
3039 225K ACCEPT 0 -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
195 8280 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
[/CODE]
-
"INADYN: Alias 'techie2.no-ip.net' to IP '192.168.1.66' updated successfully."
Clearly, this 192.168.1.66 is in the private (RFC 1918) IP address range, not routable over the public internet, but for internal LAN use only. Your (currently non-existent) hostname techie2.no-ip.net must point to your public IP address.
That said, you must configure your Inadyn update client in DD-WRT to obtain the IP address information from somewhere else, e.g. from http://myip.dnsomatic.com/
Inadyn option: --ip_server_name myip.dnsomatic.com:80/ as start parameter or in inadyn.conf.
Alternatively, configure the DDNS update client on your ISP (internet) facing device (modem) which holds your public IP address, or use a software update client for DNS-O-Matic, e.g. http://updater.marc-hoersken.de/
-
Thanks rotblitz! I got the first part to work
[CODE]
root@DD_WRT:/tmp/ddns# cat ddns.log
Thu Oct 31 15:39:45 2013: INADYN: Started 'INADYN Advanced version 1.96-ADV' - dynamic DNS updater.
Thu Oct 31 15:39:45 2013: INADYN: IP read from cache file is '192.168.1.66'. No update required.
Thu Oct 31 15:39:45 2013: I:INADYN: IP address for alias 'techie2.no-ip.net' needs update to '103.x.x.57'
Thu Oct 31 15:39:45 2013: I:INADYN: Alias 'techie2.no-ip.net' to IP '103.x.x.57' updated successfully.[/CODE]
The problem with configuring DDNS on the modem/router is that it does not have an option to use DNS-O-Matic or anything other than dyndns.org. I could not find a config file in the firmware where I can update it to use OpenDNS.
Are there any alternatives for using a software update client? The link http://updater.marc-hoersken.de/ does not open.
-
" I got the first part to work"
I thought it was the whole thing. What is still open? Well, the hostname techie2.no-ip.net still does not exist in DNS.
"The problem with configuring ddns on the modem/router... Are there any alternatives to use a software update client?"
No need for any of those, you got it working with DD-WRT's Inadyn.
"the link for http://updater.marc-hoersken.de/ does not open up.."
Yes, the site seems to be temporarily down.
-
I'm using 'techie2.no-ip.net' as a fake hostname to describe my issue. My real hostname is being updated with the correct public IP assigned by my ISP. I see this correct assignment both in the ddns.log (frequent updates) on my DD-WRT and when I do an nslookup on my hostname from over the internet. That being said, I still get a time-out with no explanation when I do 'ssh -l tom23 techie2.no-ip.net -p 22', so something is still not right.
My suspicion is that something still needs to be opened/configured on my non-DD-WRT router/ADSL on 192.168.1.64 (WAN IP 192.168.1.66 is behind a router/ADSL on IP 192.168.1.64 with port forwarding enabled).
When I check the below on 192.168.1.64, I do not see SSH open on port 22:
[CODE]
# iptables -t nat -vnL PREROUTING
Chain PREROUTING (policy ACCEPT 8003 packets, 502K bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT udp -- group1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 dnshj to:192.168.1.64
8468 634K PRE_CNAPT all -- * * 0.0.0.0/0 0.0.0.0/0
8467 634K PT_NAT all -- * * 0.0.0.0/0 0.0.0.0/0
1540 101K DNS_RELAY udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
8467 634K INBOUND_NAT all -- * * 0.0.0.0/0 0.0.0.0/0
8467 634K PRE_VPN all -- * * 0.0.0.0/0 0.0.0.0/0
8467 634K REMOTE_NAT all -- * * 0.0.0.0/0 0.0.0.0/0
8467 634K LOCAL_SERVICE_NAT all -- * * 0.0.0.0/0 0.0.0.0/0
8467 634K USB_NAT all -- * * 0.0.0.0/0 0.0.0.0/0
8467 634K INBOUND_NAT all -- * * 0.0.0.0/0 0.0.0.0/0
8467 634K IM_DETECT_NAT all -- * * 0.0.0.0/0 0.0.0.0/0
8467 634K MINIUPNPD_W all -- * * 0.0.0.0/0 0.0.0.0/0
8467 634K DMZ_NAT all -- * * 0.0.0.0/0 0.0.0.0/0
2066 239K CUDP_NAT udp -- * * 0.0.0.0/0 0.0.0.0/0
8467 634K PRE_IGMP all -- * * 0.0.0.0/0 0.0.0.0/0[/CODE]
[CODE]
tom23@max7:~$ sudo nmap -sT -sU -p 22 192.168.1.64
[sudo] password for max7:
Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-04 07:25 EST
Nmap scan report for 192.168.1.64
Host is up (0.00080s latency).
PORT STATE SERVICE
22/tcp closed ssh
22/udp closed ssh
Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds[/CODE]
I ran the below commands on 192.168.1.64 but they do not save after a reboot. How can I save them on my non-DD-WRT ADSL/router?
[CODE]
# eth0 is assumed to be the ISP-facing (WAN) interface and eth1 the LAN side.
# On this router the existing DNAT rule lists ppp0 as the WAN interface, so substitute accordingly.
# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
# Masquerade.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Forward inbound SSH (tcp/22) to the inner router's WAN address (192.168.1.66), which then
# forwards it to the SSH server. A DNAT to this router's own address (192.168.1.64) only
# delivers the packet to a port nothing listens on, which is what the nmap scan above shows.
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to-destination 192.168.1.66:22
# Don't forward anything else from the outside to the inside.
iptables -A FORWARD -i eth0 -o eth1 -j REJECT[/CODE]
-
"i'm using 'techie2.no-ip.net' as a fake hostname to describe my issue."
Not a clever idea if you don't explicitly mention it. Fakes are always bad.
"my real host name is being updated with the correct public IP assigned by my ISP. I see this correct assignment both in the ddns.log (frequent updates) on my DD-WRT and when i do an nslookup on my hostname from over the internet."
Fine, then your DNS related and DNS-O-Matic related issues are solved. The rest is unrelated to the topics of this forum.
"I still get a time-out with no explanation when I do 'ssh -l tom23 techie2.no-ip.net -p 22', so something is still not right.
My suspicion is that something still needs to be opened/configured on my non-DD-WRT router/ADSL on 192.168.1.64 (WAN IP 192.168.1.66 is behind a router/ADSL on IP 192.168.1.64 with port forwarding enabled)."
Yes, it seems to be a port forwarding problem, or port 22 is blocked inbound by your ISP. If the latter, you must use another port.
If it is the port forwarding, and you have two routers (NAT devices) where the outer one doesn't work in bridged mode, then you must forward port 22 from the outer router to the WAN facing IP address of the inner router, and on the inner router to the internal IP address of your SSH service. Alternatively switch the outer router to bridged mode, so that the inner router gets your public IP address.
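The checklist the thread converges on (does the DDNS record exist, does it hold a public rather than an RFC 1918 address, and then does the TCP path to port 22 answer, refuse, or time out) as a small diagnostic script. This is an added example, not code from any participant; the hostname is the thread's stated fictitious one, and the meaning attached to each socket outcome is my reading of the thread's symptoms, not a guarantee.

```python
"""Walk the double-NAT SSH forwarding checklist from the thread: DNS first, then the TCP path."""
import ipaddress
import socket

# RFC 1918 ranges; a DDNS record pointing into one of these is the thread's first bug.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True if the address is private and therefore useless in a public DNS record."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt a TCP handshake and classify what the client sees (assumed interpretations):
    'open'        SYN/ACK came back: the forwarding chain works end to end
    'refused'     RST came back: a host was reached but nothing listens on that port
                  (e.g. a DNAT aimed at the router itself instead of the inner router)
    'timeout'     no answer at all: a router dropped it (missing forward / DROP policy)
                  or the ISP filters the port, which is the symptom the thread reports
    'unreachable' the local stack could not even route the packet
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"


def diagnose(hostname: str, port: int = 22) -> str:
    """Check the DNS record before touching the network path, as the answers above do."""
    try:
        ip = socket.gethostbyname(hostname)
    except socket.gaierror:
        return f"{hostname} does not resolve: the DDNS record was never created"
    if is_rfc1918(ip):
        return (f"{hostname} resolves to {ip}, a LAN address: the DDNS client is publishing "
                "the inner router's WAN IP, not the public IP (see the --ip_server_name advice)")
    return f"{hostname} -> {ip}, tcp/{port}: {probe_tcp(ip, port)}"


if __name__ == "__main__":
    print(diagnose("techie2.no-ip.net"))  # the thread's fictitious hostname
```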