On 09/19/2016 08:55 PM, Jonathan Bennett wrote:
> It may be that the ssh daemon is bound to the internal ip 
> address/device.  This would cause the ssh connections to be rejected 
> even though the firewall is not blocking them.

Yes, maybe you're right... I'm not sure what is going on... But to 
begin with, I thought the only way in which SSH did not work was due 
to iptables disallowing SSH from the WAN-side. But to see if I could/can 
understand what goes on, I made "iptables-save > LAN_only.txt" followed 
by going into the web-interface of the router. In here ("Administration" > 
"System" > "Enable SSH: Lan only"), I changed this setting to "Enable 
SSH: LAN+WAN", followed by "apply" and "iptables-save > LAN+WAN.txt". 
Then I made a "diff"-comparison and below I've tried to manually "clean 
up" the not so interesting entries (where there is no difference):

rt54g@router:/tmp# diff LAN_only.txt LAN+WAN.txt
--- LAN_only.txt
+++ LAN+WAN.txt

+:SSHBFP - [0:0]
+-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j SSHBFP
+-A SSHBFP -m recent --set --name SSH --rsource
+-A SSHBFP -m recent --update --seconds 60 --hitcount 4 --name SSH 
--rsource -j DROP
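Review bot: the pasted hunk has no `-A SSHBFP -j ACCEPT` line, although the text below says the packet is finally accepted and the hand-typed commands further down do include that rule; since the diff was cleaned up by hand, check whether LAN+WAN.txt actually contains it, because without a terminating ACCEPT a new SSH connection that passes the `--hitcount 4` check simply returns from SSHBFP to the rest of the INPUT chain instead of being accepted there. Also note that the last two lines of the hunk (`--name SSH` and `--rsource -j DROP`) are one wrapped rule, not two.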

I'm definitely not an iptables-expert. But what I think I see here, is 
that when I go from SSH-access, from only LAN to LAN+WAN, then the 
"only" difference is that the router adds something extra to the 
IPTABLES-rules. In this case, something extra is added to the 
"filter"-table, more specifically, the INPUT-chain. My understanding is 
that "SSHBFP" is a new "target", so when something (a tcp-packet) tries 
to connect to port 22 from eth0 (the WAN-side of the router = the 
internet-side) and it is new, the first rule says: Jump to target 
"SSHBFP". Then there are 3 new commands - I don't know what they do. And 
finally that packet is ACCEPTED.

Without changing these rules in the web-interface, I tried to login to 
the Asus-router and using SSH (from LAN-side) I wanted to type in 
something like:

# iptables -N SSHBFP
# iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state 
iptables: Protocol wrong type for socket.
# iptables -A SSHBFP -m recent --set --name SSH --rsource
# iptables -A SSHBFP -m recent --update --seconds 60 --hitcount 4 --name 
SSH --rsource -j DROP
# iptables -A SSHBFP -j ACCEPT

So, I'm not completely sure what is going on... I don't understand the 
"Protocol wrong type for socket". These commands don't work. If they 
did, I think it should be possible to make the fwknopd-server let me 
in... Anyway, if it isn't possible for me to log in directly to the 
router using fwknopd, would it be possible for me to maybe first send 
the SPA-packet and then SSH into one of the machines on the LAN (from 
the internet/WAN-side), e.g.? How would I set this up?

Thanks for any ideas/help!
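As an added illustration (not part of the original thread), here is a small Python model of what the three SSHBFP rules do to a sequence of new SSH connections from the WAN: `--set` records a timestamp per source address, and `--update --seconds 60 --hitcount 4` drops the packet once four or more timestamps fall inside the last 60 seconds. It assumes the chain ends with the `-j ACCEPT` rule from the hand-typed commands above and the xt_recent default of 20 stored timestamps per address; the sample connection trace is constructed.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # --seconds 60
HITCOUNT = 4          # --hitcount 4
MAX_STAMPS = 20       # assumption: xt_recent default ip_pkt_list_tot


class RecentList:
    """Minimal model of one 'recent' list (the list called SSH in the rules),
    keyed by source address because of --rsource."""

    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=MAX_STAMPS))

    def set(self, src, now):
        # '-m recent --set': always matches and records one more timestamp for src
        self.stamps[src].append(now)
        return True

    def update(self, src, now, seconds, hitcount):
        # '-m recent --update --seconds S --hitcount N': matches when src already has
        # at least N timestamps no older than S seconds; a match records another stamp,
        # so a source that keeps retrying keeps its own lockout alive
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if now - t <= seconds)
        if hits >= hitcount:
            self.stamps[src].append(now)
            return True
        return False


def sshbfp_verdict(table, src, now):
    """Walk the SSHBFP chain for one NEW TCP packet to dport 22 arriving on eth0."""
    table.set(src, now)                                    # --set --name SSH --rsource
    if table.update(src, now, WINDOW_SECONDS, HITCOUNT):   # --update ... -j DROP
        return "DROP"
    return "ACCEPT"                                        # -A SSHBFP -j ACCEPT


def run_trace(events):
    """Apply the chain to (seconds, source) events in order; returns the verdicts."""
    table = RecentList()
    return [(t, src, sshbfp_verdict(table, src, t)) for t, src in events]


# Constructed sample: one WAN host retrying every 10 s, a second host connecting once,
# then the first host coming back after a minute of silence
SAMPLE = [(0, "203.0.113.5"), (10, "203.0.113.5"), (20, "203.0.113.5"),
          (30, "203.0.113.5"), (40, "203.0.113.5"), (40, "198.51.100.7"),
          (101, "203.0.113.5")]

if __name__ == "__main__":
    for t, src, verdict in run_trace(SAMPLE):
        print(f"t={t:3d}s  {src:14s} -> {verdict}")
```

The model shows why the fourth attempt within a minute is dropped, why the drop continues as long as the same host keeps retrying, and why another address is unaffected; on a real router this only works if the kernel has the xt_recent match module available.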


Fwknop-discuss mailing list