Forum » Omrežja in internet » SSH forwarding na Mikrotiku
SSH forwarding na Mikrotiku
poweroff ::
Imam težavo z nastavitvijo SSH forwardinga na Mikrotiku (hAP lite). RouterOS je najnovejša verzija.
Kaj bi rad naredil?
Vse SSH povezave, ki pridejo iz nekega IP-ja (VPN gateway), bi rad preusmeril na interni računalnik (RPi) na internem naslovu 192.168.160.253.
Spodaj je celotna konfiguracija, bistveni del je tale:
Zadeva ne deluje. Deluje pa, če naredim preusmeritev dohodne povezave iz 2222 na interno na 22. Oziroma, brez težav deluje tudi tole:
V tem drugem primeru preusmerjam zunanji 5901 na notranji 5901.
Ali je mogoče, da ima Mikrotik kakšno finto, da ne dovoli SSH preusmerjanja?
Tole je pa celoten config (export):
Kaj bi rad naredil?
Vse SSH povezave, ki pridejo iz nekega IP-ja (VPN gateway), bi rad preusmeril na interni računalnik (RPi) na internem naslovu 192.168.160.253.
Spodaj je celotna konfiguracija, bistveni del je tale:
add action=dst-nat chain=dstnat comment="Forward SSH to RPi" dst-port=22 protocol=tcp src-address=xxx.xxx.xxx.xxx to-addresses=192.168.160.253 to-ports=22
Zadeva ne deluje. Deluje pa, če naredim preusmeritev dohodne povezave iz 2222 na interno na 22. Oziroma, brez težav deluje tudi tole:
add action=dst-nat chain=dstnat comment="Forward VNC to RPi" dst-port=5901 protocol=tcp src-address=xxx.xxx.xxx.xxx to-addresses=192.168.160.253 to-ports=5901
V tem drugem primeru preusmerjam zunanji 5901 na notranji 5901.
Ali je mogoče, da ima Mikrotik kakšno finto, da ne dovoli SSH preusmerjanja?
Tole je pa celoten config (export):
# mar/05/2016 07:54:10 by RouterOS 6.34.2 # software id = TBWA-8FT6 # /interface bridge add admin-mac=CA:FF:EE:BA:BE:01 auto-mac=no name=bridge-local /interface wireless set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce country=slovenia disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=Tralala wireless-protocol=802.11 /interface ethernet set [ find default-name=ether1 ] name=ether1-gateway set [ find default-name=ether2 ] name=ether2-master-local set [ find default-name=ether3 ] master-port=ether2-master-local name=ether3-slave-local set [ find default-name=ether4 ] master-port=ether2-master-local name=ether4-slave-local /ip neighbor discovery set ether1-gateway discover=no /interface wireless security-profiles set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys wpa-pre-shared-key=***** wpa2-pre-shared-key=***** /ip ipsec proposal set [ find default=yes ] enc-algorithms=aes-128-cbc /ip pool add name=dhcp ranges=192.168.160.10-192.168.160.254 /ip dhcp-server add address-pool=dhcp disabled=no interface=bridge-local name=default /interface bridge port add bridge=bridge-local interface=ether2-master-local add bridge=bridge-local interface=wlan1 /ip address add address=192.168.160.1/24 comment="Default configuration" interface=ether2-master-local network=192.168.160.0 add address=xxx.xxx.xxx.xxx/24 interface=ether1-gateway network=xxx.xxx.xxx.0 /ip dhcp-client add comment="default configuration" dhcp-options=hostname,clientid interface=ether1-gateway /ip dhcp-server lease add address=192.168.160.253 client-id=1:b8:27:eb:2c:bc:22 mac-address=B8:27:EB:2C:BC:22 server=default /ip dhcp-server network add address=192.168.160.0/24 comment="Default configuration" gateway=192.168.160.1 /ip dns set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4 /ip dns static add address=192.168.160.1 name=router /ip firewall filter add chain=input comment="Allow ALL (DANGEROUS!)" disabled=yes add action=drop chain=input comment="Disallow weird packets" connection-state=invalid add chain=input comment="Allow LAN access to router originated from LAN" connection-state=new in-interface=bridge-local add chain=input comment="Allow connections that originated from LAN" connection-state=established,related add chain=input comment="Allow ICMP" protocol=icmp add chain=input comment="Winbox connection from VPN gateway" dst-port=8291 protocol=tcp src-address=xxx.xxx.xxx.xxx add chain=input comment="Winbox connection from internal network" dst-port=8291 protocol=tcp src-address=192.168.160.0/24 add chain=input comment="SSH to RPi from VPN gateway" dst-port=22 protocol=tcp src-address=xxx.xxx.xxx.xxx add chain=input comment="VNC to RPi iz VPN gateway" dst-port=5901 protocol=tcp src-address=xxx.xxx.xxx.xxx add chain=input comment="Allow established connections" connection-state=established add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist add action=drop chain=input comment="Disallow anything else from anywhere on any interface" add action=drop chain=forward comment="Disallow forwarding of weird packets" connection-state=invalid add chain=forward comment="Allow LAN access to router and Internet" connection-state=new in-interface=bridge-local add chain=forward comment="Allow forward connections that originated from LAN" connection-state=established,related /ip firewall nat add action=masquerade chain=srcnat comment="IPmasq of internal traffic" src-address=192.168.160.0/24 add action=masquerade chain=srcnat comment="Default configuration" out-interface=ether1-gateway add action=dst-nat chain=dstnat comment="Forward SSH to RPi" dst-port=22 protocol=tcp src-address=xxx.xxx.xxx.xxx to-addresses=192.168.160.253 to-ports=22 add action=dst-nat chain=dstnat comment="Forward VNC to RPi" dst-port=5901 protocol=tcp src-address=xxx.xxx.xxx.xxx to-addresses=192.168.160.253 to-ports=5901 /ip firewall service-port set ftp disabled=yes set tftp disabled=yes set irc disabled=yes set h323 disabled=yes set sip disabled=yes set pptp disabled=yes /ip route add distance=1 gateway=xxx.xxx.xxx.1 /ip service set telnet disabled=yes set ftp disabled=yes set www disabled=yes set ssh disabled=yes port=22 set api disabled=yes set api-ssl disabled=yes /system clock set time-zone-autodetect=no /system routerboard settings set cpu-frequency=650MHz protected-routerboot=disabled /tool mac-server set [ find default=yes ] disabled=yes add interface=ether2-master-local add interface=ether3-slave-local add interface=ether4-slave-local add interface=wlan1 add interface=bridge-local /tool mac-server mac-winbox set [ find default=yes ] disabled=yes add interface=ether2-master-local add interface=ether3-slave-local add interface=ether4-slave-local add interface=wlan1 add interface=bridge-local
sudo poweroff
OmegaBlue ::
Čisto tako na prvo komaj zbujeno žogo;
Tole načeloma bi bilo v chain forward ne input.
add chain=input comment="SSH to RPi from VPN gateway" dst-port=22 protocol=tcp src-address=xxx.xxx.xxx.xxx add chain=input comment="VNC to RPi iz VPN gateway" dst-port=5901 protocol=tcp src-address=xxx.xxx.xxx.xxx
Tole načeloma bi bilo v chain forward ne input.
Never attribute to malice that which can be adequately explained by stupidity.
poweroff ::
Saj naprej imam tole:
Stvar je v tem, da VNC forwarding dela, SSH pa ne - nastavitve so pa identične.
add action=dst-nat chain=dstnat comment="Forward SSH to RPi" dst-port=22 protocol=tcp src-address=xxx.xxx.xxx.xxx to-addresses=192.168.160.253 to-ports=22 add action=dst-nat chain=dstnat comment="Forward VNC to RPi" dst-port=5901 protocol=tcp src-address=xxx.xxx.xxx.xxx to-addresses=192.168.160.253 to-ports=5901
Stvar je v tem, da VNC forwarding dela, SSH pa ne - nastavitve so pa identične.
sudo poweroff
matter ::
Pojdi pod system -> service in si spremeni SSH od routerja na drugi port, ALI ga ugasni.
Grem basket pa bom neloke metal
matter ::
Ups nisem pogledal solate od configa sem samo na prvo žogo ustrelil.
add chain=input comment="SSH to RPi from VPN gateway" ne rabiš. Če delaš nat ne rabiš input chaina.
add chain=input comment="SSH to RPi from VPN gateway" ne rabiš. Če delaš nat ne rabiš input chaina.
Grem basket pa bom neloke metal
Zgodovina sprememb…
- spremenil: matter ()
matter ::
Ker mi začuda ne pusti popravit:
add chain=input comment="SSH to RPi from VPN gateway" ne rabiš, če delaš nat. Ampak to nima veze s tvojim problemom.
Če imaš Telemach znajo blokirati porte. Kakšni ISP varnostno blokirajo določene porte.
Jaz bi preveril s packet sniferjem če sploh dobiš kaj na portu 22 za eth1 port.
add chain=input comment="SSH to RPi from VPN gateway" ne rabiš, če delaš nat. Ampak to nima veze s tvojim problemom.
Če imaš Telemach znajo blokirati porte. Kakšni ISP varnostno blokirajo določene porte.
Jaz bi preveril s packet sniferjem če sploh dobiš kaj na portu 22 za eth1 port.
Grem basket pa bom neloke metal
čuhalev ::
poweroff ::
Misliš na Mikrotiku ali na omrežju? Ker če na Mikrotiku vključim SSH, se lahko SSH-jam nanj...
sudo poweroff
čuhalev ::
Mislil sem na omrežju. Skrajno čudno, če ti iz 2222->rpi:22 deluje, 22->rpi:22 ne, mikrotik:22 pa. Lahko zamenjaš mikrotik s čem drugim?
miki133 ::
Morda ti tale vrstica dela probleme:
Recimo meni tale vrstica dela :
LP Miro
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
Recimo meni tale vrstica dela :
add action=dst-nat chain=dstnat comment="SSH na server" dst-port=xxxx in-interface=WAN-1 protocol=tcp src-address=1xxx.xxx.xxx.xxx to-addresses=192.168.0.15 to-ports=22
LP Miro
Zgodovina sprememb…
- spremenil: miki133 ()
Vredno ogleda ...
| Tema | Ogledi | Zadnje sporočilo | |
|---|---|---|---|
| Tema | Ogledi | Zadnje sporočilo | |
| » | Domači VPN (strani: 1 2 3 )Oddelek: Omrežja in internet | 24584 (10432) | Daniel |
| » | Mikrotik RB2011UiAS-2HnD-IN na Amisu, bizarno počasen internet. (strani: 1 2 )Oddelek: Omrežja in internet | 12297 (9577) | Invictus |
| » | MikroTik in default ruleOddelek: Omrežja in internet | 4197 (3434) | nejcsuha |
| » | mikrotik pomocOddelek: Pomoč in nasveti | 5145 (3391) | kronik |
| » | pppoe+mikrotikOddelek: Omrežja in internet | 3519 (3097) | Senitel |