
SSH forwarding on a MikroTik

Matthai ::

I have a problem setting up SSH forwarding on a MikroTik (hAP lite). RouterOS is the latest version.

What I want to do:

I want to redirect all SSH connections arriving from a certain IP (the VPN gateway) to an internal machine (an RPi) at the internal address 192.168.160.253.

The full configuration is below; the relevant part is this:

add action=dst-nat chain=dstnat comment="Forward SSH to RPi" dst-port=22 protocol=tcp src-address=xxx.xxx.xxx.xxx to-addresses=192.168.160.253 to-ports=22


It doesn't work. It does work if I redirect an incoming connection from 2222 to internal 22. This also works without any problem:

add action=dst-nat chain=dstnat comment="Forward VNC to RPi" dst-port=5901 protocol=tcp src-address=xxx.xxx.xxx.xxx to-addresses=192.168.160.253 to-ports=5901


In this second case I am redirecting external 5901 to internal 5901.

Is it possible that MikroTik has some trick that does not allow SSH forwarding?

Here is the full config (export):

# mar/05/2016 07:54:10 by RouterOS 6.34.2
# software id = TBWA-8FT6
#
/interface bridge
add admin-mac=CA:FF:EE:BA:BE:01 auto-mac=no name=bridge-local
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce country=slovenia disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=Tralala wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=ether4-slave-local
/ip neighbor discovery
set ether1-gateway discover=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys wpa-pre-shared-key=***** wpa2-pre-shared-key=*****
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=dhcp ranges=192.168.160.10-192.168.160.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-local name=default
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
/ip address
add address=192.168.160.1/24 comment="Default configuration" interface=ether2-master-local network=192.168.160.0
add address=xxx.xxx.xxx.xxx/24 interface=ether1-gateway network=xxx.xxx.xxx.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid interface=ether1-gateway
/ip dhcp-server lease
add address=192.168.160.253 client-id=1:b8:27:eb:2c:bc:22 mac-address=B8:27:EB:2C:BC:22 server=default
/ip dhcp-server network
add address=192.168.160.0/24 comment="Default configuration" gateway=192.168.160.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.160.1 name=router
/ip firewall filter
add chain=input comment="Allow ALL (DANGEROUS!)" disabled=yes
add action=drop chain=input comment="Disallow weird packets" connection-state=invalid
add chain=input comment="Allow LAN access to router originated from LAN" connection-state=new in-interface=bridge-local
add chain=input comment="Allow connections that originated from LAN" connection-state=established,related
add chain=input comment="Allow ICMP" protocol=icmp
add chain=input comment="Winbox connection from VPN gateway" dst-port=8291 protocol=tcp src-address=xxx.xxx.xxx.xxx
add chain=input comment="Winbox connection from internal network" dst-port=8291 protocol=tcp src-address=192.168.160.0/24
add chain=input comment="SSH to RPi from VPN gateway" dst-port=22 protocol=tcp src-address=xxx.xxx.xxx.xxx
add chain=input comment="VNC to RPi from VPN gateway" dst-port=5901 protocol=tcp src-address=xxx.xxx.xxx.xxx
add chain=input comment="Allow established connections" connection-state=established
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=drop chain=input comment="Disallow anything else from anywhere on any interface"
add action=drop chain=forward comment="Disallow forwarding of weird packets" connection-state=invalid
add chain=forward comment="Allow LAN access to router and Internet" connection-state=new in-interface=bridge-local
add chain=forward comment="Allow forward connections that originated from LAN" connection-state=established,related
/ip firewall nat
add action=masquerade chain=srcnat comment="IPmasq of internal traffic" src-address=192.168.160.0/24
add action=masquerade chain=srcnat comment="Default configuration" out-interface=ether1-gateway
add action=dst-nat chain=dstnat comment="Forward SSH to RPi" dst-port=22 protocol=tcp src-address=xxx.xxx.xxx.xxx to-addresses=192.168.160.253 to-ports=22
add action=dst-nat chain=dstnat comment="Forward VNC to RPi" dst-port=5901 protocol=tcp src-address=xxx.xxx.xxx.xxx to-addresses=192.168.160.253 to-ports=5901
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip route
add distance=1 gateway=xxx.xxx.xxx.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes port=22
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-autodetect=no
/system routerboard settings
set cpu-frequency=650MHz protected-routerboot=disabled
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=wlan1
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=wlan1
add interface=bridge-local
Kind of an asshole at first sight, but actually a nice guy
when you get to know me personally. :)

OmegaBlue ::

Just off the top of my half-awake head;

add chain=input comment="SSH to RPi from VPN gateway" dst-port=22 protocol=tcp src-address=xxx.xxx.xxx.xxx
add chain=input comment="VNC to RPi from VPN gateway" dst-port=5901 protocol=tcp src-address=xxx.xxx.xxx.xxx


These should in principle be in the forward chain, not input.
Never attribute to malice that which can be adequately explained by stupidity.

Matthai ::

But further down I have this:

add action=dst-nat chain=dstnat comment="Forward SSH to RPi" dst-port=22 protocol=tcp src-address=xxx.xxx.xxx.xxx to-addresses=192.168.160.253 to-ports=22
add action=dst-nat chain=dstnat comment="Forward VNC to RPi" dst-port=5901 protocol=tcp src-address=xxx.xxx.xxx.xxx to-addresses=192.168.160.253 to-ports=5901


The thing is that the VNC forwarding works and SSH doesn't, and the settings are identical.

matter ::

Go to System -> Services and change the router's SSH to a different port, OR turn it off.
Off to play basketball, going to brick some shots

Matthai ::

Did you even look at the config???
set ssh disabled=yes port=22


It is ALREADY turned off.

matter ::

Oops, I didn't look at that salad of a config, I just took a shot in the dark.

You don't need add chain=input comment="SSH to RPi from VPN gateway". If you're doing NAT you don't need the input chain.

matter ::

Because for some strange reason it won't let me edit:

You don't need add chain=input comment="SSH to RPi from VPN gateway" if you're doing NAT. But that has nothing to do with your problem.

If you are with Telemach, they are known to block ports. Some ISPs block certain ports for security reasons.
I would check with a packet sniffer whether you get anything at all on port 22 on the eth1 port.

čuhalev ::

Matthai wrote:

It doesn't work. It does work if I redirect an incoming connection from 2222 to internal 22.

There you've answered yourself. Somewhere on the path to you there is an ACL that blocks TCP 22.

Matthai ::

You mean on the MikroTik or on the network? Because if I enable SSH on the MikroTik, I can SSH into it...

čuhalev ::

I meant on the network. Extremely strange if 2222->rpi:22 works for you, 22->rpi:22 doesn't, and mikrotik:22 does. Can you swap the MikroTik for something else?

miki133 ::

Maybe this line is causing you problems:
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist

For example, this line works for me:
add action=dst-nat chain=dstnat comment="SSH na server" dst-port=xxxx in-interface=WAN-1 protocol=tcp src-address=1xxx.xxx.xxx.xxx to-addresses=192.168.0.15 to-ports=22


Regards, Miro
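As an added example that nobody in this thread posted: the rule structure OmegaBlue and matter describe (port forwards are handled in the forward chain, not input) together with the two checks matter and čuhalev propose (sniff ether1 for TCP/22, and see whether the dst-nat rule ever matches), written as RouterOS 6.x commands against the export above. VPN_GW is a placeholder for the redacted xxx.xxx.xxx.xxx; interface and address names are taken from Matthai's config, but the commands themselves are added here and are not part of it.

```routeros
# Added example, not part of the thread's config. VPN_GW stands in for the
# redacted xxx.xxx.xxx.xxx; interface and address names come from the export.

# --- 1. Port forward: the same rule as in the original post, plus in-interface
#        so it only matches traffic arriving on the WAN side.
/ip firewall nat
add action=dst-nat chain=dstnat comment="Forward SSH to RPi" dst-port=22 \
    in-interface=ether1-gateway protocol=tcp src-address=VPN_GW \
    to-addresses=192.168.160.253 to-ports=22

# --- 2. Filter: dstnat runs before the routing decision, so a rewritten packet
#        is routed to the RPi and traverses the FORWARD chain, never INPUT. The
#        input accepts for 22 and 5901, and the ssh_blacklist drop, never see it.
#        Accept only what dstnat rewrote, then drop every other new connection
#        coming in from the WAN. Both rules are appended after the existing
#        forward rules, so LAN-originated and established traffic still matches first.
/ip firewall filter
add chain=forward comment="Accept port-forwarded connections" \
    connection-nat-state=dstnat connection-state=new in-interface=ether1-gateway
add action=drop chain=forward comment="Drop other new WAN->LAN connections" \
    connection-state=new in-interface=ether1-gateway

# --- 3. Does TCP/22 reach ether1 at all? Start the sniffer, then run
#        "ssh -p 22 <WAN IP>" from the VPN gateway. If packets to 2222 show up
#        here and packets to 22 never do, the filtering is upstream (ISP or an
#        ACL on the VPN side), not RouterOS.
/tool sniffer quick interface=ether1-gateway ip-protocol=tcp port=22

# --- 4. The same question from the other side: a dst-nat rule whose packet and
#        byte counters stay at 0 has never matched, and a forwarded session that
#        did get through shows up in the connection table.
/ip firewall nat print stats where comment="Forward SSH to RPi"
/ip firewall connection print where dst-address~"192.168.160.253:22"
```

Two things worth checking in the export while you are at it: the forward chain currently has no final drop, so with the added accept/drop pair it becomes deny-by-default for WAN-originated traffic rather than relying on the absence of a route; and the "drop ssh brute forcers" rule references an address list ssh_blacklist that no rule in the export populates, so it never matches anything.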
