OpenWrt Forum Archive

Topic: dropbear listen to two ports forward one of them

The content of this topic has been archived on 25 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hey everyone.  I have openwrt 7.09 2.4 kernel installed on my wrt54g v2.0.  I have a web server that port 80 is being forwarded to but it seems that I need to configure both dropbear and my firewall to forward port 22 to that machine so I can do work remotely.  I was reading the docs that I could find but it seems the dropbear server installed does not support all of the features and I was wondering if anyone could help me with the config.  I tried just adding the -a option to forward requests to lan and set in my firewall where that should go but it seems that I would have to configure dropbear to send it there and just set the firewall to allow incoming connections on port 22.  This is what I'm attempting.

Instead of logging into openwrt and running passwd for root I copied an MD5 sum from my /etc/shadow file and pasted it for root in /etc/passwd on the router.  From what I've read this stops the disabling of the SSH server and telnet server, although I've disabled telnet manually.  I would like to have the router listen on port 23 for ssh connections to the router; using the firewall, I am not allowing incoming connections on port 23.  On port 22 in the firewall I've set to forward to the ssh server in the lan.

From what I read on the net I would have to run dropbear to listen to both ports and forward one to another IP.  Using this setup I can also use the firewall to disallow anyone to remotely log into the router without stopping me from remotely logging into my system.  From what I read on the net I need to use the -L option which doesn't seem to be available in the openwrt version of dropbear.  Will I have to download a fuller featured version of dropbear to be able to do what I want?

Any assistance would be greatly appreciated.

Oh, and I don't even know what version of dropbear I have.  I'm sure I could go into the kamikaze change log and find out but the -V option was not included.

(Last edited by WrinkledCheese on 1 May 2008, 18:06)

From what I can tell I have to download dropbear and recompile it so that it isn't forwarding to the local address as explained in this PDF

http://www.infosecwriters.com/text_reso … neling.pdf it's at the end of page 4, the grey part is the description to recompile dropbear for openwrt on wrt54g

(Last edited by WrinkledCheese on 2 May 2008, 00:47)

You seem to be confused between destination NAT and ssh forwarding. If you just want incoming connections to port 22 to be forwarded to a pc then just set up your NAT rules to do that. You don't even need to change dropbear on the router to listen on port 23 if you are not going to allow connections to it from the wan. It does not sound like you need to recompile or even reconfigure dropbear. Also why did you copy the password hash instead of running passwd?

I don't want to access the router from the WAN, I am trying to make it so that port 23 is the router's dropbear and not allowing WAN connections to that port on the network.  That I can do.

I am using port 22 on my machine with sshd.  I tried making the router forward port 22 (and have dropbear only listen on 23) but I was getting connection refused and there is no firewall between the router and the system except the firewall.  I set it up just as I have for my web server and it didn't seem to forward the port.  All I did was add a line to the end of /etc/config/firewall.  When I do set up ssh forwarding through dropbear I can connect but from what I have read the dropbear packaged with OpenWRT is compiled to forward all dropbear forwards to local host.  That explains why when I did get connected it was always the router when it should have been forwarded either through the firewall or through both the firewall and the dropbear.  I read that in the PDF of my previous post at the end of page 4 I think.

I'm just trying to figure out if compiling dropbear is going to solve my problem.  It seems like it is but I'm not quite sure.

I copied and pasted because I read somewhere that once you run the passwd command, on OpenWRT, it disables the ssh and telnet daemons.  I telnet and paste the known hash in /etc/passwd.  Then I manually take down telnet, move dropbear to 23, enable wireless and configure essid and channel then forward my http port.  Other than that it's a stock kamikaze 7.09 k2.4 installation.  I locked myself out once with the firewall and once with ssh trying to get this system up so I can work on it from anywhere.

WrinkledCheese wrote:

I don't want to access the router from the WAN

Yes, I understood that.

WrinkledCheese wrote:

I am trying to make it so that port 23 is the router's dropbear and not allowing WAN connections to that port on the network.  That I can do.

What I don't understand is why you need to run dropbear on port 23.  As I said in my last post, if you are not going to allow SSH connections to your router from the WAN then you don't need to change the port that dropbear listens on.

WrinkledCheese wrote:

I am using port 22 on my machine with sshd.  I tried making the router forward port 22 (and have dropbear only listen on 23) but I was getting connection refused and there is no firewall between the router and the system except the firewall.  I set it up just as I have for my web server and it didn't seem to forward the port.  All I did was add a line to the end of /etc/config/firewall.

Unfortunately I don't have access to anything running OpenWrt right at the moment, but maybe there's another rule in the router's firewall that blocks port 22.  Try looking at the output of "iptables -nvL".

WrinkledCheese wrote:

When I do set up ssh forwarding through dropbear I can connect but from what I have read the dropbear packaged with OpenWRT is compiled to forward all dropbear forwards to local host.  That explains why when I did get connected it was always the router when it should have been forwarded either through the firewall or through both the firewall and the dropbear.  I read that in the PDF of my previous post at the end of page 4 I think.

I'm just trying to figure out if compiling dropbear is going to solve my problem.  It seems like it is but I'm not quite sure.

Well, it might.  I don't know, but I don't think it would be the best solution to the problem even if it did work.  You would be running one SSH session over another SSH session.  This is not likely to work optimally.

e.g. see this URL: http://sites.inka.de/~W1011/devel/tcp-tcp.html

WrinkledCheese wrote:

I copied and pasted because I read somewhere that once you run the passwd command, on OpenWRT, it disables the ssh and telnet daemons.

No.  After you flash OpenWrt, telnet is enabled and SSH is disabled.
After you run "passwd", telnet is disabled and SSH is enabled.

See: http://wiki.openwrt.org/OpenWrtDocs/Using

In particular this part:

 === IMPORTANT ============================
  Use 'passwd' to set your login password
  this will disable telnet and enable SSH
 ------------------------------------------

This is for White Russian, but Kamikaze works the same way w.r.t. telnet/SSH and setting the password via the passwd command.
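As an added example (not code from the thread, from OpenWrt or from dropbear), here is a small Python checker that follows Wodin's two points above: forwarding port 22 to a LAN host is a destination-NAT job, so it looks for the DNAT in the nat table's PREROUTING chain, and then walks the FORWARD chain of `iptables -nvL` output for a rule that drops the port before the accept. The sample outputs, the interface names (vlan1 as WAN, br-lan as LAN), the LAN host 192.168.1.2 and the packet counters are constructed assumptions, not the poster's actual ruleset.

```python
"""Check, from the text of `iptables -t nat -nvL` and `iptables -nvL`, whether a
router really forwards (DNATs) a TCP port to a LAN host.  Added example, not code
from the thread; sample outputs, interface names (vlan1 = WAN, br-lan = LAN),
addresses and counters are constructed assumptions."""
import re

# Constructed `iptables -nvL` (filter table) output.  The DROP for dpt:22 sits
# *before* the ACCEPT: the kind of rule that makes a forward look broken while
# the NAT rule itself is fine.
FILTER_SAMPLE = """\
Chain INPUT (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
  300 24000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   40  2400 DROP       tcp  --  vlan1  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:23

Chain FORWARD (policy DROP 3 packets, 180 bytes)
 pkts bytes target     prot opt in     out     source               destination
  900 72000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   20  1200 ACCEPT     tcp  --  vlan1  br-lan  0.0.0.0/0            192.168.1.2          tcp dpt:80
    5   300 DROP       tcp  --  vlan1  br-lan  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  vlan1  br-lan  0.0.0.0/0            192.168.1.2          tcp dpt:22
"""

# Constructed `iptables -t nat -nvL` (nat table) output.
NAT_SAMPLE = """\
Chain PREROUTING (policy ACCEPT 700 packets, 56000 bytes)
 pkts bytes target     prot opt in     out     source               destination
   20  1200 DNAT       tcp  --  vlan1  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.1.2:80
    5   300 DNAT       tcp  --  vlan1  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 to:192.168.1.2:22
"""

COLUMNS = ("pkts", "bytes", "target", "prot", "opt", "in", "out", "source", "destination")


def parse_nvl(text):
    """Parse -nvL output into {chain: {"policy": str|None, "rules": [dict]}}.
    Text after the destination column is kept verbatim as rule["match"].
    Assumes every rule line has a target (a rule without one shifts the columns)."""
    chains, current = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            policy = re.search(r"\(policy (\w+)", line)
            current = chains[line.split()[1]] = {"policy": policy.group(1) if policy else None, "rules": []}
            continue
        fields = line.split()
        if not fields or fields[0] == "pkts" or current is None:
            continue  # blank line or the column-header line
        rule = dict(zip(COLUMNS, fields[:9]))
        rule["match"] = " ".join(fields[9:])
        current["rules"].append(rule)
    return chains


def _applies(rule, port, dst_ip, wan_if):
    """Would this rule match a NEW TCP connection from wan_if to dst_ip:port?
    Models only the matchers used in the sample: protocol, input interface,
    destination, dpt: and conntrack state (RELATED,ESTABLISHED never matches the first SYN)."""
    if rule["prot"] not in ("all", "tcp") or rule["in"] not in ("*", wan_if):
        return False
    if rule["destination"] not in ("0.0.0.0/0", dst_ip):
        return False
    if "state " in rule["match"] and "NEW" not in rule["match"]:
        return False
    dpt = re.search(r"dpt:(\d+)", rule["match"])
    return dpt is None or int(dpt.group(1)) == port


def find_dnat_targets(nat, port, wan_if):
    """Return the to: addresses of PREROUTING DNAT rules that catch tcp/<port>."""
    hits = []
    for rule in nat.get("PREROUTING", {"rules": []})["rules"]:
        if rule["target"] == "DNAT" and _applies(rule, port, "0.0.0.0/0", wan_if):
            to = re.search(r"to:(\S+)", rule["match"])
            hits.append(to.group(1) if to else "?")
    return hits


def forward_verdict(filt, port, lan_ip, wan_if):
    """Walk FORWARD in order; return (verdict, index) of the first terminating
    rule the DNATed connection hits, or (chain policy, None) if none matches."""
    chain = filt.get("FORWARD", {"policy": "ACCEPT", "rules": []})
    for i, rule in enumerate(chain["rules"]):
        if rule["target"] in ("ACCEPT", "DROP", "REJECT") and _applies(rule, port, lan_ip, wan_if):
            return rule["target"], i
    return chain["policy"], None


def diagnose(filter_text, nat_text, port, lan_ip, wan_if="vlan1"):
    """(ok, findings): ok only when PREROUTING DNATs tcp/<port> to lan_ip and
    FORWARD then accepts it before any DROP/REJECT."""
    findings = []
    targets = find_dnat_targets(parse_nvl(nat_text), port, wan_if)
    if lan_ip not in [t.split(":")[0] for t in targets]:
        findings.append(f"no PREROUTING DNAT for tcp/{port} to {lan_ip} (found: {targets or 'none'})")
    verdict, idx = forward_verdict(parse_nvl(filter_text), port, lan_ip, wan_if)
    if verdict != "ACCEPT":
        where = f"rule {idx}" if idx is not None else "chain policy"
        findings.append(f"FORWARD {where} gives {verdict} for tcp/{port} to {lan_ip}")
    return not findings, findings
```

On a real box you would paste the output of `iptables -t nat -nvL` and `iptables -nvL` into the two text arguments and call `diagnose(filter_text, nat_text, 22, "<lan host>", "<wan interface>")`; on the constructed sample it reports that FORWARD rule 2 drops port 22 before the accept, while the same check for port 80 passes, which is the situation Wodin suggests looking for.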

WrinkledCheese wrote:

I telnet and paste the known hash in /etc/passwd.  Then I manually take down telnet, move dropbear to 23, enable wireless and configure essid and channel then forward my http port.  Other than that it's a stock kamikaze 7.09 k2.4 installation.  I locked myself out once with the firewall and once with ssh trying to get this system up so I can work on it from anywhere.

Wodin wrote:

What I don't understand is why you need to run dropbear on port 23.  As I said in my last post, if you are not going to allow SSH connections to your router from the WAN then you don't need to change the port that dropbear listens on.

Well, this is more of a preference, just a port change for the non-primary server.

Wodin wrote:
WrinkledCheese wrote:

I am using port 22 on my machine with sshd.  I tried making the router forward port 22 (and have dropbear only listen on 23) but I was getting connection refused and there is no firewall between the router and the system except the firewall.  I set it up just as I have for my web server and it didn't seem to forward the port.  All I did was add a line to the end of /etc/config/firewall.

Unfortunately I don't have access to anything running OpenWrt right at the moment, but maybe there's another rule in the router's firewall that blocks port 22.  Try looking at the output of "iptables -nvL".

I checked and nothing was specifically blocking port 22.  As I've said, I can set dropbear to listen to port 23 and forward port 22, but if I connect to port 22, which is also being forwarded by the firewall, it doesn't forward me, I just get the OpenWRT MoTD.

Wodin wrote:
WrinkledCheese wrote:

When I do set up ssh forwarding through dropbear I can connect but from what I have read the dropbear packaged with OpenWRT is compiled to forward all dropbear forwards to local host.  That explains why when I did get connected it was always the router when it should have been forwarded either through the firewall or through both the firewall and the dropbear.  I read that in the PDF of my previous post at the end of page 4 I think.

I'm just trying to figure out if compiling dropbear is going to solve my problem.  It seems like it is but I'm not quite sure.

Well, it might.  I don't know, but I don't think it would be the best solution to the problem even if it did work.  You would be running one SSH session over another SSH session.  This is not likely to work optimally.

e.g. see this URL: http://sites.inka.de/~W1011/devel/tcp-tcp.html

I just want to use scp so I can copy files.  CVS would also work but I have an easier time finding a browser based ssh client than cvs.  I'm trying to forward port 22 on the router to my ssh server on my machine while still listening on port 23 on the router.  I've tried just iptables forwards; this works fine with HTTP and HTTPS.  I tried just dropbear.  I tried both.  The only thing I can get is onto the router when I forward in both the firewall and dropbear.  I am also modifying /etc/rc.d/S50dropbear to include the -a option when dropbear is run.  Netstat then shows it listening on both 22 and 23.

WrinkledCheese wrote:

I copied and pasted because I read somewhere that once you run the passwd command, on OpenWRT, it disables the ssh and telnet daemons.

No.  After you flash OpenWrt, telnet is enabled and SSH is disabled.
After you run "passwd", telnet is disabled and SSH is enabled.

See: http://wiki.openwrt.org/OpenWrtDocs/Using

In particular this part:

 === IMPORTANT ============================
  Use 'passwd' to set your login password
  this will disable telnet and enable SSH
 ------------------------------------------

This is for White Russian, but Kamikaze works the same way w.r.t. telnet/SSH and setting the password via the passwd command.

I must have misread that part.  I don't think I got it from the docs though, maybe forum.
