How to get ssh RemoteForward working?

dahart

New Around Here
Hi, can I ask a possibly stupid question here?

I'm trying to get ssh remote port forwarding working on my Asus RT-AC3200. I'm running Asuswrt-Merlin 380.65 (updated yesterday).

Regular port forwarding is working just fine, I can use the webui to setup port forwarding, and it works for me (as long as NAT acceleration is disabled). What I'm having trouble with is using the -R or RemoteForward options of an ssh connection.

Is there some other step I'm missing? I'm wondering if there might be some webui settings I need to change, or maybe routing or commands I need to run or ssh options I should be using to get the port to open and forward to a machine inside my home network.

Here's what I've observed, what I've tried, and the settings I have that I suspect are relevant:

- WebUI port forwarding works correctly.
- ssh LocalForward (-L) is working correctly, I can run ssh and connect to a local port that gets forwarded to the Asus' LAN net.
- ssh DynamicForward (-D) is working correctly, I can successfully use the Asus+ssh connection as a SOCKS proxy.
- The ssh RemoteForward command I'm using is working correctly on another device inside my network, so I'm sure the ssh command is configured correctly.
- When I was running 380.64 yesterday, ssh RemoteForward was working on the Asus' LAN address, but not on its WAN address -- I could only connect to the forwarded port if I used 10.0.1.1 from inside the LAN, but the port wouldn't connect using my DDNS address.
- Today using 380.65, I haven't been able to get either the LAN address or the WAN address to respond. (I'm not certain the FW version has anything to do with it, just mentioning it.)
- I can run httpd on a random port on the Asus, and connect to it on both LAN & WAN addresses.

Settings:
ssh is set to WAN+LAN, allow port forwarding is set to YES, I've tried with Brute Force Protection both on & off.
Most of my testing has involved Enable Firewall set to "No"; I assumed the Firewall needs to be turned off, but I'm not sure.
I've tried toggling the NAT loopback setting (noting the LAN/WAN discrepancy yesterday), but saw no difference.
I have NAT acceleration disabled.
I have webui Port Forwarding enabled, but have tried turning it off thinking maybe it overrides what ssh is trying to do. No difference. Most of the time I've had no port forwarding entries in the table.

I don't yet know how to use or read iptables properly, or whether I would even see ssh port forwards listed there (yes I am someone who only knows enough to get himself into trouble;)). However, I did dump my iptables after reading some other threads here. I diffed the tables from before and after running ssh with various forwarding configs in them, and I saw no differences relevant to the ssh command, nor the ports that were forwarded and working, so I started thinking iptables might not help me debug this, or I didn't look at the right tables? The commands I tried & diffed were: "iptables --table nat --list -v" and "iptables --list -v".

Am I overlooking something obvious? Is there something special I should be doing to allow ssh to open a port to listen on?
 
Most of my testing has involved Enable Firewall set to "No"; I assumed the Firewall needs to be turned off, but I'm not sure.
Never turn off the router's firewall unless you have another device acting as a firewall between you and the internet.
 
Never turn off the router's firewall unless you have another device acting as a firewall between you and the internet.

Sounds good to me. Are you implying that having the Firewall enabled will not interfere with either webui or ssh port forwarding?

I only disabled it because after Googling why I couldn't get webui port forwarding working, most people either reported success by disabling NAT acceleration or disabling the firewall. Once I did both of those, my webui port forwarding worked the way I hoped/expected.

This is tangential to my ssh question of course, but I'd love to learn more -- does the Firewall do something beyond the filter rules? For example, the default settings have the URL, Keyword, and Network Services filters disabled. The general firewall was enabled, but only IPv6 firewall was on by default, and the description seems to suggest that only unsolicited inbound IPv6 traffic is blocked. Is having the general firewall enabled doing some IPv4 filtering, even with the other 3 filters turned off?

I would also love to learn a little more about what the likely threats are with Firewall disabled, just for my own edification -- are there ways hackers can get inside the LAN if I don't have any port forwarding turned on? I'm generally conscientious about the services I run on machines inside the LAN, and I've tried to disable services I don't use and harden the services I do use, but devices and software in my house are certainly doing lots of things that I'm not entirely aware of. With the firewall disabled but no port forwarding, what are the most likely dangers & attack vectors?
 
Are you implying that having the Firewall enabled will not interfere with either webui or ssh port forwarding?
The router will create the appropriate firewall rules to allow the traffic through. If the rules don't work with the firewall enabled then either the rules are wrong or there's a bug in the firmware (a few people have reported port forwarding issues with recent builds).

I feel your other question about firewalls is too broad to be answered meaningfully in a forum. There are plenty of books available on the subject though. Suffice it to say the firewall is your router's primary line of defence, it should not be disabled lightly. Case in point, there were multiple reports recently in these forums where people's routers had been hacked because they had enabled web access from the WAN.
 
Never turn off the router's firewall unless you have another device acting as a firewall between you and the internet.

As long as he's still NAT'ed he's actually safe... NAT is a firewall by design...

But I agree and concurrently caution here - be mindful of services opened up on any public facing interface.
 
As long as he's still NAT'ed he's actually safe... NAT is a firewall by design...
NAT will protect his LAN but not his router. Now of course, there shouldn't be any unwanted router services listening on the WAN interface... but how many times have we seen that to not be the case. And once you add in IPv6 it's a whole new ball game.
 
NAT will protect his LAN but not his router. Now of course, there shouldn't be any unwanted router services listening on the WAN interface... but how many times have we seen that to not be the case.

concur - and there, one shouldn't be running any services that are not necessary for the router to do its job.

There is where folks start getting into trouble with security issues.
 
concur - and there, one shouldn't be running any services that are not necessary for the router to do its job.

There is where folks start getting into trouble with security issues.

I totally agree, and I think I am fairly mindful personally, but I appreciate the warning, and I know it's a useful reminder to others who might be reading.

But -- in this case with ssh -R, I'm specifically and intentionally trying to expose a local service on my laptop to the internet, and having trouble making it work. I'm aware of the risks and would like to be able to set up port forwards on the fly as necessary using ssh, as part of my web development work. Do you guys have any insight or advice or tool suggestions for tracking down why the Asus router's sshd might not be respecting or responding to the ssh RemoteForward option? I didn't mention before, but I also tried using a LocalForward originating from the router, forwarding to my laptop, and that didn't work either. I am able to use webui static port forwarding from the router to my laptop or other devices inside my network, so I'm not stuck. But using ssh to expose ports on the fly would be simpler, quicker, safer, and more flexible, and I also *really* want to understand why it's not working the way I expect and how people normally track this kind of issue down.
 
@dahart Check the dropbear process on your router. There was a discussion here about a conflict in the parameters one of which (-k) disables remote port forwarding. Perhaps remote port forwarding is always disabled.
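Added example (editor's code, not part of any post above): a small POSIX sh diagnostic for the two checks this thread points to. The original poster diffed iptables and saw nothing, which is the expected result: a remote forward opened by the router's ssh daemon is an ordinary listening socket owned by the dropbear process, not a netfilter rule, so it appears in `netstat -tlnp` and never in `iptables -L`. The last reply points at dropbear's own flags: `-k` disables remote port forwarding entirely, and without `-a` dropbear binds any remote forward to 127.0.0.1 on the router, so the port is unreachable from both LAN and WAN even though the ssh session reports no error. The `ps` and `netstat` lines below are constructed samples, not output captured from the thread's router, and the port numbers (22, 80, 8080, 3000) are illustrative. To reach a forward from outside the router you need both dropbear started with `-a` and a client request for a non-loopback bind address, e.g. `ssh -R 0.0.0.0:8080:localhost:3000 admin@router`; with the router firewall enabled an INPUT rule for that port is additionally required, which this script does not cover.

```shell
#!/bin/sh
# Diagnose dropbear remote-forwarding behaviour from `ps` and `netstat` output.
# On the router you would feed it live output, e.g.:
#   dropbear_remote_forward_status "$(ps | grep '[d]ropbear')"
#   forward_bind_addr "$(netstat -tln)" 8080

# Constructed sample of a `ps` line for the router's ssh daemon (not real output).
SAMPLE_PS='  468 admin     1228 S    dropbear -p 22 -j -k -a'

# Constructed sample of `netstat -tln` after a client ran
#   ssh -R 8080:localhost:3000 admin@router
# against a dropbear started WITHOUT -a: the forward is bound to loopback only.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN'

# Strip everything up to and including the dropbear binary name (with or without
# a path) from a ps line, leaving only the daemon's arguments.
dropbear_args() {
    printf '%s\n' "$1" | sed -n 's/.*dropbear[^ ]*//p'
}

# Classify remote forwarding from the dropbear arguments:
#   disabled       -k present ("Disable remote port forwarding")
#   any-host       -a present ("Allow connections to forwarded ports from any host")
#   loopback-only  neither flag; -R listeners bind to 127.0.0.1 on the router
dropbear_remote_forward_status() {
    disabled=0
    anyhost=0
    for arg in $(dropbear_args "$1"); do
        case "$arg" in
            -k) disabled=1 ;;
            -a) anyhost=1 ;;
        esac
    done
    if [ "$disabled" -eq 1 ]; then
        echo disabled
    elif [ "$anyhost" -eq 1 ]; then
        echo any-host
    else
        echo loopback-only
    fi
}

# Print the local address a TCP LISTEN socket on port $2 is bound to, or "none"
# if nothing is listening there (the symptom when dropbear runs with -k).
# "127.0.0.1" means loopback only; "0.0.0.0" means reachable from LAN and WAN.
forward_bind_addr() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 == "tcp" && $6 == "LISTEN" && $4 ~ (":" p "$") {
            sub(":" p "$", "", $4)
            print $4
            found = 1
        }
        END { if (!found) print "none" }'
}

# Stand-alone usage on the constructed samples.
echo "dropbear remote forwarding: $(dropbear_remote_forward_status "$SAMPLE_PS")"
echo "port 8080 is bound on:      $(forward_bind_addr "$SAMPLE_NETSTAT" 8080)"
echo "port 9090 is bound on:      $(forward_bind_addr "$SAMPLE_NETSTAT" 9090)"
```

Reading the two results together tells you which of the three states you are in: "disabled" means no `-R` can ever work until the `-k` is removed from the dropbear start-up line; a "127.0.0.1" bind means the forward exists but only the router itself can reach it, so `-a` on the daemon and a `0.0.0.0:` prefix on the client's `-R` are what is missing; "0.0.0.0" means the socket is fine and any remaining blockage is in the firewall's INPUT chain, not in ssh.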
 