kameelperdza
Member
Topic Author
Posts: 468
Joined: Thu Nov 27, 2008 11:45 am
Location: Oudtshoorn, South Africa

How to use port 222 for ssh access?

Thu Dec 09, 2010 12:44 pm

Hi there, I am trying to forward all SSH requests on port 222 to go to port 22, but I'm having some trouble.
Here is the rule that I have added.
The reason I want to do this is so that I can log into the router if I have locked myself out.
I still want to allow port 22 for admin users.
ip firewall filter add chain=input action=accept src-port=222 dst-port=22 protocol=tcp
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: How to use port 222 for ssh access?

Thu Dec 09, 2010 1:20 pm

You need to mark the connection and then use NAT.
/ip firewall mangle
add chain=prerouting action=mark-connection new-connection-mark=newssh protocol=tcp in-interface=ether1 dst-port=222

/ip firewall nat
add chain=dstnat action=dst-nat to-ports=22 protocol=tcp dst-port=222 connection-mark=newssh
add chain=srcnat action=src-nat to-ports=222 protocol=tcp src-port=22 connection-mark=newssh
If ether1 is not your WAN interface, change that to the correct interface.

Then from a shell on a remote computer:
ssh x.x.x.x -p 222 -l username
or
ssh x.x.x.x -l username
 
kameelperdza
Member
Topic Author

Re: How to use port 222 for ssh access?

Thu Dec 09, 2010 2:03 pm

Thank you.
 
SurferTim
Forum Guru

Re: How to use port 222 for ssh access?

Thu Dec 09, 2010 4:34 pm

If your goal is to prevent locking yourself out of your router, you might want to put a "failsafe" filter rule in your router.
/ip firewall filter
add chain=input action=accept src-address=x.x.x.x/y
print
move X 0
Change X to the line number of the new rule, and x.x.x.x/y to the IP/subnet of the remote computers that should have unlimited access to RouterOS. This new rule should be the first rule in your filter.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: How to use port 222 for ssh access?

Thu Dec 09, 2010 4:47 pm

Sorry to butt in, but this can be done with one line:
ip firewall nat add dst-address-type=local dst-port=222 protocol=tcp action=redirect to-ports=22 chain=dstnat
That said, I agree that you should rather either whitelist an IP block like Tim described, look up port knocking (there was a US MUM 2010 presentation on it in great detail), or look into VPNs.
 
SurferTim
Forum Guru

Re: How to use port 222 for ssh access?

Thu Dec 09, 2010 4:55 pm

Fewi is correct about port knocking. I use a BlackBerry, and the IP changes as I move from provider to provider. It allows me to port knock and get in from anywhere.

I did not see the MUM presentation, but I use "mousetraps" on the ports immediately above and below the port knock port. If you hit one of those first (port scanning), you are blocked for a day.
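As an added illustration (not part of SurferTim's post, and not from MikroTik's own documentation), here is one way the knock-plus-mousetrap idea from the last two posts can be expressed as RouterOS address-list rules. The knock ports 1111 and 2222, the trap ports on either side of them, the address-list names and the timeouts are all assumed values chosen for this example.

```routeros
# Added example, not from the thread. Assumed ports: knock on 1111 then 2222,
# traps on 1110/1112 and 2221/2223. List names and timeouts are also assumed.
/ip firewall filter
# 1. Anyone who previously hit a trap port is dropped outright for one day.
add chain=input protocol=tcp src-address-list=knock-blacklist action=drop \
    comment="mousetrap: blocked for a day"
# 2. Trap ports sit just above and below each knock port. A sequential port
#    scan touches them before (or instead of) the real knock and gets listed.
add chain=input protocol=tcp dst-port=1110,1112,2221,2223 \
    action=add-src-to-address-list address-list=knock-blacklist \
    address-list-timeout=1d comment="mousetrap ports"
# 3. First knock: remember the source for 15 seconds.
add chain=input protocol=tcp dst-port=1111 \
    action=add-src-to-address-list address-list=knock-stage1 \
    address-list-timeout=15s comment="knock stage 1"
# 4. Second knock, only valid from a source still in stage 1: open SSH for an hour.
add chain=input protocol=tcp dst-port=2222 src-address-list=knock-stage1 \
    action=add-src-to-address-list address-list=knock-allowed \
    address-list-timeout=1h comment="knock stage 2"
# 5. SSH is accepted only from sources that completed the sequence; everyone
#    else reaching port 22 is dropped. With fewi's redirect in place, connections
#    to 222 arrive here as dst-port=22 because dst-nat runs before input filtering.
add chain=input protocol=tcp dst-port=22 src-address-list=knock-allowed action=accept
add chain=input protocol=tcp dst-port=22 action=drop
```

Two points to keep in mind when placing these: `add-src-to-address-list` does not terminate rule processing, so a packet to a trap or knock port continues down the chain and should be caught by a final drop on the input chain rather than being accepted by default; and the source-address failsafe rule from earlier in the thread still belongs at position 0, above all of this, so that a mistake in the knock rules cannot lock out the admin network. The blacklist drop (rule 1) must stay above the knock rules, otherwise a scanner that has already tripped a trap could still complete the sequence within the same day.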
