Hot to use port 222 for ssh access?

kameelperdza · December 9, 2010, 10:44am

Hi there i am trying to forward all ssh requests on port 222 to go to port 22. But im having some trouble.
Here is the rule that i have added.
The reason why i want to do this is so that i can log into router if i have locked myself out.
I stil want to allow port 22 for admin users.

ip firewall filter add chain=input action=accept src-port=222 
dst-port=22 protocol=tcp

SurferTim · December 9, 2010, 11:20am

You need to mark the connection and then use a nat.

/ip firewall mangle
add chain=prerouting action=mark-connection new-connection-mark=newssh protocol=tcp in-interface=ether1 dst-port=222

/ip firewall nat
add chain=dstnat action=dst-nat to-ports=22 protocol=tcp dst-port=222 connection-mark=newssh
add chain=srcnat action=src-nat to-ports=222 protocol=tcp src-port=22 connection-mark=newssh

If ether1 is not your wan interface, change that to the correct interface.

Then from a shell on a remote computer:
ssh x.x.x.x -p 222 -l username
or
ssh x.x.x.x -l username

kameelperdza · December 9, 2010, 12:03pm

thank you

SurferTim · December 9, 2010, 2:34pm

If your goal is to prevent locking yourself out of your router, you might want to put a “failsafe” filter rule in your router.

/ip firewall filter
add chain=input action=accept src-address=x.x.x.x/y
print
move X 0

Change X to the line number of the new rule, and x.x.x.x/y to the ip/subnet of the remote computers that should have unlimited access to the router OS. This new rule should be the first rule in your filter.

fewi · December 9, 2010, 2:47pm

Sorry to butt in, but this can be done with one line:

ip firewall nat add dst-address-type=local dst-port=222 protocol=tcp action=redirect to-ports=22 chain=dstnat

That said I agree that you should rather either whitelist an IP block like Tim described, or look up port knocking (there was a US MUM 2010 presentation on it with great detail), or look into VPNs.

SurferTim · December 9, 2010, 2:55pm

Fewi is correct about port knocking. I use a Blackberry, and the ip changes as I move from provider to provider. It allows me to port knock and get in from anywhere.

I did not see the MUM presentation, but I use “mousetraps” on the ports immediately above and below the port knock port. If you hit one of those first (port scanning), you are blocked for a day.