Remote SSH port not forwarded
-
- Posts: 51
- Joined: Thu Dec 18, 2008 1:11 pm
Remote SSH port not forwarded
I have set my remote ssh port but I still can't connect remotely. A port scan reveals that the port is still closed; probably it isn't updated in the firewall rules?
Thanks!
Re: Remote SSH port not forwarded
That's odd... I always have this feature active, and it's never failed for me.
Can you ssh into your router (locally) and show me the output of the following commands?
1) iptables -t nat -L
2) iptables -t mangle -L
3) iptables -t filter -L
4) uci show firewall
Re: Remote SSH port not forwarded
Hi, I sent you a link to the needed info via private message since I felt uncomfortable posting stuff like that online 

Re: Remote SSH port not forwarded
I see a couple things in what you sent me. Based on your iptables output it's clear that the necessary rule isn't getting inserted into iptables. However, you have the proper rule defined in your uci firewall config.
I have an idea what may be causing the problem, but I'm not certain. There was a bug I fixed a couple weeks ago that was causing empty rules to be added to the firewall config. My observation was that they weren't doing any harm, but they really shouldn't be there, so I fixed it. I notice you have a couple empty rules, so you're probably using firmware from before I fixed this. It's possible they are preventing the proper rule from being generated. I don't see anything else that could possibly cause any problems.
So, try this: ssh in, then run the command "uci del firewall.@remote_accept[0]" 3 times. This will delete both the empty rules and remove the rule that allows remote ssh access.
Then download a fixed version of the access.js script, which is where the bug was, from where I've uploaded it here: http://gargoyle-router.com/experimental/access.js Use scp to transfer this script to your router into /www/js/access.js, which will replace the old version (e.g. run "scp access.js root@[your router ip]:/www/js"). Then, go back to the gargoyle GUI and re-check the box to re-enable remote ssh access, and save your changes.
If that still doesn't work, run the same four commands as before and send me the output via PM again.
Re: Remote SSH port not forwarded
Hmm, I used wget to download the new file and afterwards chmod +x to change the permissions. But still: when I use that new access.js file, the save configuration button doesn't seem to do anything. When I click it I don't get the message that the config is being saved. My old files are from February 23, btw, but I have gone through several versions the last weeks, always backing up and restoring my configuration with the web interface, if that matters.
Re: Remote SSH port not forwarded
Oops.. sorry about that. There's a more recent (fairly major) change to that file that is going to make everything fail unless you are actually running the latest version.
I just uploaded a new version of the access.js file (same link) which is from before the change that breaks backwards-compatibility.
Again, very sorry about that.
Re: Remote SSH port not forwarded
No need to be sorry
This time the access.js file worked to the extent that it actually saved something. But still, I don't believe it did anything to the iptables rules. Wonder if this problem somehow relates to my dyndns problem ...
Info sent via PM.
Strange thing is, I am pretty sure remote access has worked before with gargoyle - as has dyndns after your fix. But since I only use the remote access very sparingly every few weeks I can't pinpoint a date or anything - I can only say my last update was February 23.
Re: Remote SSH port not forwarded
Aaaaah.... I see the problem. I should have seen it the first time but somehow I missed it. The problem is this:
Code:
firewall.@include[0].path=/etc/parse_remote_accept.firewall
When I implemented loop-back forwarding the name/location of the script changed to reflect that it's doing more than handling remote connections. Since you copied this config file from an older version, it still has the old (invalid) location. Run this command:
Code:
uci set firewall.@include[0].path="/usr/lib/gargoyle_firewall_util/gargoyle_additions.firewall"
(Note that is one command, even though it's getting wrapped to two lines in this post because it's fairly long)
Sorry I haven't been able to help any more with the dyndns issue -- As noted in the other thread I've tried again, but I just can't replicate what you're seeing. It seems to work fine for me. Are you sure you've entered your username/password/domain etc correctly?
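A check for the failure diagnosed above, as an added example that is not part of the original posts or of Gargoyle's own code: it reads `uci show firewall` output and lists include paths that point at no file, which is how a config restored from older firmware ends up without its generated iptables rules. The function names, the scratch-directory root and the sample config are constructed for illustration.

```sh
#!/bin/sh
# Added example: flag firewall include scripts that no longer exist on disk.
# On a router:  uci show firewall | stale_includes
# Offline:      pass a scratch directory as $1 to act as the filesystem root.

stale_includes() {
    root="${1:-}"
    # Keep only the value of lines shaped like firewall.@include[N].path=VALUE
    sed -n 's/^firewall\.@include\[[0-9]*\]\.path=//p' |
    while IFS= read -r path; do
        # uci may quote values; strip one leading and one trailing quote
        path=$(printf '%s' "$path" | sed "s/^['\"]//; s/['\"]\$//")
        # Print the path only when no regular file exists there
        [ -f "$root$path" ] || printf '%s\n' "$path"
    done
}

# Constructed sample: the old include path from the thread next to the new one.
sample_config() {
cat <<'EOF'
firewall.@include[0]=include
firewall.@include[0].path=/etc/parse_remote_accept.firewall
firewall.@include[1]=include
firewall.@include[1].path='/usr/lib/gargoyle_firewall_util/gargoyle_additions.firewall'
EOF
}

# Build a scratch root in which only the new script exists, then run the check.
demo() {
    scratch=$(mktemp -d)
    mkdir -p "$scratch/usr/lib/gargoyle_firewall_util"
    : > "$scratch/usr/lib/gargoyle_firewall_util/gargoyle_additions.firewall"
    sample_config | stale_includes "$scratch"
    rm -rf "$scratch"
}

demo
```

An empty result means every include resolves; any path printed is a script the firewall will try to load and not find.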
Re: Remote SSH port not forwarded
Ah, thanks - it worked
I had a hunch that keeping the old configuration could be the cause because of the many ongoing changes but I figured I might ask for help here anyway before starting off with a completely new config. For the dyndns problem, I will post in that thread to keep things clean and tidy here

