Connecting to DSL-2740B via ssh

Back again, struggling with a stupid issue related to the DSL modem.

I was trying to connect to the modem via ssh, but there was no way to get it to work. With ssh I got this log:

debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa
debug2: kex_parse_kexinit: 3des-cbc
debug2: kex_parse_kexinit: 3des-cbc
debug2: kex_parse_kexinit: hmac-sha1,hmac-md5
debug2: kex_parse_kexinit: hmac-sha1,hmac-md5
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: setup hmac-md5
debug1: kex: server->client 3des-cbc hmac-md5 none
debug2: mac_setup: setup hmac-md5
debug1: kex: client->server 3des-cbc hmac-md5 none
debug2: bits set: 539/1024
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY

The server and client don't agree on the connection parameters, so the server closes the connection (something that happens with people in real life too). The client therefore has to force the parameters needed to talk to it, namely the cipher and the host key algorithm:

The command line becomes this:

ssh -o Ciphers=3des-cbc -o HostKeyAlgorithms=ssh-rsa,ssh-dss 192.168.1.1 -vv -l admin

To remember these settings I use .ssh/config:

Host router
HostName 192.168.1.1
User admin
Ciphers 3des-cbc
HostKeyAlgorithms ssh-rsa,ssh-dss
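As an added example (not code from the original post), here is a small Python script that reads the server's half of the -vv output above, reports which of the offered algorithms are legacy ones, and writes a Host stanza that pins them to the router only, so the global ssh defaults stay strict. It goes slightly beyond the post by also pinning KexAlgorithms and MACs, which newer OpenSSH clients need as well; the LEGACY set is an assumption and the sample log is a constructed copy of the modem's KEXINIT.

```python
# Added example: diagnose a failed SSH negotiation from the "kex_parse_kexinit"
# lines and emit a host-scoped ssh_config stanza (not code from the post).
# Field order of an SSH2_MSG_KEXINIT proposal (RFC 4253, section 7.1).
KEXINIT_FIELDS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s",
                  "mac_s2c", "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

# Assumption: algorithms that current OpenSSH clients no longer enable by default.
LEGACY = {"diffie-hellman-group1-sha1", "ssh-rsa", "ssh-dss", "3des-cbc", "hmac-md5"}

# Constructed sample: the server's KEXINIT as printed by "ssh -vv" above.
SAMPLE_LOG = """\
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa
debug2: kex_parse_kexinit: 3des-cbc
debug2: kex_parse_kexinit: 3des-cbc
debug2: kex_parse_kexinit: hmac-sha1,hmac-md5
debug2: kex_parse_kexinit: hmac-sha1,hmac-md5
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
"""

def parse_server_kexinit(log):
    """Return {field: [algorithms]} for the peer's (second) KEXINIT block."""
    values = [line.split(":", 2)[2].strip() for line in log.splitlines()
              if line.startswith("debug2: kex_parse_kexinit:")]
    # ssh -vv prints the client's proposal first, then the server's; each block
    # ends with first_kex_follows + reserved, so take the ten lines before the last.
    trailer = max(i for i, v in enumerate(values) if v.startswith("first_kex_follows"))
    fields = values[trailer - 10:trailer]
    return {k: [a for a in v.split(",") if a] for k, v in zip(KEXINIT_FIELDS, fields)}

def legacy_offered(kexinit):
    """Which fields contain algorithms from LEGACY, so you know what you are accepting."""
    return {k: [a for a in v if a in LEGACY] for k, v in kexinit.items()
            if any(a in LEGACY for a in v)}

def ssh_config_stanza(host, hostname, user, kexinit):
    """Pin the weak algorithms to this Host only; the global defaults stay strict."""
    return "\n".join([f"Host {host}", f"    HostName {hostname}", f"    User {user}",
                      f"    KexAlgorithms {','.join(kexinit['kex'])}",
                      f"    HostKeyAlgorithms {','.join(kexinit['hostkey'])}",
                      f"    Ciphers {','.join(kexinit['enc_c2s'])}",
                      f"    MACs {','.join(kexinit['mac_c2s'])}"])
```

Paste the real -vv output in place of SAMPLE_LOG and append the returned stanza to ~/.ssh/config; everything else on the client keeps its normal algorithm set.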


Wake on Wan with DSL-2740B

Using Wake on LAN is quite simple; trying to use it from the internet requires some extra attention. When you use WOL you send a broadcast packet to your modem/router and the modem/router propagates this broadcast packet to all Ethernet-connected devices.

To send a WOL packet from the internet, to be sure the packet reaches your modem over the internet you have to send it to the modem's IP, not to a broadcast address. When the packet reaches the modem, the modem tries to deliver the packet, with the MAC address in it, to a connected device using the routing tables. The routing table tells the modem to forward every packet arriving on port 9 (the port usually used for WOL) to your workstation (because you previously set up the routing table that way). So, for example, your packet should be sent to the workstation with IP 192.168.1.2. But your workstation is offline, so the router doesn't know where IP 192.168.1.2 is.
How can you tell the modem that 192.168.1.2 is connected?

This job is done by the ARP (Address Resolution Protocol) table of your modem, but the table is empty if your workstation has been offline for a while or if your modem clears the ARP table periodically.

To add the missing entry to the ARP table you have to sign in to your modem using telnet and from there type this command with the right parameters:

arp add 192.168.1.2 11:22:33:44:55:66

Now you can send a WOL packet from the internet and your workstation should wake up correctly.


Transparent proxy with ADSL Router and Squid3

I recently bought a new D-Link ADSL (DSL-2740B) modem/router in the hope of getting WOL working over the internet. The day after the really fast installation I found an unknown MAC address in the wifi connection log. I thought it could be an unsuccessful attempt to get into my LAN; raising the log level to debug, the next day I found the same MAC address successfully connecting to my wifi. OK, I know my wifi password isn't really secure, but I thought my neighbours wouldn't be able to hack it, nor would they have time to spend on such things. Anyway, how did he manage it? I want to know, but first I have to find out who he is, and the best way is to take a look at the pages he is looking at. How to do it without him knowing? Very simple: a transparent proxy.

Transparent Squid3 proxy

In the past I installed transparent proxies without problems, but everything was on the same machine (iptables, router, proxy). Now what I have is my HTPC based on Ubuntu 13.04 and a D-Link router. Installing a transparent proxy based on squid is very simple:

sudo apt-get install squid3

Now edit your configuration file:

sudo nano /etc/squid3/squid.conf

Apply the following changes:

http_port 3128 transparent

acl localnet src 192.168.1.0/16

http_access allow localnet

This should be enough; remember to use your own network IPs. Restart Squid:

sudo service squid3 stop ;sudo service squid3 start

Router configuration

Now this is the part that made me really happy about buying the new modem. If you look at the web interface you will never get things working; the web interface is too limited. But... if you connect to the router with telnet you have the power of a full Linux environment. Running some commands, I thought it would be possible to route incoming HTTP connections to the proxy and route the answers back to the client. Perhaps this could work with other modems too; just try the command:

iptables -L -t nat

If you see some output, you can use your modem to route requests to your external proxy server. Run these lines (192.168.1.3 is the client to intercept, 192.168.1.2 the proxy host, 192.168.1.1 the router):

iptables -t nat -I PREROUTING 1 -s 192.168.1.3 -p tcp --dport 80 -j DNAT --to 192.168.1.2:3128
iptables -t nat -I POSTROUTING 1 -s 192.168.1.3 -d 192.168.1.2 -j SNAT --to 192.168.1.1
iptables -I FORWARD 1 -s 192.168.1.3 -d 192.168.1.2 -p tcp --dport 3128 -j ACCEPT

If you want to remove the routing rules just run the following commands:

iptables -t nat -D PREROUTING -s 192.168.1.3 -p tcp --dport 80 -j DNAT --to 192.168.1.2:3128
iptables -t nat -D POSTROUTING -s 192.168.1.3 -d 192.168.1.2 -j SNAT --to 192.168.1.1
iptables -D FORWARD -s 192.168.1.3 -d 192.168.1.2 -p tcp --dport 3128 -j ACCEPT

Be sure to do the following things correctly to make everything work:

  • Don't use the -A (append) option; use -I $CHAIN 1 (insert at position one), so you can be sure your rules are evaluated before the router's own rules
  • Use the router's DHCP to ensure your intruder gets the IP you used in the router's configuration
  • Be very careful when playing with iptables rules; bad things could happen 🙂

After some more tries it seems that the only necessary rule is the first one:

iptables -t nat -I PREROUTING 1 -s 192.168.1.3 -p tcp --dport 80 -j DNAT --to 192.168.1.2:3128

Using the second rule makes all requests arriving at the proxy appear to come from the router itself instead of from the remote machine.
