exclude router's SSH port

bridge-install.sh

@@ -163,4 +163,11 @@ echo "Set net.ipv4.ip_forward=1 in /etc/sysctl.conf"
 mkdir -p /var/lib/dnsmasq/
 echo "Created /var/lib/dnsmasq/"
 
+# Set up the SSH server. The port number may change and we won't always
+# know what it used to be, so just remove all lines starting with "Port "
+sed -i '/^Port /d' /etc/ssh/sshd_config
+echo "Port $ROUTER_SSH_PORT" >> /etc/ssh/sshd_config
+systemctl restart ssh
+echo "Set SSH server port to $ROUTER_SSH_PORT"
+
 echo -e "\n\n\n==============\nDone!\nNow reboot!"

bridge/bridge-lan.sh

@@ -88,10 +88,12 @@ iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
 iptables -t nat -I POSTROUTING -o $WLAN_IFACE -j MASQUERADE
 echo "Created iptables to route traffic between nets"
 
-# Port forward everything to the single client
+# Exclude the SSH port from forwarding so we can still administer the router
+iptables -t nat -A PREROUTING -i $WLAN_IFACE -p tcp --dport $ROUTER_SSH_PORT -j RETURN
+# Forward all other ports to the single wired device
 iptables -t nat -A PREROUTING -i $WLAN_IFACE -j DNAT --to-destination $BRIDGED_CLIENT_IP
 iptables -t nat -A POSTROUTING -o $ETH_IFACE -j MASQUERADE
-echo "Port forwarded everything to the single bridged client"
+echo "Redirected the router's ports to the single bridged client"
 
 echo -en "\nRestarting dnsmasq..."
 service systemd-resolved stop

config/config.sh.example

@@ -7,6 +7,10 @@ WIFI_SSID="Example-Network"
 WIFI_USERNAME="username"
 WIFI_PWD="password"
 
+# Make this port accessible on the router and have its SSH server on it.
+# The installer will modify the SSH server's config.
+ROUTER_SSH_PORT=64535
+
 # "transparent": the bridge device clones the client's MAC address and NATs traffic to a private LAN. Only supports one bridged client.
 # TODO: support bridging multiple clients connected to an ethernet hub
 # BRIDGE_MODE="transparent"