
Dynamic configuration of iptables

Discussion in 'Tomato Firmware' started by hpsmartyz, Oct 12, 2007.

  1. hpsmartyz

    hpsmartyz LI Guru Member


    Since I have opened ports on my GL towards a syno behind it, I am subject to brute force attacks with login dictionaries (auth log files exceed 5Mo in a few days).
    I would like to try something and would like your advice on its feasibility.
    Assuming I am able to get the attacking IP @s from the log files (if there is a better way, I am open to any suggestion), could I ask my syno to update the iptables and so block the IP @ directly on the router?

    I have read here that this command would do the trick
    iptables -I FORWARD -d xxx.xxx.xxx.xxx -j DROP

    The question is how could I pass this command to the router?
    - via telnet?
    - or could the router read a script/definition file hosted on the syno where these instructions would be collected?

    Subsidiary question: is leaving telnet continuously running on the router a security breach (from the WAN)?

    Last, but important question, is my idea silly? :biggrin:

    many thanks
  2. u3gyxap

    u3gyxap Network Guru Member

    Nope. If it is coming to the router, it should be like this:
    iptables -I INPUT -s xxx.xxx.xxx.xxx -j DROP
    You either pass it via ssh/telnet, or put it in the firewall script section in the web GUI.
    Normally, telnet should be disabled, since it is unsecured. Use SSH instead, with a 9+ character password.
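    A worked version of the idea from the two posts above, added here as an illustration and not code from either poster: it counts failed SSH logins per source address in a constructed sample of OpenSSH-style auth log lines, then emits the router's iptables DROP rules in the -s form given in the reply. The NAS log path and format, the router address 192.168.1.1 and key-based SSH to it are assumptions; the script goes slightly beyond the thread by dropping the source in both FORWARD (traffic forwarded to the NAS) and INPUT (traffic to the router itself).

```shell
#!/bin/sh
# Constructed sample of OpenSSH syslog lines standing in for the NAS auth log
# (on a real box you would read /var/log/auth.log or the Synology equivalent).
SAMPLE_LOG='Oct 12 10:01:02 nas sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Oct 12 10:01:05 nas sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Oct 12 10:01:09 nas sshd[1205]: Failed password for root from 203.0.113.7 port 51250 ssh2
Oct 12 10:02:11 nas sshd[1210]: Failed password for invalid user test from 198.51.100.9 port 40000 ssh2
Oct 12 10:03:00 nas sshd[1215]: Accepted password for alice from 192.0.2.20 port 50001 ssh2'

# Print every source IP with at least $1 failed password attempts, one per line.
# Only "Failed password" lines count; successful logins are ignored.
offending_ips() {
    printf '%s\n' "$SAMPLE_LOG" \
      | sed -n 's/.*Failed password for .* from \([0-9.]*\) port .*/\1/p' \
      | sort | uniq -c \
      | awk -v t="$1" '$1 >= t { print $2 }'
}

# Emit the iptables commands the router should run for each offending IP.
# The -D before each -I keeps the rule set free of duplicates when the script
# is re-run (older Tomato builds lack the newer "iptables -C" check).
block_commands() {
    offending_ips "$1" | while read -r ip; do
        for chain in FORWARD INPUT; do
            printf 'iptables -D %s -s %s -j DROP 2>/dev/null; iptables -I %s -s %s -j DROP\n' \
                "$chain" "$ip" "$chain" "$ip"
        done
    done
}

# Send the generated commands to the router's shell over SSH (assumed address
# and user; key-based auth so no password is typed from a cron job).
push_to_router() {
    block_commands "$1" | ssh root@192.168.1.1 'sh -s'
}

# Dry run: print the rules that would be pushed (threshold 3 unless overridden).
block_commands "${THRESHOLD:-3}"
```

    Calling push_to_router with the same threshold applies the printed rules on the router instead of only printing them.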
  3. hpsmartyz

    hpsmartyz LI Guru Member


    thanks for your answer and guidance.
    I guess putting this automatically in the web GUI will be difficult, so I'll go for telnet/ssh.

    Are ssh and telnet accessible from the outside or only from the LAN?

