1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

IPtables: block SSH access except from certain IPs

Discussion in 'Tomato Firmware' started by Spooky, Jan 28, 2013.

  1. Spooky

    Spooky Serious Server Member

    This is not really tomato specfic, but I am trying to create iptables rules (which I will add under Administration - Scripts - Firewall on Tomato on a WRT54GL) which will block all incoming SSH traffic, except from certain IPs. i.e., I want only to allow specific external IPs to connect via SSH to either the router or any server behind it (connections from the LAN to the router via SSH should always be accepted).

    I was thinking of something like this:
    # drop SSH
    iptables -A INPUT -m layer7 --l7proto ssh -j DROP
    # accept SSH from certain IPs
    iptables -A INPUT -m layer7 --l7proto ssh -s -j ACCEPT
    iptables -A INPUT -m layer7 --l7proto ssh -s -j ACCEPT
    iptables -A INPUT -m layer7 --l7proto ssh -s -j ACCEPT
    But I am not sure, if this really does what I want it to do... if I append the first DROP rule (-A) for SSH traffic, wouldn't it be overriden by any port forwarding rules (e.g. I want to forward port 8022 or whatever to a specific server behind the WRT54GL)? I am not even sure if I used the syntax correctly ;). Also this would probably also block all SSH access to the WR54GL from LAN?

    I would appreciate any hints :)
  2. koitsu

    koitsu Network Guru Member

    This is absolutely not what you want to do. Your rules are quite wrong in a lot of regards. The biggest mistake, hands down, no questions asked, is your use of the layer7 module. You are blocking/permitting based on source address, which is layer 3, not layer 7. You do not need to look at the data/payload of the packet to make this determination.

    Please see other threads on the forum explaining how to do this stuff. There are lots of them. :)
  3. gfunkdave

    gfunkdave LI Guru Member

    Just use the build-in GUI in Tomato to do this, on the Admin Access screen.
  4. Spooky

    Spooky Serious Server Member

    Ah, oops ;). Well, I solved the problem that I originally wanted to solve differently now. On the network in question, there is a Synology DiskStation running, which servers as a backup server for several other DiskStations distributed somewhere else. In order to use the default network backup functionality with transfer encryption, you have to keep port 22 open though (port is hard coded unfortunately). This opens up the DiskStation to brute force attack via SSH. Which is not that serious though, every IP is blocked after 5 failed attempts anyway, by using the default Auto Block functionality. But it's a bit annoying and has at least some potential for a security breach. Thus I wanted to only allow SSH connections from specific IPs.

    However, I have now connected these DiskStations to the main one via VPN. In one case I even had to do that, because the network admin blocked port 22 in both directions... :rolleyes: (or just SSH via layer7)

    Another alternative would have been to use PubKey-Auth, which is possible to do on the DiskStations, but I am not sure if the network backup client tool is able to use that, in order to authenticate on the remote DiskStation.

    Hm, what exactly do you mean? I don't see anything there that could help. I am not talking about restricting SSH access to only the WRT54GL router, I wanted to block all incoming SSH connections (regardless of their target), except for specific IPs. Or does the field "Allowed Remote IP Address" apply globally, not just for direct access to the router?

    The first thing I tried is using a rule via "Access Restrictions", but the excluded IPs there will only work from within the LAN, not from WAN & LAN. Thus my next thought was to create custom IPtables rules.
  5. koitsu

    koitsu Network Guru Member

    Look very, very carefully at all the fields under an entry in Port Forwarding -> Basic. You will find what you need. You might expand the "Notes" section and read those too. If you still need me to point it out, then I will do so, but I think you'll be able to figure it out.
  6. Spooky

    Spooky Serious Server Member

    Oh, lol, silly me.. yeah, I could have just as well only forwarded the port for those specific IPs. :oops:

Share This Page