
Restrict sshd access with dns names

Discussion in 'Tomato Firmware' started by testpil0t, Jan 11, 2010.

  1. testpil0t

    testpil0t Addicted to LI Member

    Hello! I would like to allow only certain IPs to connect to my sshd, the remote site has a dynamic IP and the admin access section isn't accepting DNS names. Would it be possible to create an iptables rule with the DNS name, or at least a variable that points to an IP? I would update the variable with a second script every x hours! Could you tell me what such an iptables rule would look like?
  2. gawd0wns

    gawd0wns LI Guru Member

  3. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    The option discussed in that thread to provide a DNS name in the GUI for this field is something I added to my builds, but it is not in the stock Tomato. That thread does show what the resulting IPTABLES look like, though.

    You could put:
    iptables -t nat -A PREROUTING -s <DNS name here> -d `nvram get wan_ipaddr` -p tcp --dport `nvram get sshd_rport` -j DNAT --to-destination `nvram get lan_ipaddr`:`nvram get sshd_port`
    That would be the equivalent of putting a DNS name in the GUI field (if it accepted it). The problem with that (as the thread gawd0wns mentioned points out), is that the DNS name is only resolved whenever the firewall is (re)started. However, you can add a job to restart the firewall periodically to force it to re-resolve the DNS name.
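    The periodic re-resolve SgtPepperKSU describes, written out as a cron-driven script (an added example, not code from the thread or from Tomato): it resolves the DNS name, checks that the answer is really an IPv4 address before it goes anywhere near an iptables command line, and rebuilds only a dedicated chain holding the DNAT rule from the post above when the address has actually changed. Busybox sh, nslookup, awk, logger and iptables are assumed to exist on the router; the chain name SSHD_DYN, the state file under /tmp and the cru invocation are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the thread: keep the sshd DNAT rule from the post
# above in step with a dynamic DNS name. Run it from cron every few hours;
# the router-specific values are read from nvram at run time.
# Assumed: busybox sh, nslookup, awk, logger and iptables on the router.
# The chain name SSHD_DYN and the state file path are this example's choices.

CHAIN=SSHD_DYN
STATE=/tmp/sshd_dyn.ip   # IP the current rule was built for

# Accept only a plain dotted-quad IPv4 address. The resolver's answer ends
# up on an iptables command line, so anything else is rejected outright.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(IFS=.; echo $1)          # split into octets
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Resolve a name to its first IPv4 address. Busybox nslookup prints the
# server's own address first and the answer after a "Name:" line, so only
# "Address" lines after "Name:" are considered (output format assumed).
resolve_ipv4() {
    nslookup "$1" 2>/dev/null | awk '
        /^Name:/ { answer = 1 }
        answer && /^Address/ {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { print $i; exit }
        }'
}

# Print the iptables commands for one allowed source address: flush our
# chain, then add SgtPepperKSU's DNAT rule with the resolved IP as -s.
# Keeping the rule in its own chain means only that chain is rebuilt,
# not the whole firewall.
build_rules() {   # $1 allowed source, $2 wan ip, $3 remote port, $4 lan ip, $5 sshd port
    printf 'iptables -t nat -F %s\n' "$CHAIN"
    printf 'iptables -t nat -A %s -s %s -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$CHAIN" "$1" "$2" "$3" "$4" "$5"
}

# Create the chain and hook it into PREROUTING once (idempotent).
ensure_chain() {
    iptables -t nat -N "$CHAIN" 2>/dev/null || true
    iptables -t nat -L PREROUTING -n | grep -q "^$CHAIN " \
        || iptables -t nat -I PREROUTING -j "$CHAIN"
}

# True (0) when the resolved IP differs from the one recorded in the state
# file, or when there is no state yet.
ip_changed() {   # $1 new ip, $2 state file
    [ -f "$2" ] && [ "$(cat "$2")" = "$1" ] && return 1
    return 0
}

update() {   # $1 dns name of the remote site
    ip=$(resolve_ipv4 "$1")
    if ! valid_ipv4 "$ip"; then
        # A failed or odd lookup leaves the previous rule in place rather
        # than replacing it with nothing; it is logged so it shows up.
        logger -t sshd_dyn "cannot resolve $1, keeping current rule"
        return 1
    fi
    if ip_changed "$ip" "$STATE"; then
        ensure_chain
        build_rules "$ip" "$(nvram get wan_ipaddr)" "$(nvram get sshd_rport)" \
                    "$(nvram get lan_ipaddr)" "$(nvram get sshd_port)" | sh -e
        echo "$ip" > "$STATE"
        logger -t sshd_dyn "sshd DNAT now allows $1 ($ip)"
    fi
}

# Runs only when invoked as: sshd_dyn.sh update remote.example.net
# e.g. every two hours via Tomato's cru (syntax assumed):
#   cru a sshd_dyn "0 */2 * * * /jffs/sshd_dyn.sh update remote.example.net"
case "${1:-}" in
    update) update "$2" ;;
esac
```

    The rule `build_rules` emits is the one from the post above with the resolved address substituted for `<DNS name here>`; the state file keeps the chain from being flushed and refilled every run when the address has not moved, and a lookup that returns nothing usable is logged and skipped instead of being turned into an empty chain.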
  4. testpil0t

    testpil0t Addicted to LI Member

    Thanks for your reply! Don't I need one more iptables rule to block everything, plus the one mentioned above to allow only this IP? If I put a static IP into the box in admin access, and apply the rule via shell, I can't connect from the remote site!

    Edit: The Log shows me that the firewall is dropping the connection!
