External SSH access from certain IP ranges only

Discussion in 'Tomato Firmware' started by back0rifice, Oct 12, 2009.

  1. back0rifice

    back0rifice Network Guru Member


    Due to an increasing amount of brute force login attempts by a*holes mainly sitting in China, Korea and so on... and the fact that this is flooding my logs I want to set up iptables so that SSH from external is only allowed from certain IP ranges and the rest is getting blocked.

    I think this should be fairly simple but my knowledge is limited... ;)

    Instead of trial & error and finally locking myself out I'm asking here for advice... :)

    I'm thinking of adding something like this to the Scripts/Firewall section in Tomato:

    iptables -A wanin -p tcp --dport 22 -m iprange --src-range <myrange> -j ACCEPT
    iptables -A wanin -p tcp --dport 22 -j DROP

    I know that newer versions of Tomato support configuring this via the GUI but for pretty obvious reasons (see other thread *g*) I'm using 1.23.

    TIA for your help! :)
  2. mstombs

    mstombs Network Guru Member

    The ability to do this via the Gui has been there "forever", well it was there in 1.07 at least:-

    Remote Web/SSH Admin Restriction
    Allowed IP Address (optional; ex: "", "" or " -")

  3. gawd0wns

    gawd0wns Network Guru Member

    Setting your SSH server to run on a non-standard external port, and/or running your SSH server with public key authentication could be a solution for you, unless you know the exact IP ranges you will be accessing from...

    Also, if you have dyndns on your client, be aware that when you set the access restriction, the firewall will resolve your IP address at the time you set your restriction. If the client IP address changes, it will not be allowed to log in to the router, unless your firewall is restarted, and the client IP is resolved again and saved... Something I learned a while ago :)
  4. back0rifice

    back0rifice Network Guru Member

    The problem is that I can't specify multiple ranges! Whereas this used to work fine with 1.25 and later, it doesn't seem to work with 1.23.

    e.g.: "," results in an error!
  5. back0rifice

    back0rifice Network Guru Member

    I'm using PK authentication but can't change the default port, unfortunately.

    Yes, I do have a dynamic IP. Can't I apply these rules to the WAN interface instead of the public IP address?
  6. back0rifice

    back0rifice Network Guru Member

    I implemented it as follows and it seems to do the trick:

    iptables -I INPUT -p tcp --dport 22 -j DROP
    iptables -I INPUT -p tcp --dport 22 -m iprange --src-range ... -j ACCEPT
    iptables -I INPUT -p tcp --dport 22 -s ... -j ACCEPT
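    As an added example (not code from this thread), a small POSIX sh script that generates the rules from the last post for any number of sources, in the order that makes -I work: the DROP is inserted first, so every ACCEPT inserted afterwards lands above it. A dash-separated source becomes an iprange match, anything else is passed to -s. The IPT, CHAIN and PORT variables and the 203.0.113.0/24 and 198.51.100.x addresses are my own constructed placeholders; only literal addresses are accepted, because a hostname would be resolved once at load time, as noted above.

```shell
#!/bin/sh
# Added example, not from the thread. Emits iptables commands that allow SSH
# (tcp/PORT) only from the given sources and drop it from everywhere else.
# Each rule is inserted at the top of the chain with -I, so the DROP must go
# in first; the ACCEPT rules then end up above it and are matched first.
IPT="${IPT:-iptables}"     # assumption: iptables binary name
CHAIN="${CHAIN:-INPUT}"    # chain used in the last post of the thread
PORT="${PORT:-22}"         # SSH port; the poster cannot change it

# Print the commands in the order they must be executed (dry run, no side effects).
ssh_restrict_rules() {
    echo "$IPT -I $CHAIN -p tcp --dport $PORT -j DROP"
    for src in "$@"; do
        case "$src" in
            *[!0-9./-]*) echo "refusing non-numeric source: $src" >&2; return 1 ;;
            *-*) echo "$IPT -I $CHAIN -p tcp --dport $PORT -m iprange --src-range $src -j ACCEPT" ;;
            *)   echo "$IPT -I $CHAIN -p tcp --dport $PORT -s $src -j ACCEPT" ;;
        esac
    done
}

# Number of ACCEPT rules that would be emitted; zero means SSH would be fully cut off.
ssh_restrict_count() {
    ssh_restrict_rules "$@" | grep -c ACCEPT
}

# Constructed sample sources (TEST-NET addresses); replace with your own.
[ $# -eq 0 ] && set -- 203.0.113.0/24 198.51.100.10-198.51.100.20

# Only execute when APPLY=1, and never with an empty allow list (that locks you out).
if [ "${APPLY:-0}" = 1 ]; then
    [ "$(ssh_restrict_count "$@")" -gt 0 ] || { echo "no sources given, not applying" >&2; exit 1; }
    ssh_restrict_rules "$@" | sh
else
    ssh_restrict_rules "$@"
fi
```

Pasted into Tomato's Scripts > Firewall section with APPLY=1 and your real ranges, the rules are re-created on every firewall restart, exactly as the last post does by hand.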