Using the firewall (iptables) to block SSH attempts from WAN

  • Hi,


    I've spent the evening on this but I now admit defeat.


    I am finding it very difficult to get ssh locked down so that connections can only be made from my lan. I've tried hosts.deny/allow, ssh_config and now iptables and I've still not got a result.


    I like the idea of using iptables as I can then extend that to other protocols to lock those down also.


    So what I've done is flush my iptables:


    Code
    iptables -F


    Then I've put in the rules to accept traffic from the lan address pool for ssh (1234 changed for my actual port):


    Code
    iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 1234 -m state --state NEW,ESTABLISHED -j ACCEPT


    Accept outbound ssh traffic:


    Code
    iptables -A OUTPUT -o eth0 -p tcp --dport 1234 -m state --state ESTABLISHED -j ACCEPT


    Drop ssh traffic attempts for everyone else:


    Code
    iptables -A INPUT -p tcp --dport 1234 -j DROP


    Now this freezes my shell, despite being connected on a lan address. Having read around I found the following command prevents my shell from freezing, but as soon as I end the session and try to reconnect I'm locked out:


    Code
    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT


    From what I can tell all that does above is accept any connections that are already established (not very useful to me).


    Can anyone lend a hand with this?
    Would be greatly appreciated.
    Thanks

  • Some more information could help:
    - is your WLAN another adapter in your NAS box?
    - does your WLAN have a specific address range?


    You mention OpenVPN. Is your NAS the server? Client? Routed/bridged setup? ... etc ...

  • Hey!


    Nothing is wireless. I have a MicroServer n40l with omv 4 and that sits on my lan under the usual 192.168.0.0 network. It is an OpenVPN server and all client traffic goes through it. I'm trying to secure my set up by locking down all the ports unless the incoming packets are from a local network.


    So.. 10.8.0.0 (OpenVPN) addresses
    and 192.168.0.0 other local clients.


    I want to connect to the box externally but only via the OpenVPN client. I've followed a few guides where people are achieving a similar thing but omv deals with iptables in a slightly different way to other debian builds. I've tried webmin but that's a bit too advanced for me at the moment. Think I'll uninstall that and see if anyone has any ideas on here.
    Thanks


    Edit: Also of note, when I use the cli to insert my iptables rules they all get lost when I reboot the server.
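A consolidated ruleset for what the two posts above describe, added here as an example and not taken from the thread: the conntrack ACCEPT goes first so reply packets are allowed (the outbound half of an SSH session never matched the OUTPUT --dport rule, because server replies carry the port as source, not destination), new SSH connections are accepted only from the LAN and the OpenVPN subnet, and everything else to that port is dropped. The /24 masks on the two subnets named in the thread, port 1234, and the rules-file path are assumptions; loading the file with iptables-restore means the same file can be reloaded at boot instead of the rules being lost.

```shell
#!/bin/sh
# Assumed values from the thread: LAN 192.168.0.0, OpenVPN 10.8.0.0 (masks
# assumed /24), SSH listening on 1234. Adjust to the real network.
LAN_NET="192.168.0.0/24"
VPN_NET="10.8.0.0/24"
SSH_PORT="1234"

# Emit an iptables-restore ruleset. Rule order inside INPUT is the point:
# the conntrack rule must come before the DROP, or live sessions freeze.
gen_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# 1. Packets belonging to connections already accepted (covers the return
#    traffic of any SSH session, so no OUTPUT --dport rule is needed).
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 2. New SSH connections only from the LAN and from the VPN tunnel.
-A INPUT -p tcp --dport ${SSH_PORT} -s ${LAN_NET} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport ${SSH_PORT} -s ${VPN_NET} -m conntrack --ctstate NEW -j ACCEPT
# 3. Everyone else trying the SSH port: drop. Must stay after the ACCEPTs.
-A INPUT -p tcp --dport ${SSH_PORT} -j DROP
COMMIT
EOF
}

# Sanity check: number of rules that mention the SSH port (expect 3).
count_ssh_rules() {
    gen_rules | grep -c -- "--dport ${SSH_PORT}"
}

# Line number of the first rule matching a pattern, for checking ordering.
rule_line() {
    gen_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Save the ruleset and load it atomically. Re-running this from a boot-time
# hook (the file path is a convention chosen here, not something OMV defines)
# restores the rules after a reboot.
apply_rules() {
    rules_file="${1:-/etc/iptables/rules.v4}"
    gen_rules > "$rules_file"
    iptables-restore < "$rules_file"
}
```

Only apply_rules touches the firewall; gen_rules can be run on its own to review the ruleset before loading it.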

  • I don't get it. You are not using your OMV as a router and did not mention that you have 2 nics to even try this. Your OMV is on a router, with a firewall, and you would have to port forward from the router to give access to OMV via WAN. So what gives? If you don't port forward port 22 there is nothing to worry about. The only port you need to forward is port 1194 UDP and leave other ports closed on your firewall router. Explain yourself.


    Also, you can use hosts allow and hosts deny to control which pcs have access to ssh. You could narrow it to say 2 machines only if you want, or just the machines you use.

  • I didn't realise the modem/router had a firewall, colour me stupid but I haven't got a networking degree so go easy. Forums are also a place to learn and without knowing everything it's difficult to explain fully.


    Thanks for the info, looks like I was already protected then as long as I don't forward port 22 on the router.

  • If you give the make and model of your router someone can most likely help you. A lot of ISPs give you a device today that has the modem/router/switch/firewall all combined in one unit. They all have a web interface and you need to know how to access it.
