OpenWrt Forum Archive

Topic: Block ssh access using IP tables

The content of this topic has been archived on 26 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

hi,
I'm running OpenWrt on my WRT1900AC router.

I already have SSH access over WAN to my router. I'm trying to limit the IPs that can SSH to the router.

I've tried adding several iptables rules but I can't seem to block SSH access.

Currently /etc/config/firewall has the following rule that enables SSH over WAN in the first place:
---------------------------------------------------
config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp udp'
        option dest_port '22'
        option name 'ssh'
---------------------------------------------------

Now I've added the following rules in the custom firewall rules, where x.x.x.0 is the external IP range I want to allow for SSH access over WAN. eth1 is my WAN port on the router:

-------------------------------------------------------------------------------------------------------------------------------------------
iptables -A INPUT -p tcp -i eth1 --dport 22 -s x.x.x.0/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -i eth1 --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j DROP
-------------------------------------------------------------------------------------------------------------------------------------------

However, even with that rule I can SSH from a WAN IP to the router. It's worth mentioning that I do have a port forwarding rule on the router that forwards port 22 from WAN to the router itself. I see that that rule itself allows access from external IPs. Could that rule be overwriting my iptables rule?

Any help please?

(Last edited by alirz on 27 Aug 2015, 23:26)

Firewall rules are traversed top-down and traversal stops when one matches. Do the math :)
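As an added illustration of the reply above (example code written for this archive page, not posted by either participant), the following POSIX shell script models a chain as an ordered list of "source-prefix:VERDICT" rules and returns the verdict of the first rule that matches, which is how netfilter walks a chain. It flattens OpenWrt's zone sub-chains into one list and uses dotted-quad prefix matching in place of a real CIDR test; the addresses are constructed from RFC 5737 documentation ranges and stand in for the poster's x.x.x.0/24. It shows why rules appended with `iptables -A` behind the router's own "accept port 22 from wan" rule never fire, and why the same pair placed first (`iptables -I INPUT 1 ...`) does.

```shell
#!/bin/sh
# Added example, not from the thread: a small model of netfilter chain traversal.
# A chain is a space-separated list of "srcprefix:VERDICT" rules; "any" matches every
# source. The first rule whose prefix matches the packet's source IP decides, exactly
# as the reply says: top-down, stop at the first match. Prefix matching on the dotted
# quad stands in for a real CIDR test and is a simplification of this model.

verdict() {            # usage: verdict "CHAIN" SRC_IP  -> prints ACCEPT/DROP/POLICY
    chain=$1
    ip=$2
    for rule in $chain; do
        prefix=${rule%%:*}
        action=${rule#*:}
        if [ "$prefix" = any ] || [ "${ip#"$prefix"}" != "$ip" ]; then
            echo "$action"
            return 0
        fi
    done
    echo POLICY        # fell off the end: the chain policy applies
}

# The router's own "ssh over WAN" rule accepts port 22 from any source and sits near
# the top of the chain. "iptables -A" appends after it, so the allow/deny pair is
# never consulted for a port-22 packet:
APPENDED="any:ACCEPT 203.0.113.:ACCEPT any:DROP"

# "iptables -I INPUT 1" (or putting the pair in a chain evaluated earlier) places the
# site-specific rules first, so only 203.0.113.0/24 reaches ACCEPT:
INSERTED="203.0.113.:ACCEPT any:DROP any:ACCEPT"

# Constructed addresses (RFC 5737 documentation ranges), standing in for x.x.x.0/24.
ALLOWED=203.0.113.5
OTHER=198.51.100.7

# Demonstration: print the verdict each ordering gives each source.
demo() {
    for chain_name in APPENDED INSERTED; do
        eval "chain=\$$chain_name"
        for src in $ALLOWED $OTHER; do
            printf '%-9s %-14s -> %s\n' "$chain_name" "$src" "$(verdict "$chain" "$src")"
        done
    done
}

demo
```

Running it prints ACCEPT for both sources under the appended ordering and DROP for the outside address only under the inserted one. On OpenWrt itself the tidier fix needs no custom iptables lines at all: add `option src_ip 'x.x.x.0/24'` to the existing `config rule` stanza for SSH, so the generated accept rule is already limited to that range and nothing later in the chain has to undo it.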

The discussion might have continued from here.