Hi,
I'm running OpenWrt on my WRT1900AC router.
I already have SSH access over WAN to my router. I'm trying to limit the IPs that can SSH to the router.
I've tried adding several iptables rules, but I can't seem to block SSH access.
Currently, /etc/config/firewall has the following rule that enables SSH over WAN in the first place:
---------------------------------------------------
config rule
option target 'ACCEPT'
option src 'wan'
option proto 'tcp udp'
option dest_port '22'
option name 'ssh'
---------------------------------------------------
Now I've added the following rules in the custom firewall rules, where x.x.x.0 is the external range I want to allow for SSH access over WAN. eth1 is my WAN port on the router:
---------------------------------------------------
# allow SSH from the trusted range (the --state match needs the state module loaded with -m state)
iptables -A INPUT -p tcp -i eth1 --dport 22 -s x.x.x.0/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# drop SSH from every other WAN source
iptables -A INPUT -p tcp -i eth1 --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j DROP
---------------------------------------------------
However, even with that rule I can SSH from a WAN IP to the router. It's worth mentioning that I do have a port forwarding rule on the router that routes port 22 from WAN to the router itself. I see that that rule itself allows access from an external IP. Could that rule be overwriting my iptables rule?
Any help, please?
(Last edited by alirz on 27 Aug 2015, 23:26)
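For reference, the same source restriction expressed in OpenWrt's own /etc/config/firewall syntax, as an added example and not the poster's configuration: it assumes the trusted range x.x.x.0/24 from the post, a wan zone that keeps the default input policy of REJECT, and a placeholder router LAN address for the redirect.

```uci
# Replaces the wide-open 'ssh' rule: TCP 22 from WAN is accepted only when
# the source address is inside the trusted range. Anything else from WAN
# to port 22 is left to the wan zone's default input policy (REJECT).
config rule
	option name 'ssh-trusted'
	option src 'wan'
	# placeholder: substitute the real allowed range
	option src_ip 'x.x.x.0/24'
	# SSH is TCP only; 'tcp udp' from the original rule is wider than needed
	option proto 'tcp'
	option dest_port '22'
	option target 'ACCEPT'

# The existing port-22 redirect gets the same src_ip restriction, so that
# it cannot admit traffic the rule above would have refused.
config redirect
	option name 'ssh-redirect-trusted'
	option src 'wan'
	option src_ip 'x.x.x.0/24'
	option src_dport '22'
	option proto 'tcp'
	option dest 'lan'
	# placeholder: the router's own LAN address
	option dest_ip '192.168.1.1'
	option dest_port '22'
	option target 'DNAT'
```

Rules added with `iptables -A INPUT` in the custom firewall rules file are appended after the zone jumps fw3 has already installed, so a packet accepted by the generated WAN rules never reaches them; restricting the UCI rule and redirect themselves, then running `/etc/init.d/firewall restart`, avoids that ordering problem.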