IPtable rules for SSH and OPENVPN


shooter40sw

Senior Member
Hi guys, I'm not very skilled with iptables, but I have the SSH and OpenVPN services running, and I know the IP address that I'm connecting from, so I don't need the whole world trying to hack me... I have an SSH server with certificate, no password allowed, but I would like to firewall it anyway. I read something about enabling the jffs partition; is this mandatory? What happens if I implement the rules without this? I imagine if I reboot the router I will lose them. Can anybody tell me how the CLI would look to permit on the firewall only access to the specific ports for OpenVPN and SSH from one or multiple IPs?

Thanks
 
This can be done. Here is a way to set up the iptables rules for a specific IP address.


Here are the rules to allow SSH/VPN access from a specific IP, where "xxx.xxx.xxx.xxx" is the source and "yyy.yyy.yyy.yyy" is the WAN interface of the router. "PPP" is the protocol, TCP/UDP. I used port 22 as it is the default for SSH. "OOO" is the port that you assign for the VPN. Default TCP for OpenVPN is 443 and UDP is 53.

Code:
iptables -I INPUT -i eth0 -s xxx.xxx.xxx.xxx -d yyy.yyy.yyy.yyy -p PPP --dport 22 -j ACCEPT

Here is the rule to allow VPN access from a specific IP to connect to a server that you are hosting.

Code:
iptables -I INPUT -i eth0 -s xxx.xxx.xxx.xxx -d yyy.yyy.yyy.yyy -p PPP --dport OOO -j ACCEPT

The jffs partition is necessary with Merlin if you want the settings to survive a reboot. It is easy to set up. If you don't feel comfortable using jffs, then Optware on a USB stick works well too.

Let me know if this works for your setup. I may have missed something and if I have let me know.
 

Awesome, so will this block address XXX.XXX.XXX.XXX?

iptables -I INPUT -i eth0 -s XXX.XXX.XXX.XXX -d `nvram get wan0_ipaddr` -p tcp --dport 22 -j DROP
 
Awesome, so will this block address XXX.XXX.XXX.XXX?

iptables -I INPUT -i eth0 -s XXX.XXX.XXX.XXX -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -p tcp --dport 22 -j DROP

Yes, that will drop IP xxx.xxx.xxx.xxx. If you want to block that IP on all ports then you don't need anything extra. Simply:

Code:
iptables -I INPUT -i eth0 -s xxx.xxx.xxx.xxx -j DROP

The firewall shouldn't allow packets to be forwarded to the local LAN with the previous commands that I gave. There is another chain in iptables called FORWARD that allows (or blocks) packets traversing different networks, so if you wanted to exclusively block access to the LAN you would have to do the following (zzz is the IP of the LAN):
Code:
iptables -I FORWARD -i eth0 -o br0 -s xxx.xxx.xxx.xxx -d zzz.zzz.zzz.zzz/24 -p PPP --dport 22 -j DROP
 

So I added this rule

iptables -I INPUT -s 121.28.72.197 -j DROP

which should drop that IP address, but that didn't work.

I also have a NAT rule set up for SSH, so does that mean that I need to add the above rule to the nat table instead?
 
The INPUT table controls what connects with your router. The FORWARD table controls what connects to PCs on your network.
 

I found this link

http://www.frozentux.net/iptables-tutorial/chunkyhtml/c962.html

which has the state machine diagram. Since I have NAT rules set up, it seems I have to add them to the nat table.

I added this command to nat-start:

iptables -t nat -I PREROUTING -s 121.28.72.197 -j DROP

Since I am forwarding SSH requests to a particular machine on the network, the nat rules will finish processing the request and it will never get to the INPUT table.

nat PREROUTING seems to always be called after the mangle tables. At least that's how I read it.
 

Both locations should work. I prefer to use the FORWARD table because this way I ensure the rule will only be applied to devices on my LAN, while entries in the PREROUTING chain will be applied to any packet received from WAN, regardless of whether it's destined to your router or your LAN.
 

Okay that makes more sense, thanks.
 

Thanks! But I tried to do this and it did not work. I can see the iptables entry with iptables -L; I place the IP address of the source with the -s option, and with -d I place my ISP IP address, but when I go to GRC.com to test my IP it fails: the port for OpenVPN stays open. I'm using OpenVPN on the router. I must be missing something; what else can I do? My SSH and OpenVPN server is the router, that's what I'm looking to restrict access to. Thanks
 
I tried this but it does not work; it does appear in the iptables -L output:
ACCEPT tcp -- 190.xxx.xxx.xxx 190-xxx-xxx-xxx.dyn.dsl.xxxx.net tcp dpt:webcache
SSH and OpenVPN are on the router. When I go to GRC to probe the port for OpenVPN it says it's open, and it should be closed to them. Thanks
 
vdemarco,

Merlin said:

The INPUT table controls what connects with your router. The FORWARD table controls what connects to PCs on your network.

This is correct. I apologize for leading you in the wrong direction. The INPUT table rules would apply if you are connecting to the router itself. I was under the impression that this was the case. I was wrong to say that this should not allow access to your local LAN, as it does.
 
shooter40sw,

Are you connecting directly to the Internet with the Asus router, or are you going through another router? If you have port forwarding set up on the ISP router then GRC will show that the port is open, but once it hits the Asus router it will be blocked. I am trying to understand what you are doing with this rule.
Code:
ACCEPT tcp -- 190.xxx.xxx.xxx 190-xxx-xxx-xxx.dyn.dsl.xxxx.net tcp dpt:webcache

Do you want to allow SSH/VPN only from a specific IP? Your dport in the previous command is webcache, port 2048. Is there a reason for this? Also, if I am not mistaken, webcache is UDP not TCP. Try changing the "--dport" option to the port number of the services that you are running (TCP 22 for SSH, for example) and post the results. There should be an implicit deny rule also at the end of the INPUT chain. Can you post the output of this command?

Code:
iptables -L INPUT -v

Make sure to hide private info like IP, etc.
 

This is the output. My setup is as follows:
I have my ISP ADSL modem and I connect the Asus router's WAN port to it.

I have SSH and OpenVPN enabled on the router as services; I don't forward anything to other machines. I use them to browse securely on untrusted networks. I want to be able to reach the router from just one public IP at this time; I want these services to work only from a fixed IP that I know and to block any other IPs. I tested a moment ago with SSH and it worked like I wanted, but not with OpenVPN.

With SSH I turned off the switch in the GUI of the router so it can't be reached from the WAN, and then applied the following:

iptables -I INPUT -i eth0 -s xxx.xxx.xxx.xxx -p TCP --dport PPP -j ACCEPT

This worked because GRC ShieldsUP! could not reach the SSH port but the IP that I placed did work; I can't do the same with OpenVPN, I just start the service and it's open to all. I want to do the same as with SSH.
Thanks for the help


o@RT-N66U:/tmp/home/root# iptables -L INPUT -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
228 11574 DROP all -- any any anywhere anywhere state INVALID
12299 1601K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
14 3476 ACCEPT all -- lo any anywhere anywhere state NEW
6661 747K ACCEPT all -- br0 any anywhere anywhere state NEW
0 0 ACCEPT udp -- any any anywhere anywhere udp spt:bootps dpt:bootpc
570 280K DROP all -- any any anywhere anywhere
 
shooter40sw,

If you want to allow VPN access to your router from your WAN then add this to the INPUT chain. Let's say that you are using TCP port 2000 and the IP address that you want to allow is 75.65.1.1:

Code:
iptables -I INPUT -i eth0 -s 75.65.1.1 -p tcp --dport 2000 -j ACCEPT

Make sure that you are using the right protocol (TCP/UDP) and port number. You may also need to add some FORWARD rules depending on what you are trying to do.
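The INPUT rules in this thread, together with Merlin's point earlier that INPUT decides what reaches the router itself while FORWARD (after nat PREROUTING) decides what reaches LAN hosts, as one added example. This is not code from the thread or from Asuswrt-Merlin: it is a firewall-start style script that goes a step beyond the single ACCEPT rules above by pairing each ACCEPT with a DROP for the same port, so that the service is closed to everyone except the trusted source even when the firmware has already added its own ACCEPT for that port (which is what leaves OpenVPN open to the world after an ACCEPT alone). The addresses 203.0.113.10 and 192.168.1.50, the OpenVPN port 1194, the interface names eth0 and br0, and the assumption that Merlin passes the WAN interface name as the script's first argument are all mine, not the thread's.

```shell
#!/bin/sh
# Added example, not code from this thread or from Asuswrt-Merlin. Intended as
# /jffs/scripts/firewall-start: restrict services answered by the router itself
# (SSH, the OpenVPN server) and a port-forwarded service on a LAN host to one
# trusted source address. All addresses, ports and interface names below are
# constructed placeholders; replace them with your own.

IPT="${IPT:-iptables}"                      # set IPT=echo for a dry run
WAN_IF="${WAN_IF:-eth0}"                    # WAN interface (placeholder)
LAN_IF="${LAN_IF:-br0}"                     # LAN bridge (placeholder)
TRUSTED_SRC="${TRUSTED_SRC:-203.0.113.10}"  # trusted public IP (placeholder, TEST-NET-3)

# restrict_router_service PROTO PORT SRC
# A service that the router itself answers is decided in the INPUT chain.
# "-I" puts each new rule at the top of the chain, so insert the DROP first
# and the ACCEPT second: the ACCEPT then sits above the DROP, and both sit
# above any ACCEPT the firmware added when the service was started. An ACCEPT
# on its own never closes anything, which is why the port stayed open.
restrict_router_service() {
    proto="$1"; port="$2"; src="$3"
    $IPT -I INPUT -i "$WAN_IF" -p "$proto" --dport "$port" -j DROP
    $IPT -I INPUT -i "$WAN_IF" -s "$src" -p "$proto" --dport "$port" -j ACCEPT
}

# restrict_forwarded_service PROTO PORT SRC LAN_HOST
# Traffic that a port-forward (DNAT) sends to a LAN host never reaches INPUT;
# after the nat PREROUTING chain it is decided in FORWARD, so filter it there.
# PORT is the port on the LAN host (i.e. after DNAT). Matching on -o "$LAN_IF"
# and the LAN host keeps this rule away from traffic meant for the router,
# unlike a DROP placed in PREROUTING, which would hit both.
restrict_forwarded_service() {
    proto="$1"; port="$2"; src="$3"; host="$4"
    $IPT -I FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$host" -p "$proto" --dport "$port" -j DROP
    $IPT -I FORWARD -i "$WAN_IF" -o "$LAN_IF" -s "$src" -d "$host" -p "$proto" --dport "$port" -j ACCEPT
}

# apply_rules WAN_IF: the whole policy for this router (three placeholder services).
apply_rules() {
    WAN_IF="$1"
    restrict_router_service    tcp 22   "$TRUSTED_SRC"                # SSH on the router
    restrict_router_service    udp 1194 "$TRUSTED_SRC"                # OpenVPN server on the router (placeholder port)
    restrict_forwarded_service tcp 22   "$TRUSTED_SRC" 192.168.1.50   # SSH forwarded to a LAN host (placeholder)
}

# Merlin runs firewall-start with the WAN interface name as $1 (assumed here).
# Without an argument nothing is applied, so the functions can be sourced or
# dry-run without touching the live firewall.
if [ -n "${1:-}" ]; then
    apply_rules "$1"
fi
```

Running `IPT=echo sh /jffs/scripts/firewall-start eth0` prints the six rules instead of applying them; after a real run, `iptables -S INPUT` or `iptables -L INPUT -v --line-numbers` should show the ACCEPT directly above the DROP and both above the firmware's own rules (the ones in the `iptables -L INPUT -v` output earlier in the thread). If restarting the OpenVPN server puts its own ACCEPT back on top, the script has to be run again after the restart.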
 
I have tried this for SSH, but it doesn't work:

iptables -I INPUT -i eth0 -s X.X.X.X -p tcp --dport 22 -j ACCEPT

SSH is enabled with the LAN Only setting; however, I want to allow only a specific IP to access SSH, but this rule doesn't work.
 
