Menu
What's new
By:
Filters Better Search

IPtable rules for SSH and OPENVPN

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

shooter40sw

shooter40sw

Senior Member
Hi guys, Im not very skilled on iptables, but I got the ssh and openvpn services but I know the IP address that Im connecting from, so I dond need the whole world trying to hack me..., I got SSH server with certificate no password allowed. but I would like to firewall it anyway, I read something about enable the jffs partition, is this mandatory? what happens if I implement the rules without this? I imagine if I boot the router I will lose them. Can anybody tell me hoy would the cli look like to permit on the firewall only access to the specific ports for openvpn and ssh from one or multiple IPs?

Thanks
 
This can be done. Here is a way to setup the iptables from a specific ip address.


Here are the rules to allow SSH/VPN access from a specific IP where "xxx.xxx.xxx.xxx" is the source and "yyy.yyy.yyy.yyy" is the wan interface of the router. "PPP" is the protocol TCP/UDP. I used port 22 as it is the default for SSH. "OOO" is the port that you assign for the VPN. Default TCP for openvpn is 443 and UDP is 53.

Code: 
iptables -I INPUT -i eth0 -s xxx.xxx.xxx.xxx -d yyy.yyy.yyy.yyy -p PPP --dport 22 -j ACCEPT

Here is the rule to allow VPN access from a specific IP to connect to a server that you are hosting.

Code: 
iptables -I INPUT -i eth0 -s xxx.xxx.xxx.xxx -d yyy.yyy.yyy.yyy -p PPP --dport OO -j ACCEPT

The jffs is necessary with merlin if you want to have the setting survive reboot. It is easy to setup. If you don't feel comfortable using jffs then optware on a usb stick works good too.

Let me know if this works for your setup. I may have missed something and if I have let me know.
 
jobongo said:
This can be done. Here is a way to setup the iptables from a specific ip address.


Here are the rules to allow SSH/VPN access from a specific IP where "xxx.xxx.xxx.xxx" is the source and "yyy.yyy.yyy.yyy" is the wan interface of the router. "PPP" is the protocol TCP/UDP. I used port 22 as it is the default for SSH. "OOO" is the port that you assign for the VPN. Default TCP for openvpn is 443 and UDP is 53.

Code: 
iptables -I INPUT -i eth0 -s xxx.xxx.xxx.xxx -d yyy.yyy.yyy.yyy -p PPP --dport 22 -j ACCEPT

Here is the rule to allow VPN access from a specific IP to connect to a server that you are hosting.

Code: 
iptables -I INPUT -i eth0 -s xxx.xxx.xxx.xxx -d yyy.yyy.yyy.yyy -p PPP --dport OO -j ACCEPT

The jffs is necessary with merlin if you want to have the setting survive reboot. It is easy to setup. If you don't feel comfortable using jffs then optware on a usb stick works good too.

Let me know if this works for your setup. I may have missed something and if I have let me know.
Click to expand...

Awsome so will this block address XXX.XXX.XXX.XXX

iptables -I INPUT -i eth0 -s XXX.XXX.XXX.XXX -d `nvram get wan0_ipaddr` --dport 22 -j DROP
 
Last edited:
Awsome so will this block address XXX.XXX.XXX.XXX

iptables -I INPUT -i eth0 -s XXX.XXX.XXX.XXX -d `nvram get lan_ipaddr`/`nvram get lan_netmask` --dport 22 -j DROP
Click to expand...

yes that will drop IP xxx.xxx.xxx.xxx. If you want to block that IP on all ports then you don't need anything extra. Simply:

Code: 
iptables -I INPUT -i eth0 -s xxx.xxx.xxx.xxx -j DROP

The firewall shouldn't allow packets to be forwarded to the local LAN with the previous commands that I gave. There is another chain for that in the iptables called FORWARD that allows(or blocks) packets to traverse different networks so if you wanted to exclusively block access to the lan then you would have to do the following (zzz is the ip of the lan):
Code: 
iptables -I FORWARD -i eth0 -o br0 -s xxx.xxx.xxx.xxx -d zzz.zzz.zzz.zzz/24 -p PPP --dport 22 -j DROP
 
Last edited:
jobongo said:
yes that will drop IP xxx.xxx.xxx.xxx. If you want to block that IP on all ports then you don't need anything extra. Simply:

Code: 
iptables -I INPUT -i eth0 -s xxx.xxx.xxx.xxx -j DROP

The firewall shouldn't allow packets to be forwarded to the local LAN with the previous commands that I gave. There is another chain for that in the iptables called FORWARD that allows(or blocks) packets to traverse different networks so if you wanted to exclusively block access to the lan then you would have to do the following (zzz is the ip of the lan):
Code: 
iptables -I FORWARD -i eth0 -o br0 -s xxx.xxx.xxx.xxx -d zzz.zzz.zzz.zzz/24 -p PPP --dport 22 -j DROP
Click to expand...

So i added this rule


iptables -I INPUT -s 121.28.72.197 -j DROP


which should drop that ip address, that didn't work.

I also have a nat set up for ssh, so does that mean that i need to add the above rule to the nat table instead??
 
The INPUT table controls what connects with your router. The FORWARD table controls what connects to PCs on your network.
 
RMerlin said:
The INPUT table controls what connects with your router. The FORWARD table controls what connects to PCs on your network.
Click to expand...

I found this link

http://www.frozentux.net/iptables-tutorial/chunkyhtml/c962.html

which has the state machine diagram. Since i have nat rules set up, seems i have to add them to the nat table.

i added this command to the nat-start

iptables -t nat -I PREROUTING -s 121.28.72.197 -j DROP

since i am forwarding ssh requests to a particular machine on the network, the nat rules will finish processing the request and will never get to the INPUT table.

nat PREROUTING seems that its always called after the mangle tables. At least thats how i read it.
 
Last edited:
vdemarco said:
I found this link

http://www.frozentux.net/iptables-tutorial/chunkyhtml/c962.html

which has the state machine diagram. Since i have nat rules set up, seems i have to add them to the nat table.

i added this command to the nat-start

iptables -t nat -I PREROUTING -s 121.28.72.197 -j DROP

since i am forwarding ssh requests to a particular machine on the network, the nat rules will finish processing the request and will never get to the INPUT table.

nat PREROUTING seems that its always called after the mangle tables. At least thats how i read it.
Click to expand...

Both locations should work. I prefer to use the FORWARD table because this way I ensure the rule will only be applied to devices on my LAN, while entries in the PREROUTING chain will be applied to any packet received from WAN, regardless of whether it's destined to your router or your LAN.
 
RMerlin said:
Both locations should work. I prefer to use the FORWARD table because this way I ensure the rule will only be applied to devices on my LAN, while entries in the PREROUTING chain will be applied to any packet received from WAN, regardless of whether it's destined to your router or your LAN.
Click to expand...

Okay that makes more sense, thanks.
 
jobongo said:
This can be done. Here is a way to setup the iptables from a specific ip address.


Here are the rules to allow SSH/VPN access from a specific IP where "xxx.xxx.xxx.xxx" is the source and "yyy.yyy.yyy.yyy" is the wan interface of the router. "PPP" is the protocol TCP/UDP. I used port 22 as it is the default for SSH. "OOO" is the port that you assign for the VPN. Default TCP for openvpn is 443 and UDP is 53.

Code: 
iptables -I INPUT -i eth0 -s xxx.xxx.xxx.xxx -d yyy.yyy.yyy.yyy -p PPP --dport 22 -j ACCEPT

Here is the rule to allow VPN access from a specific IP to connect to a server that you are hosting.

Code: 
iptables -I INPUT -i eth0 -s xxx.xxx.xxx.xxx -d yyy.yyy.yyy.yyy -p PPP --dport OO -j ACCEPT

The jffs is necessary with merlin if you want to have the setting survive reboot. It is easy to setup. If you don't feel comfortable using jffs then optware on a usb stick works good too.

Let me know if this works for your setup. I may have missed something and if I have let me know.
Click to expand...

Thanks!, but I tried to do this and it did not work, I can see the IPtables entrie with the iptables -L I place the IP address of the source with the -s command, and the -d I place my ISP IP address, but when I go to GRC.com to test my IP it fails the port for openvpn stays open, Im using openvpn on the router. I must be missing something what else can I do? My SSH and OPENVPN server is the Router, that's what I'm looking to restrict access, thanks
 
Last edited:
I'm tried this but it does not work, it does appear in the iptables -L command:
ACCEPT tcp -- 190.xxx.xxx.xxx 190-xxx-xxx-xxx.dyn.dsl.xxxx.net tcp dpt:webcache
SSH and Openvpn are on the router, when I go to GRC to probe the port for open vpn it says its open, and it should be closed to them. Thanks
 
vdemarco,

Merlin Said:

The INPUT table controls what connects with your router. The FORWARD table controls what connects to PCs on your network.
Click to expand...

This is correct. I apologize for leading you in the wrong direction. The INPUT table rules would apply if you are connecting the router itself. I was under the impression that this was the case. I was wrong to say that this should not allow access to your local lan as it does.
 
shooter40sw,

Are you connecting directly to the Internet with the Asus router or are you going through another router. If you have port forwarding setup on the ISP Router then GRC will show that the port is open but once it hits the ASUS router it will be blocked. I am trying to understand what you are doing with this rule.
Code: 
ACCEPT tcp -- 190.xxx.xxx.xxx 190-xxx-xxx-xxx.dyn.dsl.xxxx.net tcp dpt:webcache

Do you want allow SSH/VPN only from a specific IP? Your dport in the previous command is webcache, port 2048. Is there a reason for this? Also, if I am not mistaken webcache is UDP not TCP. Try change the "--dport" command with the port number of the services that you are running (TCP 22 for SSH for example) and post results. There should be an implicit deny rule also at the end of the INPUT chain. Can you post the output of this command

Code: 
iptables -L INPUT -v

Make sure to hide private info like IP, etc.
 
jobongo said:
shooter40sw,

Are you connecting directly to the Internet with the Asus router or are you going through another router. If you have port forwarding setup on the ISP Router then GRC will show that the port is open but once it hits the ASUS router it will be blocked. I am trying to understand what you are doing with this rule.
Code: 
ACCEPT tcp -- 190.xxx.xxx.xxx 190-xxx-xxx-xxx.dyn.dsl.xxxx.net tcp dpt:webcache

Do you want allow SSH/VPN only from a specific IP? Your dport in the previous command is webcache, port 2048. Is there a reason for this? Also, if I am not mistaken webcache is UDP not TCP. Try change the "--dport" command with the port number of the services that you are running (TCP 22 for SSH for example) and post results. There should be an implicit deny rule also at the end of the INPUT chain. Can you post the output of this command

Code: 
iptables -L INPUT -v

Make sure to hide private info like IP, etc.
Click to expand...

This is the output, my setup is like follows,
I have my ISP ADSL Modem and I connect to the Asus router to the WAN

I have enabled SSH and Openvpn enabled on the router as services I dont forward anything to other machines I use them to browse securely on untrusted networks, I want to be able to reach the router just by one public IP at this time, I want these services just to work on a fixed IP that I know and block any other IPs. I tested a moment ago with SSH and it worked like I wanted but not with openvpn

With SSH I turned off the switch in the GUI of the router so It cant be reached from the WAN and then applied the following

iptables -I INPUT -i eth0 -s xxx.xxx.xxx.xxx -p TCP --dport PPP -j ACCEPT

This worked because the GRC shields up could not reach the SSH por but the IP that I placed did work, but cant do the same with the openvpn I just start the service and its open to all, I want to to do the same as SSH
Thanks for the help


o@RT-N66U:/tmp/home/root# iptables -L INPUT -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
228 11574 DROP all -- any any anywhere anywhere state INVALID
12299 1601K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
14 3476 ACCEPT all -- lo any anywhere anywhere state NEW
6661 747K ACCEPT all -- br0 any anywhere anywhere state NEW
0 0 ACCEPT udp -- any any anywhere anywhere udp spt:bootps dpt:bootpc
570 280K DROP all -- any any anywhere anywhere
 
shooter40sw,

If you want to allow the VPN access to your router from your wan then add this to the INPUT chain . Let's say that you are using TCP port 2000 and the IP address that you want to allow is 75.65.1.1:

Code: 
iptables -I INPUT -i eth0 -s 75.65.1.1 -p tcp --dport 2000 -j ACCEPT

Make sure that you are using the right protocol (TCP/UDP) and port number. You may also need to add some FORWARD rules depending on what you are trying to do.
 
I have tried this for SSH, but it doesn't work

iptables -I INPUT -i eth0 -s X.X.X.X -p tcp --dport 22 -j ACCEPT

SSH is enabled with LAN Only settings, however I want to allow only specific IP to access SSH, but this rule doesn't work
 
You must log in or register to reply here.

Similar threads

S
Need SSH-customizable security-oriented router with strong firmware, drivers, and kernel support
Replies
11
Views
675
SDF07S
S
I
One OpenVPN server and two clients with certificates
Replies
0
Views
846
Igor
I
A
Starting OpenVPN with TAP Client seems to crash RT-AX86U
2
Replies
22
Views
3K
sojomy
S
JemTheWire
OpenVPN on pfSense v2.6.0. **** Solved ****
Replies
1
Views
1K
JemTheWire
JemTheWire
C
Firewall Rules - Block all connections except VPN
Replies
8
Views
4K
Tech9
Tech9
Similar threads
Thread starter Title Forum Replies Date
U IPtable entries not saving? Asuswrt-Merlin 9
D Proper VPN Policy Rules Asuswrt-Merlin 2
D Rules wrong Asuswrt-Merlin 11
K Toggle VPN Director rules for WireGuard via SSH Asuswrt-Merlin 2
M Advance firewall rules Asuswrt-Merlin 5
L Wireguard with vpn director rules disable hardware acceleration? Asuswrt-Merlin 15
A PS5 port forwarding and VPN rules Asuswrt-Merlin 4
devhell How I can dynamically manage VPN director rules list by CLI Asuswrt-Merlin 0
C VPN Policy rules director Asuswrt-Merlin 1
mixels Possible to configure RT-AX86U w/ Merlin with more than 64 port forwarding rules? Asuswrt-Merlin 9

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 760 (members: 16, guests: 744)
Top