[LEDE-DEV] firewall/ip6tables problem

e9hack e9hack at gmail.com
Sun Feb 26 02:08:44 PST 2017


Hi,

I added some rules to /etc/firewall.user to protect dropbear against ssh port scans:

# SSH protection (ipv6)
# Flush and delete any previous chain so the script can be re-run, then recreate it.
ip6tables -F ssh_scan 2>/dev/null
ip6tables -X ssh_scan 2>/dev/null
ip6tables -N ssh_scan

# 1. Source already on SSH_BLOCK and seen within the last 1800 s: refresh its stamp and RETURN (not accepted).
ip6tables -A ssh_scan -m recent --name SSH_BLOCK --rsource --update --seconds 1800 --reap -j RETURN
# 2. Record this connection attempt on SSH_SCAN.
ip6tables -A ssh_scan -m recent --name SSH_SCAN --rsource --set
# 3. Fewer than 6 attempts from this source within 300 s: ACCEPT.
ip6tables -A ssh_scan -m recent --name SSH_SCAN --rsource ! --update --seconds 300 --hitcount 6 --reap -j ACCEPT
# 4. Otherwise add the source to SSH_BLOCK and log it; LOG is non-terminating, so the packet returns to input_wan_rule.
ip6tables -A ssh_scan -m recent --name SSH_BLOCK --rsource --set -j LOG --log-level info --log-prefix "SSH_SCAN blocked: "
# Send every NEW tcp/22 connection entering through the wan zone to the chain.
ip6tables -A input_wan_rule -p tcp --dport 22 -m conntrack --ctstate NEW -j ssh_scan

My router gets an IPv6 address and prefix from my provider. The IPv6 address of the lan interface is set to prefix::1. If I
start a port 22 scan from http://www.subnetonline.com/pages/ipv6-network-tools/online-ipv6-port-scanner.php, I get an open
port for both IP addresses (lan and wan) the first time. After a few scans, there is no response. In the log files, I see
entries with 'SSH_SCAN blocked:' for the wan interface for both IP addresses (lan and wan). I was of the opinion that only
the port scan for the wan IP address is handled by input_wan_rule and that access to the lan address is handled by
zone_wan_forward and is blocked immediately.

How can I avoid port 22 on the lan interface being reachable from the outside world if I add rules for the wan interface?

Regards,
Hartmut
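To make the behaviour of the posted ssh_scan chain concrete, here is an added Python model (not code from the post or from LEDE) of the two `recent` lists it uses, keyed on source address only as the `--rsource` rules are. The timestamps and addresses are constructed, and the model assumes a simplification: the `! --update` hitcount rule does not add a second stamp of its own.

```python
from collections import defaultdict

# Constructed model of the posted ssh_scan chain. Each "recent" list maps a
# source address to its hit timestamps (--rsource); the --seconds windows and
# --hitcount threshold are the values from the rules in the post.
BLOCK_SECONDS = 1800   # SSH_BLOCK: --update --seconds 1800
SCAN_SECONDS = 300     # SSH_SCAN:  --seconds 300
HITCOUNT = 6           # SSH_SCAN:  --hitcount 6


class RecentList:
    """Per-source timestamp list; every lookup reaps stamps outside the window (--reap)."""
    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, src, now):                 # --set: record one hit
        self.stamps[src].append(now)

    def hits(self, src, now, seconds):       # --rcheck/--update --seconds N --reap
        self.stamps[src] = [t for t in self.stamps[src] if now - t <= seconds]
        return len(self.stamps[src])


class SshScanChain:
    def __init__(self):
        self.block = RecentList()   # SSH_BLOCK
        self.scan = RecentList()    # SSH_SCAN
        self.log = []

    def new_connection(self, src, now):
        """Verdict for one NEW tcp/22 packet from src: 'ACCEPT' or 'RETURN'."""
        # Rule 1: offender seen within 1800 s -> refresh the stamp and RETURN
        # without accepting; every retry extends the block window.
        if self.block.hits(src, now, BLOCK_SECONDS):
            self.block.set(src, now)
            return "RETURN"
        self.scan.set(src, now)                       # Rule 2: count this attempt
        # Rule 3: fewer than 6 attempts in 300 s -> ACCEPT.
        # (Assumed simplification: no extra stamp from --update on this rule.)
        if self.scan.hits(src, now, SCAN_SECONDS) < HITCOUNT:
            return "ACCEPT"
        # Rule 4: add to SSH_BLOCK and log; LOG does not terminate, so the
        # packet returns to input_wan_rule for the rest of the zone chain.
        self.block.set(src, now)
        self.log.append(f"SSH_SCAN blocked: src={src} t={now}")
        return "RETURN"


def run(events):
    """Apply a constructed sequence of (time_s, src) attempts; return the verdicts."""
    chain = SshScanChain()
    return [chain.new_connection(src, t) for t, src in events]
```

Note that the destination address never enters the decision; the chain only sees which source is knocking and how often.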


