[LEDE-DEV] firewall/ip6tables problem

e9hack e9hack at gmail.com
Sun Feb 26 04:12:03 PST 2017


the same issue does occur, if I open a port by a rule in /etc/config/firewall:

config rule
	option name 'Allow SSH Inbound'
	option src 'wan'
	option proto 'tcp'
	option dest_port '22'
	option target 'ACCEPT'
	option family 'ipv6'

Port 22 is open, if I execute port scan from outside to the lan ipv6 address.


Am 26.02.2017 um 11:08 schrieb e9hack:
> Hi,
> I add some rules to /etc/firewall.user to protect dropbear against ssh port scans:
> # SSH protection (ipv6)
> ip6tables -X ssh_scan
> ip6tables -N ssh_scan
> ip6tables -A ssh_scan -m recent --name SSH_BLOCK --rsource --update --seconds 1800 --reap -j RETURN
> ip6tables -A ssh_scan -m recent --name SSH_SCAN  --rsource --set
> ip6tables -A ssh_scan -m recent --name SSH_SCAN  --rsource ! --update --seconds 300 --hitcount 6 --reap  -j ACCEPT
> ip6tables -A ssh_scan -m recent --name SSH_BLOCK --rsource --set -j LOG --log-level info --log-prefix "SSH_SCAN blocked: "
> ip6tables -A input_wan_rule -p tcp --dport 22 -m conntrack --ctstate NEW -j ssh_scan
> My router gets a ipv6 address and prefix from my provider. IPv6 of the lan interface is set to prefix::1. If I start a
> port 22 scan from http://www.subnetonline.com/pages/ipv6-network-tools/online-ipv6-port-scanner.php, I get an open port
> for both ip address's (lan and wan) at the first time. After a few scans, there is no response. In the log files, I see
> entries with 'SSH_SCAN blocked:' for the wan interface for both ip address's (lan and wan). I was the opinion, only the
> port scan for the wan ip address is handled by input_wan_rule and the access to the lan address is handled by
> zone_wan_forward and is blocked immediately.
> How can I avoid, that port 22 on the lan interface is reachable from the outside world if I add rules for the wan interface?
> Regards,
> Hartmut

More information about the Lede-dev mailing list