[NCLUG] iptables ssh protection, but with Linksys WRT54G DD-WRT?

Benson Chow blc+nclug at q.dyndns.org
Wed Apr 12 17:50:26 MDT 2006


DD-WRT is yet another open source WRT54G Linux distribution.  Instead of 
simply adding on to Linksys firmware, which seems to be the OpenWRT model, 
it improves and changes wherever is needed and still retains full 
open source to the public.  One of the biggest things I like in dd-wrt is 
that it runs dropbear, a small ssh server/client.  Their project is at 
http://www.dd-wrt.org.

Anyway, unfortunately I have to run on the well-known server port 22, as 
the internet connection firewall that I mainly connect from prohibits 
connections opened on anything but 22, 80, and 443.  So I have to resort 
to limiting exposure.  As suggested last night and on 
debian-administration, I used the following iptables commands, where 
$inf is the interface:

iptables -I INPUT -p tcp --dport 22 -i $inf -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i $inf -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

Both commands go through with no error on my little wrt54g, and I didn't see 
any warnings or errors in the logs.  However, when I tried connecting to 
it, it wouldn't reject the packets even if I spammed the port.

I've tried $inf all of (eth0 eth1 eth2 vlan0 vlan1 imq0 br0) to no avail. 
The exact commands work fine on my full-sized 2.6.15 box, unlike this 
little box.

The thing I haven't tried is my LAN setup; I have a pretty crappy layout. 
Not sure if there are multiple pathways for a packet to get through if 
one way comes to a dead end?

On Wed, 12 Apr 2006, siegfried wrote:

> Benson: what is ddwrt2? Is that different than openwrt? I'd love to know
> exactly what commands you are trying and the results.

-bc

(Yes, someday, I'll need to segment my LAN better...maybe even do two drop 
cable pulls...)
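An added, stand-alone version of this setup (not the post's commands and not DD-WRT's own firewall script) that makes the two things the post cannot see visible: whether the kernel actually has the recent match, and whether the two rules landed in INPUT in the intended order. The WAN interface name (default eth0), the list name sshlimit, the optional TRUSTED network and an nc on the client side are assumptions for the example. Compared with the two posted commands it also passes established sessions and a trusted network before the limiter, and it inserts at explicit positions, so the result does not depend on remembering that two -I calls reverse the order.

```shell
#!/bin/sh
# Added example, not code from the post or from DD-WRT. Assumptions:
# WAN interface defaults to eth0, the recent list is named "sshlimit",
# TRUSTED is an optional CIDR that is never rate-limited, and the client
# side has an nc that understands -z and -w.

WAN_IF="${WAN_IF:-eth0}"          # assumed; e.g. WAN_IF=vlan1 ./ssh-limit.sh apply
TRUSTED="${TRUSTED:-}"            # assumed optional, e.g. 192.168.1.0/24
LIST="sshlimit"                   # assumed name; the posted rules use the default list
IPTABLES="${IPTABLES:-iptables}"  # IPTABLES=echo gives a dry run

# Does this kernel have the recent match at all? 2.4 and early 2.6 call the
# module ipt_recent, later kernels xt_recent; the proc directory appears
# once it is loaded. Returns non-zero if neither can be loaded.
recent_match_available() {
    if [ -d /proc/net/xt_recent ] || [ -d /proc/net/ipt_recent ]; then
        return 0
    fi
    modprobe xt_recent 2>/dev/null || modprobe ipt_recent 2>/dev/null
}

# The INPUT rules, one per line, in the order they must be evaluated:
# established sessions and the trusted net first, then the check that
# drops a source already recorded --hitcount times within --seconds, then
# the --set that records the new source, then the plain ACCEPT.
ssh_ratelimit_rules() {
    m="-i $WAN_IF -p tcp --dport 22"
    echo "$m -m state --state ESTABLISHED,RELATED -j ACCEPT"
    [ -n "$TRUSTED" ] && echo "$m -s $TRUSTED -j ACCEPT"
    echo "$m -m state --state NEW -m recent --name $LIST --update --seconds 60 --hitcount 4 -j DROP"
    echo "$m -m state --state NEW -m recent --name $LIST --set"
    echo "$m -m state --state NEW -j ACCEPT"
}

# Insert at explicit positions 1..N so the rules sit ahead of whatever the
# firmware already put in INPUT; a plain -A would land behind an existing
# ACCEPT for port 22 and never see a packet.
ssh_ratelimit_apply() {
    n=1
    ssh_ratelimit_rules | while read -r rule; do
        # shellcheck disable=SC2086  # splitting $rule into arguments is intended
        $IPTABLES -I INPUT "$n" $rule || exit 1
        n=$((n + 1))
    done
}

# Read "iptables -S INPUT" (or iptables-save output, same -A format) on
# stdin and confirm the check/DROP rule for our list precedes its --set
# rule. Reversed, the source is recorded before it is checked, which shifts
# how many attempts get through; with --set missing the DROP never fires.
ssh_ratelimit_order_ok() {
    awk -v list="$LIST" '
        $0 ~ "--name " list && /--update/ && /-j DROP/ { chk = NR }
        $0 ~ "--name " list && /--set/                 { rec = NR }
        END { exit !(chk && rec && chk < rec) }'
}

# Per-rule packet counters (are the rules seeing any traffic?) and the
# sources currently recorded in the list with their timestamps.
ssh_ratelimit_show() {
    $IPTABLES -nvL INPUT --line-numbers | grep -E '^num|dpt:22'
    cat "/proc/net/xt_recent/$LIST" "/proc/net/ipt_recent/$LIST" 2>/dev/null
}

# Client side: open N new connections in a row and report which ones got
# no answer within 3 s, i.e. which ones the limiter dropped.
ssh_ratelimit_probe() {
    host=$1; count=${2:-6}; i=1
    while [ "$i" -le "$count" ]; do
        if nc -z -w 3 "$host" 22 2>/dev/null; then r=open; else r="no answer"; fi
        echo "attempt $i: $r"
        i=$((i + 1))
    done
}

case "${1:-}" in
    apply) recent_match_available || { echo "no recent match in this kernel" >&2; exit 1; }
           ssh_ratelimit_apply ;;
    check) { $IPTABLES -S INPUT 2>/dev/null || iptables-save; } | ssh_ratelimit_order_ok \
               && echo "rule order ok" || echo "rule order wrong or rules missing"
           ssh_ratelimit_show ;;
    *)     ( IPTABLES=echo; ssh_ratelimit_apply ) ;;   # dry run: print the calls
esac
```

Run it with no argument for a dry run (it only prints the iptables calls), with `apply` to install, and with `check` to confirm the ordering and see the counters. If a rule's packet counter in `iptables -nvL` stays at zero while you hammer the port, the rule is not matching at all, and the first suspect is the `-i` interface, so drop `-i` while testing rather than cycling through interface names. Note also that `--update` adds a timestamp on every hit that matches, so a source that keeps connecting stays blocked for as long as it keeps trying; `--rcheck` would instead let the block expire 60 seconds after the last recorded attempt.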


