Hi, I add some rules to /etc/firewall.user to protect dropbear against ssh port scans:
# SSH protection (ipv6) ip6tables -X ssh_scan ip6tables -N ssh_scan ip6tables -A ssh_scan -m recent --name SSH_BLOCK --rsource --update --seconds 1800 --reap -j RETURN ip6tables -A ssh_scan -m recent --name SSH_SCAN --rsource --set ip6tables -A ssh_scan -m recent --name SSH_SCAN --rsource ! --update --seconds 300 --hitcount 6 --reap -j ACCEPT ip6tables -A ssh_scan -m recent --name SSH_BLOCK --rsource --set -j LOG --log-level info --log-prefix "SSH_SCAN blocked: " ip6tables -A input_wan_rule -p tcp --dport 22 -m conntrack --ctstate NEW -j ssh_scan My router gets a ipv6 address and prefix from my provider. IPv6 of the lan interface is set to prefix::1. If I start a port 22 scan from http://www.subnetonline.com/pages/ipv6-network-tools/online-ipv6-port-scanner.php, I get an open port for both ip address's (lan and wan) at the first time. After a few scans, there is no response. In the log files, I see entries with 'SSH_SCAN blocked:' for the wan interface for both ip address's (lan and wan). I was the opinion, only the port scan for the wan ip address is handled by input_wan_rule and the access to the lan address is handled by zone_wan_forward and is blocked immediately. How can I avoid, that port 22 on the lan interface is reachable from the outside world if I add rules for the wan interface? Regards, Hartmut _______________________________________________ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev
