Tony0945 Watchman
Joined: 25 Jul 2006 Posts: 5127 Location: Illinois, USA
Posted: Sun Jul 19, 2015 11:48 pm Post subject: How to block some ssh traffic, but not all [SOLVED]
I have some non-computers on my LAN, two Samsung Smart TVs, a Samsung Galaxy S5 smart phone and an Amazon Firestick, along with my wife's Windows 7 laptop and five Gentoo desktops. I am concerned about security from the non-computers, especially with news reports of Samsung Smart TVs spying on viewers (http://www.bbc.com/news/technology-31296188).
I used to control ssh access with /etc/hosts.allow and /etc/hosts.deny, but OpenSSH doesn't support that anymore. It would appear that I need an iptables firewall, but, honestly, my eyes glaze over when reading the documentation and Wiki How-Tos. I emerged fwbuilder, thinking that might be an easy way, but it isn't and the documentation links don't work.
I block external access to port 22 with my router, but that doesn't help with devices on the LAN. All the router settings seem to control incoming and outgoing connections between the WAN and the LAN, but nothing internal to the LAN (D-Link DIR-655).
Isn't there a simple way, like hosts.allow/hosts.deny to block internal ssh traffic for only some ip addresses?
Last edited by Tony0945 on Mon Jul 20, 2015 4:22 pm; edited 1 time in total
Hu Moderator
Joined: 06 Mar 2007 Posts: 21633
Posted: Mon Jul 20, 2015 12:46 am Post subject:
iptables -A INPUT -p tcp --dport 22 -s blacklist-address -j DROP
Buffoon Veteran
Joined: 17 Jun 2015 Posts: 1369 Location: EU or US
Posted: Mon Jul 20, 2015 12:48 am Post subject:
You lost me, why are you trying to block SSH? If you do not want your spying devices to call home deny all traffic from them to the outside world.
_________________
Life is a tragedy for those who feel and a comedy for those who think.
Tony0945 Watchman
Joined: 25 Jul 2006 Posts: 5127 Location: Illinois, USA
Posted: Mon Jul 20, 2015 1:00 am Post subject:
Buffoon wrote: You lost me, why are you trying to block SSH? If you do not want your spying devices to call home deny all traffic from them to the outside world.
If I do that they cannot retrieve video from the internet. But I don't want some bot trying to crack the passwords. I don't care if they talk to the outside world, just the inside world.
Have you ever read those license agreements? You are giving them carte blanche over your network. Better that they not even see other devices.
Hu's solution looks good. I'll try it. In fact, I'll check the man page and see if I can block all ports.
Buffoon Veteran
Joined: 17 Jun 2015 Posts: 1369 Location: EU or US
Posted: Mon Jul 20, 2015 1:26 am Post subject:
I still do not see what SSH has to do with it. Those devices are trying to harvest file listings from your network shares. Well, create a different subnet for them and let them call home if you think it is OK. I personally deny them all internet access (they are not plugged in, can't beat that!) and use MythTV and Kodi to play content from net. There are very affordable devices that allow you to play HD content from net using FOSS - you are in complete control.
_________________
Life is a tragedy for those who feel and a comedy for those who think.
Tony0945 Watchman
Joined: 25 Jul 2006 Posts: 5127 Location: Illinois, USA
Posted: Mon Jul 20, 2015 4:22 pm Post subject:
Hu wrote: iptables -A INPUT -p tcp --dport 22 -s blacklist-address -j DROP
This works!
Quote:
X3 ~ # iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- 192.168.0.190 anywhere tcp dpt:ssh
DROP tcp -- 192.168.0.191 anywhere tcp dpt:ssh
DROP tcp -- 192.168.0.192 anywhere tcp dpt:ssh
DROP tcp -- 192.168.0.193 anywhere tcp dpt:ssh
DROP tcp -- 192.168.0.194 anywhere tcp dpt:ssh
DROP tcp -- 192.168.0.195 anywhere tcp dpt:ssh
DROP tcp -- 192.168.0.196 anywhere tcp dpt:ssh
DROP tcp -- 192.168.0.197 anywhere tcp dpt:ssh
DROP tcp -- 192.168.0.198 anywhere tcp dpt:ssh
DROP tcp -- 192.168.0.199 anywhere tcp dpt:ssh
First I had to research why iptables was complaining about the kernel. This link explained how to set it up https://wiki.gentoo.org/wiki/Iptables#Kernel
Many many thanks, Hu.
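A script form of Hu's one-liner, as an added example that is not from the thread: it puts DROP rules for the ten addresses in the poster's iptables -L output into their own chain, hooks that chain in at the top of INPUT, and checks with -C before adding, so it can be re-run after a reboot without stacking duplicate rules. The chain name LAN_SSH_DENY and the APPLY switch are this example's own assumptions; with APPLY unset it only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the thread): the per-host SSH DROP rules the poster
# ended up with, rebuilt in a dedicated chain and made idempotent.
# Assumptions: iptables on PATH and root privileges when APPLY=1. By default
# (APPLY=0) the script only prints the commands it would run.
APPLY=${APPLY:-0}
SSH_PORT=22            # port being protected, as in the thread
CHAIN=LAN_SSH_DENY     # hypothetical chain name, chosen for this example

# Execute a command, or print it when not applying.
run() {
    if [ "$APPLY" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Create the chain once and hook it in at position 1 of INPUT, so the DROPs
# are evaluated before the chain's default ACCEPT policy or any later ACCEPT.
setup_chain() {
    if [ "$APPLY" != 1 ] || ! iptables -n -L "$CHAIN" >/dev/null 2>&1; then
        run iptables -N "$CHAIN"
    fi
    if [ "$APPLY" != 1 ] || ! iptables -C INPUT -p tcp --dport "$SSH_PORT" -j "$CHAIN" 2>/dev/null; then
        run iptables -I INPUT 1 -p tcp --dport "$SSH_PORT" -j "$CHAIN"
    fi
}

# One DROP per source address; -C skips rules that already exist, so running
# the script again never adds a second copy of the same rule.
block_hosts() {
    for addr in "$@"; do
        if [ "$APPLY" != 1 ] || ! iptables -C "$CHAIN" -s "$addr" -j DROP 2>/dev/null; then
            run iptables -A "$CHAIN" -s "$addr" -j DROP
        fi
    done
}

# Expand a last-octet range into one address per line: lan_range 192.168.0 190 199
lan_range() {
    i=$2
    while [ "$i" -le "$3" ]; do printf '%s.%s\n' "$1" "$i"; i=$((i + 1)); done
}

# Constructed input: the ten untrusted LAN hosts from the thread's iptables -L
# output (192.168.0.190 through .199).
main() {
    setup_chain
    block_hosts $(lan_range 192.168.0 190 199)
}
main
```

If the TVs and phone get their addresses from the router's DHCP, the rules only keep matching those devices while the router hands them the same leases, so reserve fixed leases for them.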