Hello everybody,
I need your wisdom and opinion on this. Thanks in advance and please read on.
I adopted bluesguy's version from Snowman with "prerouting_wan" and "input_wan", so there is no need to use/define the variable $WAN or to call ". /etc/functions.sh".
". /etc/functions.sh" and defining the variables shouldn't be necessary at all according to the wiki - at least for RC9.
Also, the best way to load a module is to add it to "/etc/modules", so there is no need to put an insmod command into your firewall script (keeping it free of non-iptables stuff).
You can easily add the module with the following command:
echo "ipt_recent" >> /etc/modules
And finally I needed SSH to be available on port 443 from outside, because of a restrictive firewall at work.
I wanted to keep port 22 for the LAN, so I had to redirect port 443 from WAN to 22 with "-j DNAT --to :22".
I know that if I wanted port 22 to stay reachable I would have to duplicate all "prerouting_wan" rules, but I want to avoid any unnecessary open ports.
Here's where you come in:
1. As I'm a total newbie to iptables, I don't know if there's a security gap left in my firewall script due to the port redirection?
2. According to the wiki the package "kmod-ipt-extra" is also necessary. Is this still correct for RC9?
Here are my rules for SSH in "/etc/firewall.user":
# IPTables structure of OpenWRT: http://wiki.openwrt.org/OpenWrtDocs/IPTables
# Note: the nat table only sees the first packet of each connection, so the
# "prerouting_wan" rules below fire once per connection attempt; the filter
# "input_wan" rules see the destination port after DNAT (i.e. 22).
# Drop packets from WAN that go directly to port 22
iptables -t nat -A prerouting_wan -p tcp --dport 22 -j DROP
# Accept packets from WAN on port 443 and redirect them to port 22;
# every new connection is also recorded in the "recent" list SSH_ATTACKER
iptables -t nat -A prerouting_wan -p tcp -m state --state NEW --dport 443 -m recent --set --name SSH_ATTACKER --rsource -j DNAT --to :22
# Drop the new connection if the source has already made 3 or more
# attempts within the last 180 seconds (--update also refreshes the entry)
iptables -A input_wan -p tcp -m state --state NEW --dport 22 -m recent --update --seconds 180 --hitcount 3 --name SSH_ATTACKER --rsource -j DROP
# Fallback redirect for port 443 packets not matched above (only a
# connection's first packet traverses nat, so the NEW rule above normally
# already covers it)
iptables -t nat -A prerouting_wan -p tcp --dport 443 -j DNAT --to :22
# Everything else that reaches port 22 (i.e. the redirected 443 traffic) is accepted
iptables -A input_wan -p tcp --dport 22 -j ACCEPT
Kind Regards
Maddes
P.S.:
I have been using X-Wrt/OpenWRT WR 0.9 for just a few days and it is pretty amazing what is possible and how easy it is - except iptables.
(Last edited by maddes.b on 3 Jul 2009, 17:21)
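To see what the four rules in the post do to a burst of SSH attempts from the WAN, here is an added example (a Python model written for this page, not code from the original post, the OpenWRT wiki or the kernel). It walks constructed connection attempts through the nat "prerouting_wan" rules and then the filter "input_wan" rules, modelling the `recent` match the way xt_recent counts hits: a `--set` appends a timestamp for the source, and `--update --seconds 180 --hitcount 3` matches when at least 3 timestamps fall inside the last 180 seconds and, on a match, appends another one. Assumptions: the nat table sees only a connection's first packet, the per-address list holds at most 20 stamps (the ipt_recent `ip_pkt_list_tot` default), and the addresses are made-up documentation-range IPs.

```python
"""Model of how the posted prerouting_wan / input_wan rules treat NEW
SSH connection attempts from the WAN.

Added example for this page, not code from the post or from OpenWRT.
Assumptions (see lead-in): nat sees only the first packet of each
connection, --update records a hit whenever it matches, and each source
keeps at most 20 stamps (ipt_recent ip_pkt_list_tot default).
"""
from collections import defaultdict

WINDOW_SECONDS = 180   # --seconds 180
HITCOUNT = 3           # --hitcount 3
LIST_TOT = 20          # ipt_recent default ip_pkt_list_tot
SSH_PORT = 22          # port sshd listens on (kept for the LAN)
WAN_PORT = 443         # port exposed on the WAN and DNATed to SSH_PORT


class RecentTable:
    """Per-source timestamp list, like /proc/net/ipt_recent/SSH_ATTACKER."""

    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, src, now):
        """--set: record a hit for src, keeping only the newest LIST_TOT."""
        self.stamps[src].append(now)
        del self.stamps[src][:-LIST_TOT]

    def update(self, src, now):
        """--update --seconds W --hitcount N: match if src has at least N
        hits inside the last W seconds; when it matches, record another hit
        (this is what makes --update keep a persistent attacker blocked)."""
        recent = [s for s in self.stamps.get(src, [])
                  if now - s <= WINDOW_SECONDS]
        if len(recent) >= HITCOUNT:
            self.set(src, now)
            return True
        return False


def new_connection(table, now, src, dport):
    """Walk the first packet of a new TCP connection from the WAN through
    the posted rules. Returns (verdict, reason)."""
    # --- nat / prerouting_wan (first packet of the connection only) ---
    if dport == SSH_PORT:
        return "DROP", "nat prerouting_wan: direct port 22 from WAN"
    if dport == WAN_PORT:
        table.set(src, now)          # -m recent --set --name SSH_ATTACKER
        dport = SSH_PORT             # -j DNAT --to :22
    # --- filter / input_wan (sees the DNATed destination port) ---
    if dport == SSH_PORT:
        if table.update(src, now):   # --update --seconds 180 --hitcount 3
            return "DROP", "input_wan: %d+ new connections within %ds" % (
                HITCOUNT, WINDOW_SECONDS)
        return "ACCEPT", "input_wan: ssh allowed"
    return "NO_MATCH", "no input_wan rule for port %d; chain policy decides" % dport


def run(attempts):
    """Apply new_connection() to (time, src, dport) tuples; return verdicts."""
    table = RecentTable()
    return [new_connection(table, t, src, dport)[0] for t, src, dport in attempts]


# Constructed attempts, not captured traffic. 203.0.113.5 retries too fast,
# 198.51.100.9 is a well-behaved client.
ATTEMPTS = [
    (0,   "203.0.113.5",  22),    # straight to 22: dropped in nat, no stamp
    (0,   "203.0.113.5",  443),   # 1st hit within the window
    (5,   "198.51.100.9", 8080),  # no rule at all for this port
    (10,  "203.0.113.5",  443),   # 2nd hit
    (20,  "203.0.113.5",  443),   # 3rd hit within 180 s: dropped
    (20,  "198.51.100.9", 443),   # other source has its own list: accepted
    (150, "203.0.113.5",  443),   # still hammering: --update refreshed the stamps
    (250, "203.0.113.5",  443),   # only 100 s after the last attempt: still dropped
    (700, "203.0.113.5",  443),   # more than 180 s of silence: allowed again
]

if __name__ == "__main__":
    for (t, src, dport), verdict in zip(ATTEMPTS, run(ATTEMPTS)):
        print("t=%3d %-13s dport=%-4d -> %s" % (t, src, dport, verdict))
```

Two things the run makes visible that the rule listing alone does not: a connection aimed straight at port 22 is dropped in nat before it ever touches the SSH_ATTACKER list, and because the filter rule uses `--update` rather than `--rcheck`, each blocked attempt adds a fresh stamp, so a source that keeps retrying stays blocked until it has been quiet for a full 180 seconds (the same applies to a legitimate user who mistypes a password three times in a row). On the router itself the list can be inspected with `cat /proc/net/ipt_recent/SSH_ATTACKER` while testing with `ssh -p 443` from outside.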