
The RediGate uses a Linux operating system, with standard Linux tooling (iptables, etc.) available for firewall configuration.

...

Then add one or more entries in the "Custom IPTABLES" table. In Custom IPTABLES, if a command line is longer than 80 characters, it must be broken into more than one row, with a tilde or backslash (~ or \) character as the line continuation character.

For example, the 3rd and 4th rows in the following table allow access to SSH port 22 on the cellular port (ppp0), but only from the range of client addresses 192.168.0.1 to 192.168.0.200. All other hosts would be blocked on port 22. These last two table rows are a single command joined with the continuation character (backslash).


The 1st and 2nd rows of the table allow ping commands inbound and outbound on any interface.

iptables -A INPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -i ppp0 --dport 22 -j ACCEPT \
 -m iprange --src-range 192.168.0.1-192.168.0.200


Info: Consult the online documentation and/or the man pages for "iptables" to understand how to construct the correct conditional rules for iptables.

...

The tilde (~) indicates a continuation to the next row. The seconds (120) and hitcount (4) values can be adjusted as needed (seconds = lockout time, hitcount = the attempt number at which blocking starts).

# The following lines block SSH attempts after 3 tries, for 2 minutes
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set ~
 --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update ~
 --seconds 120 --hitcount 4 --rttl --name SSH -j DROP
# NOTE: Do NOT add ppp0 (port 22) into Port Management, only do it here
iptables -A INPUT -p tcp -i ppp0 --dport 22 -j ACCEPT


In addition, the Firewall "INPUT Policy" should be set to "Drop All Input Packets," and the "Port Management" section of the Firewall configuration should not include an "ACCEPT Packet" rule for port 22 on the public network.

Instead, the last line (above) in Custom IPTABLES should be used to ACCEPT port 22 over the cellular (ppp0) and/or Ethernet (eth0, eth1, etc.) interface, with one line per interface (one command per line). These lines ACCEPTing port 22 must come after the preceding lines that check whether to block repeated failed SSH login attempts; iptables evaluates rules in order, so an ACCEPT placed first would match before the DROP rule is ever reached. You may combine this example with the previous example to further limit access to port 22 from specific IP address range(s).
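As an added example, not part of the RediGate documentation: a small POSIX shell script that takes a constructed copy of the rows above (the lockout rules combined with the iprange ACCEPT from the earlier example), rebuilds complete commands from rows joined by the ~ or \ continuation character, checks the 80-character row limit, and checks that the recent/DROP rule comes before any ACCEPT for the SSH port. The function names are hypothetical, and the script never calls iptables itself.

```shell
#!/bin/sh
# Constructed copy of the Custom IPTABLES rows above (one table row per line), used as sample input.
CUSTOM_ROWS='# The following lines block SSH attempts after 3 tries, for 2 minutes
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set ~
 --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update ~
 --seconds 120 --hitcount 4 --rttl --name SSH -j DROP
iptables -A INPUT -p tcp -i ppp0 --dport 22 -j ACCEPT \
 -m iprange --src-range 192.168.0.1-192.168.0.200'

# join_rows ROWS: print one complete iptables command per line, joining rows that
# end in the tilde or backslash continuation character and skipping comment rows.
join_rows() {
  printf '%s\n' "$1" | awk '
    BEGIN { acc = "" }
    /^[ \t]*#/ { next }
    {
      line = $0
      sub(/^[ \t]+/, "", line)
      if (line ~ /[~\\][ \t]*$/) {
        sub(/[ \t]*[~\\][ \t]*$/, "", line)
        acc = (acc == "" ? line : acc " " line)
        next
      }
      print (acc == "" ? line : acc " " line)
      acc = ""
    }
    END { if (acc != "") print acc }'
}

# check_row_width ROWS: exit 1 if any raw table row is longer than the 80-character limit.
check_row_width() {
  printf '%s\n' "$1" | awk 'BEGIN { bad = 0 } length($0) > 80 { bad = 1 } END { exit bad }'
}

# check_order ROWS PORT: exit 1 if an ACCEPT for the SSH port appears before the
# recent/DROP rule; iptables evaluates rules in order, so the lockout would never apply.
check_order() {
  join_rows "$1" | awk -v port="$2" 'BEGIN { bad = 0; drop_seen = 0 }
    /-m recent --update/ && /-j DROP/ { drop_seen = 1 }
    $0 ~ ("--dport " port "( |$)") && /-j ACCEPT/ && !drop_seen { bad = 1 }
    END { exit bad }'
}

# Typical use: run all checks, then show the joined commands for review before pasting the rows.
check_row_width "$CUSTOM_ROWS" && check_order "$CUSTOM_ROWS" 22 && join_rows "$CUSTOM_ROWS"
```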

 

Change SSH Port Number

Another step that can be taken to limit unauthorized users from logging in to the RediGate is to change the default SSH port (22) to a different, non-standard port.

The RediGate does not have a configuration property for the SSH port in ACE, but it can be changed from a 'root' level user. Below are the steps to change the SSH port number from 22 to 2222.

Warning: This process may cause you to lose remote TCP connectivity to the RediGate. Make sure that you follow the instructions exactly, including the firewall rule for the new port.

You may want to test this procedure in a lab environment before trying it remotely with a field-installed unit.

  1. Log in to the RediGate with the 'root' account.
  2. Enter the following command, substituting the intended port number instead of "2222":
    P=2222 ; sed -i 's/^[#]*Port[ ]*[0-9]*/Port '$P'/' /etc/sshd_config
  3. Add one or more new temporary firewall rules with the command, using your port number instead of "2222", and using the correct interface in place of "ppp0":
    iptables -A INPUT -p tcp -i ppp0 --dport 2222 -j ACCEPT

    Alternatively, or in addition, you will ultimately need to configure a permanent, proper firewall rule to ACCEPT the new port number using the ACE Firewall object (see above).

  4. Restart sshd with the following command (make sure to include the  &  at the end):
    /etc/init.d/S50sshd restart &

    All existing SSH sessions will be closed. Log back in using the new port number.