> Hi,
> I'm having problems with limiting ssh access to my router, it acts like a
> router and a firewall, and I need only my office IP able to connect to the
> router.
> All my other rules work just fine (FORWARD).. I've probably just got the
> INPUT command messed up..
>
> This is some of my firewall script.
>
> iptables -F
> iptables -X
> iptables -Z
>
> iptables -P INPUT ACCEPT
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD DROP
>
> iptables -A INPUT -i lo -p all -j ACCEPT
> iptables -A OUTPUT -o lo -p all -j ACCEPT

The policy for both chains is already ACCEPT. Why do it again?

> # SSH access router
> iptables -A INPUT -i eth0 -s ! "my office ip" -d "router ip" \
>     -p tcp --dport 22 -j DROP

Try this:

# This drops anything you don't allow.
$IPT -P INPUT DROP

# You want to allow RELATED and ESTABLISHED packets.
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# You want to allow the initial ssh connection (the rest
# is handled by the previous rule).
$IPT -A INPUT -m state --state NEW -i eth0 -s <office_ip> \
    -d <router_ip> -p tcp --dport 22 -j ACCEPT

This should do what you want and is clearer I think.

Gr,
Rob
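To make the difference between the two INPUT chains concrete, here is an added example (not part of the thread and not real iptables code) that models how the INPUT chain is walked: first matching rule wins, and the chain policy decides anything that matched no rule. Both rule sets are fed the same constructed packets; the addresses 203.0.113.10 (office) and 198.51.100.1 (router) are placeholders.

```python
# Minimal model of an iptables INPUT chain: rules are dicts of match
# conditions plus a "target"; the chain policy applies when nothing matches.
OFFICE_IP, ROUTER_IP = "203.0.113.10", "198.51.100.1"  # constructed placeholders

def matches(rule, pkt):
    """True when every condition in `rule` (except 'target') holds for pkt."""
    for key, want in rule.items():
        if key == "target":
            continue
        if key == "not_src":            # models the poster's `-s ! office_ip`
            if pkt["src"] == want:
                return False
        elif key == "states":           # models `-m state --state A,B`
            if pkt["state"] not in want:
                return False
        elif pkt.get(key) != want:      # -s / -d / -p / --dport
            return False
    return True

def walk_chain(rules, policy, pkt):
    """First matching rule decides; otherwise the chain policy does."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["target"]
    return policy

# Original poster's chain: policy ACCEPT plus one DROP for non-office SSH.
ORIGINAL = ([{"not_src": OFFICE_IP, "dst": ROUTER_IP, "proto": "tcp",
              "dport": 22, "target": "DROP"}], "ACCEPT")
# Rob's chain: policy DROP, allow RELATED/ESTABLISHED, allow NEW office SSH.
ROBS = ([{"states": {"RELATED", "ESTABLISHED"}, "target": "ACCEPT"},
         {"states": {"NEW"}, "src": OFFICE_IP, "dst": ROUTER_IP,
          "proto": "tcp", "dport": 22, "target": "ACCEPT"}], "DROP")

# Constructed sample packets arriving on the router.
PACKETS = {
    "office_ssh":   {"src": OFFICE_IP, "dst": ROUTER_IP, "proto": "tcp", "dport": 22, "state": "NEW"},
    "stranger_ssh": {"src": "192.0.2.5", "dst": ROUTER_IP, "proto": "tcp", "dport": 22, "state": "NEW"},
    "stranger_telnet": {"src": "192.0.2.5", "dst": ROUTER_IP, "proto": "tcp", "dport": 23, "state": "NEW"},
    "reply_to_router": {"src": "192.0.2.5", "dst": ROUTER_IP, "proto": "tcp", "dport": 40000, "state": "ESTABLISHED"},
}

def verdicts(chain):
    """Verdict per sample packet for a (rules, policy) chain."""
    rules, policy = chain
    return {name: walk_chain(rules, policy, pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for name, chain in (("original", ORIGINAL), ("robs", ROBS)):
        print(name, verdicts(chain))
```

Under the original chain only port 22 is filtered and the ACCEPT policy lets every other new connection through, while Rob's chain admits only established traffic and new SSH from the office.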