RASG
Regular Contributor
Hey all.
I decided to allow only IPs from my country (Brazil) to connect to my RT-AC66U on port 22, since I travel only once a year.
I want to be able to SSH into my router from anywhere in the country, without exposing it to the rest of the world.
So far I have the below script, which works fine on my Ubuntu desktop.
Can someone help me convert it to our routers?
If I missed something during the translation and Google is not of much help, feel free to ask.
Code:
#!/bin/bash
# Script that adds rules to iptables:
# accepts connections from Brazil's IP ranges,
# refuses all the others.
# Currently applied to port 22 (ssh).
#
# last change: RAG 09/01/2015
LOCALNETWORK=(127.0.0.0/8 192.168.0.0/24)
IPCLASSES_NAMES=(ar.zone br.zone)
IPCLASSES_PATH="http://www.ipdeny.com/ipblocks/data/countries"
WORKINGDIR="/tmp"
echo
echo "Starting script IP-block"
echo
# Each allowed range gets its own ACCEPT rule; one DROP appended at the very
# end catches everything else. (One "! -s RANGE ... DROP" rule per range would
# block every source, since any address fails to match at least one range.)
# This iptables version doesn't have -C, so remove the catch-all DROP (-D) now
# and append it again (-A) after the ACCEPT rules, so it always stays last.
iptables -D INPUT -p tcp --dport 22 -j DROP 2>/dev/null
# always allow local network
for RANGE in "${LOCALNETWORK[@]}"; do
    echo "Allowing $RANGE on port 22 (SSH)"
    iptables -D INPUT -s "$RANGE" -p tcp --dport 22 -j ACCEPT 2>/dev/null
    iptables -A INPUT -s "$RANGE" -p tcp --dport 22 -j ACCEPT
done
# external ranges, one zone file per country
for PAIS in "${IPCLASSES_NAMES[@]}"; do
    FILE_REMOTE="$IPCLASSES_PATH/$PAIS"
    FILE_LOCAL="$WORKINGDIR/$PAIS"
    echo "Saving file $PAIS to $WORKINGDIR"
    WGET_OUTPUT=$(wget -N "$FILE_REMOTE" -P "$WORKINGDIR" 2>&1)
    echo "Reading file $FILE_LOCAL"
    # wget -N only rewrites the file when the server copy is newer; the
    # "saved"/"salvando" message (English/Portuguese locale) tells us it did
    if echo "$WGET_OUTPUT" | grep -Ei '(saved|salvando)' >/dev/null 2>&1; then
        echo "File $FILE_LOCAL updated"
        # read -r keeps backslashes; the || part handles a last line without newline.
        # Only lines that look like an IPv4 CIDR are passed to iptables.
        while read -r LINHA || [ -n "$LINHA" ]; do
            case "$LINHA" in
                *[!0-9./]*|"") echo "Skipping unexpected line: $LINHA"; continue ;;
            esac
            echo "Allowing $LINHA on port 22 (SSH)"
            iptables -A INPUT -s "$LINHA" -p tcp --dport 22 -j ACCEPT
        done < "$FILE_LOCAL"
    else
        echo "File $FILE_LOCAL didn't change"
        echo "No new rules will be applied"
    fi
done
# everything not accepted above is dropped
iptables -A INPUT -p tcp --dport 22 -j DROP
echo
echo "Finishing script IP-block"
echo
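A router-side version of the same idea, as an added example that is not part of the original post: POSIX sh so it runs under busybox ash, with the allow rules kept in a dedicated chain. The chain name SSH_GEO, the valid-line filter and the "apply" argument are my assumptions, not anything from the post or the firmware.

```shell
#!/bin/sh
# Router-side version in POSIX sh (busybox ash has no bash arrays). Assumed
# design, not from the post: allow rules live in their own chain, SSH_GEO,
# so every run rebuilds the chain instead of piling rules onto INPUT.
ZONES="br.zone ar.zone"
ZONE_URL="http://www.ipdeny.com/ipblocks/data/countries"
WORKDIR="/tmp"
LOCALNETS="127.0.0.0/8 192.168.0.0/24"

# Pass through only lines shaped like an IPv4 CIDR with sane octets/prefix,
# so an HTML error page or a truncated download never reaches iptables.
valid_cidrs() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' |
        awk -F'[./]' '$1<256 && $2<256 && $3<256 && $4<256 && $5<=32'
}

# Turn networks on stdin into iptables commands on stdout. Emitting text
# instead of running it lets the rule set be reviewed (or tested) first.
cidrs_to_rules() {
    valid_cidrs | while read -r net; do
        echo "iptables -A SSH_GEO -s $net -p tcp --dport 22 -j ACCEPT"
    done
}

# Download each zone to a temp name and only replace the old copy on success,
# so a failed fetch keeps yesterday's list rather than emptying the allowlist.
fetch_zones() {
    for z in $ZONES; do
        wget -q -O "$WORKDIR/$z.new" "$ZONE_URL/$z" &&
            mv "$WORKDIR/$z.new" "$WORKDIR/$z"
    done
}

apply_rules() {
    fetch_zones
    iptables -N SSH_GEO 2>/dev/null   # no-op if the chain already exists
    iptables -F SSH_GEO
    # This iptables has no -C: delete the jump (ignoring "not found"), then
    # insert it once at the top of INPUT.
    iptables -D INPUT -p tcp --dport 22 -j SSH_GEO 2>/dev/null
    iptables -I INPUT -p tcp --dport 22 -j SSH_GEO
    { printf '%s\n' $LOCALNETS; for z in $ZONES; do cat "$WORKDIR/$z"; done; } |
        cidrs_to_rules | sh
    iptables -A SSH_GEO -j DROP       # anything not allowed above
}

# Only touch the firewall when explicitly asked: ./ssh-geo.sh apply
case "${1:-}" in apply) apply_rules ;; esac
```

br.zone runs to thousands of prefixes, so the apply step takes a while on a router; piping `cidrs_to_rules` into a file instead of `sh` lets you inspect the generated rules first.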