Blocking addresses with iptables

In this scenario, the host running sshguard runs iptables, that has to be configured for accepting blocking rules from sshguard.

Adding a blocking chain for sshguard

Let iptables create a new chain in which sshguard will append blocking rules:

# for regular IPv4 support:
iptables -N sshguard
# if you want IPv6 support as well:
ip6tables -N sshguard

Update the INPUT chain to also pass the traffic to the sshguard chain at the very end of its processing. Specify in --dport all the ports of services your sshguard protects. If you want to prevent attackers from doing any traffic to the host, remove the option completely:

# block any traffic from abusers
iptables -A INPUT -j sshguard
ip6tables -A INPUT -j sshguard

        -- or --

# block abusers only for SSH, FTP, POP, IMAP services (use "multiport" module)
iptables -A INPUT -m multiport -p tcp --destination-ports 21,22,110,143 -j sshguard
ip6tables -A INPUT -m multiport -p tcp --destination-ports 21,22,110,143 -j sshguard

Verify that you have NOT a default allow rule passing all ssh traffic higher in the chain. Verify that you have NOT a default deny rule blocking all ssh traffic in your firewall. In either case, you already have the skill to adjust your firewall setup.

Here is a sample ruleset that makes sense:

iptables -N sshguard
# block whatever SSHGuard says be bad ...
iptables -A INPUT -j sshguard
# enable ssh, dns, http, https
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# and block everything else (default deny)
iptables -P INPUT DROP

Making configuration persistent

When rebooting, most systems reset the firewall configuration by default. To preserve your configuration, you usually use the iptables-save and iptables-restore utilities. However, each Linux variant has its own right way:

Latest Releases View all»

  • sshguard 1.5 This is a milestone release, coming after 18 months ...
  • sshguard 1.5 Sshguard monitors services through their logging activity. It reacts ...
  • sshguard 1.5rc4 This release candidate fixes the last known bugs submitted ...

F.A.Q. View all»