# How to block some ssh traffic, but not all  [SOLVED]

## Tony0945

I have some non-computers on my LAN, two Samsung Smart TVs, a Samsung Galaxy S5 smart phone and an Amazon Firestick, along with my wife's Windows 7 laptop and five Gentoo desktops. I am concerned about security from the non-computers, especially with news reports of Samsung Smart TVs spying on viewers (http://www.bbc.com/news/technology-31296188).

I used to control ssh access with /etc/hosts.allow and /etc/hosts.deny, but OpenSSH doesn't support that anymore. It would appear that I need an iptables firewall, but, honestly, my eyes glaze over when reading the documentation and wiki How-Tos. I emerged fwbuilder, thinking that might be an easy way, but it isn't and the documentation links don't work.

I block external access to port 22 with my router, but that doesn't help with devices on the LAN. All the router settings seem to control incoming and outgoing connections between the WAN and the LAN, but nothing internal to the LAN (D-Link DIR-655).

Isn't there a simple way, like hosts.allow/hosts.deny, to block internal ssh traffic for only some IP addresses?

Last edited by Tony0945 on Mon Jul 20, 2015 4:22 pm; edited 1 time in total

----------

## Hu

iptables -A INPUT -p tcp --dport 22 -s blacklist-address -j DROP

----------

## Buffoon

You lost me, why are you trying to block SSH? If you do not want your spying devices to call home deny all traffic from them to the outside world.

----------

## Tony0945

 *Buffoon wrote:*   

> You lost me, why are you trying to block SSH? If you do not want your spying devices to call home deny all traffic from them to the outside world.

 

If I do that they cannot retrieve video from the internet. But I don't want some bot trying to crack the passwords. I don't care if they talk to the outside world, just the inside world.

Have you ever read those license agreements? You are giving them carte blanche over your network. Better that they not even see other devices.

Hu's solution looks good. I'll try it. In fact, I'll check the man page and see if I can block all ports.

----------

## Buffoon

I still do not see what SSH has to do with it. Those devices are trying to harvest file listings from your network shares. Well, create a different subnet for them and let them call home if you think it is OK. I personally deny them all internet access (they are not plugged in, can't beat that!) and use MythTV and Kodi to play content from net. There are very affordable devices that allow you to play HD content from net using FOSS - you are in complete control.

----------

## Tony0945

 *Hu wrote:*   

> iptables -A INPUT -p tcp --dport 22 -s blacklist-address -j DROP

 

This works!

 *Quote:*   

> X3 ~ # iptables -L
> 
> Chain INPUT (policy ACCEPT)
> 
> target     prot opt source               destination
> ...

 

First I had to research why iptables was complaining about the kernel. This link explained how to set it up https://wiki.gentoo.org/wiki/Iptables#Kernel

Many many thanks, Hu.
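Hu's one-liner is the whole answer for a single address; the script below is an added example (not code from the thread or from Gentoo) that generalizes it for several devices, and for the "block all ports" variant Tony mentions. It emits one rule per device, checks each rule with `iptables -C` before appending so the script can be re-run without stacking duplicates, and accepts either an IP address or a MAC (`mac=...`), since a DHCP lease change would otherwise silently un-block a TV. The addresses and MAC in `UNTRUSTED` are constructed placeholders; the `show`/`apply` modes and the function names are this example's own.

```shell
#!/bin/sh
# Added example: build idempotent iptables rules that drop SSH (or all
# inbound traffic) from untrusted LAN devices. Not from the original thread.

# Constructed placeholders: one entry per untrusted device, either an IP
# address or "mac=aa:bb:cc:dd:ee:ff". A MAC match keeps working after DHCP
# hands the device a different address.
UNTRUSTED="192.168.0.50 192.168.0.51 mac=00:11:22:33:44:55"

# Match clause for one device: -s for an IP, -m mac --mac-source for a MAC.
# (The mac match is only valid in the INPUT, FORWARD and PREROUTING chains.)
match_clause() {
    case "$1" in
        mac=*) printf '%s' "-m mac --mac-source ${1#mac=}" ;;
        *)     printf '%s' "-s $1" ;;
    esac
}

# Print one shell command per device. Mode "ssh" drops only TCP/22 (Hu's
# rule); mode "all" drops every inbound packet from the device. Each line
# first tests for the rule with -C and only appends with -A when it is absent.
gen_rules() {
    mode="$1"; shift
    case "$mode" in
        ssh) proto='-p tcp --dport 22' ;;
        all) proto='' ;;
        *)   echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    for dev in "$@"; do
        spec="INPUT $(match_clause "$dev") ${proto:+$proto }-j DROP"
        printf 'iptables -C %s 2>/dev/null || iptables -A %s\n' "$spec" "$spec"
    done
}

# Usage:  sh block-ssh.sh show [ssh|all]    print the commands
#         sh block-ssh.sh apply [ssh|all]   run them (needs root)
case "${1:-}" in
    show)  gen_rules "${2:-ssh}" $UNTRUSTED ;;
    apply) gen_rules "${2:-ssh}" $UNTRUSTED | sh -e ;;
esac
```

Two things to check after running it. `-A` appends, so on a chain that already holds ACCEPT rules the new DROPs land after them and never match; with an empty INPUT chain and policy ACCEPT, as in the `iptables -L` output above, appending is fine, otherwise use `-I INPUT` to put them first. The rules also live only in the running kernel; on Gentoo, `rc-service iptables save` stores them so the iptables init script restores them at boot.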

----------

