
How to disable SSH access to TorBox from LAN and WLAN?

Open ghost opened this issue 4 years ago • 21 comments

Hi, how can I disable the possibility to connect to TorBox from devices connected on 192.168.43.x and 192.168.42.x?

ghost avatar Aug 06 '21 21:08 ghost

Currently, if you are connected with a cable, you can only disable the TorBox WiFi, which disables 192.168.42.x. See entry 9 in the Configuration menu.

If you want to disable the SSH access from the client side (192.168.43.x and 192.168.42.x), probably the easiest way is to deactivate/remove the following line in set_interfaces:

$IPTABLES -t nat -A PREROUTING -i $I_DEVICE -d $MY_OWN_IP -p tcp -j REDIRECT

..and in set_interfaces_2:

$IPTABLES -t nat -A PREROUTING -i $I_DEVICE1 -d $MY_OWN_IP1 -p tcp -j REDIRECT
$IPTABLES -t nat -A PREROUTING -i $I_DEVICE2 -d $MY_OWN_IP2 -p tcp -j REDIRECT

radio24 avatar Aug 06 '21 21:08 radio24

Sorry, but how can I remove these lines?

torbox@TorBox042:~/torbox $ IPTABLES -t nat -A PREROUTING -i $I_DEVICE -d $MY_OWN_IP -p tcp -j REDIRECT
-bash: IPTABLES: command not found

I'm not familiar with iptables :(

ghost avatar Aug 07 '21 07:08 ghost

If I were you, I would test the change first by changing the active iptables: sudo iptables -t nat -D REDIRECT -p tcp -d 192.168.42.1

That should prevent the possibility to make a new SSH connection to the TorBox. If the outcome is what you were looking for, you can make it permanent by opening set_interfaces and set_interfaces_2 (in /home/torbox/torbox type nano set_interfaces / nano set_interfaces_2) and removing the three lines mentioned above.

radio24 avatar Aug 08 '21 12:08 radio24

torbox@TorBox042:~/torbox $ sudo iptables -t nat -D REDIRECT -p tcp -d 192.168.42.1
iptables v1.8.2 (nf_tables): Chain 'REDIRECT' does not exist

What did I do wrong?

ghost avatar Aug 08 '21 19:08 ghost

Ah, sorry, it is my error. The chain is called PREROUTING and the command is the following: sudo iptables -t nat -D PREROUTING -p tcp -d 192.168.42.1

radio24 avatar Aug 08 '21 19:08 radio24

Ah, sorry, it is my error. The chain is called PREROUTING and the command is the following: sudo iptables -t nat -D PREROUTING -p tcp -d 192.168.42.1

torbox@TorBox042:~/torbox $ sudo iptables -t nat -D PREROUTING -p tcp -d 192.168.42.1
iptables: Bad rule (does a matching rule exist in that chain?).

ghost avatar Aug 08 '21 19:08 ghost

Could you give me the output of sudo iptables -t nat -L?

radio24 avatar Aug 08 '21 19:08 radio24

torbox@TorBox042:~/torbox $ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             192.168.42.1
REDIRECT   tcp  --  anywhere             anywhere             redir ports 9040
REDIRECT   udp  --  anywhere             anywhere             udp dpt:domain redir ports 9053
REDIRECT   udp  --  anywhere             anywhere             redir ports 9040

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

ghost avatar Aug 08 '21 19:08 ghost

Try the following to remove line number 1 (REDIRECT tcp -- anywhere 192.168.42.1): sudo iptables -D PREROUTING 1

radio24 avatar Aug 08 '21 19:08 radio24

torbox@TorBox042:~/torbox $ sudo iptables -D PREROUTING 1
iptables v1.8.2 (nf_tables): Chain 'PREROUTING' does not exist

Did I execute the command correctly?

ghost avatar Aug 08 '21 19:08 ghost

How about: sudo iptables -t nat -D PREROUTING 1

radio24 avatar Aug 08 '21 19:08 radio24
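An added example for the deletion step above; it is not TorBox project code and not part of this thread. In the listing posted earlier, rule 1 (REDIRECT tcp to 192.168.42.1 with no redirect port) is the exemption that keeps TCP traffic addressed to the box itself out of rule 2, the catch-all REDIRECT to port 9040. Deleting rule 1 therefore does not close port 22; it sends SSH, and every other TCP service on that address, into the port-9040 redirect instead. The script below finds the rule number from a constructed copy of `iptables -t nat -L PREROUTING -n --line-numbers` output rather than assuming it is 1, flags that consequence, and prints an alternative filter-table rule that refuses SSH on the client interfaces while leaving the exemption in place. The own IP 192.168.42.1 and the interface names wlan0 and eth0 are assumptions; the script only prints commands, it does not change the firewall.

```shell
#!/bin/sh
# Added example, not TorBox project code. Assumes the box's own client-side IP
# is 192.168.42.1 and that the listing below mirrors
# `sudo iptables -t nat -L PREROUTING -n --line-numbers` (numeric output).

# Constructed sample listing; "anywhere" appears as 0.0.0.0/0 with -n.
SAMPLE_LISTING='Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    REDIRECT   tcp  --  0.0.0.0/0            192.168.42.1
2    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0            redir ports 9040
3    REDIRECT   udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53 redir ports 9053
4    REDIRECT   udp  --  0.0.0.0/0            0.0.0.0/0            redir ports 9040'

# find_own_ip_redirect <own-ip>: reads a listing on stdin and prints the
# number of the "REDIRECT tcp ... <own-ip>" rule that carries no redir port,
# i.e. the exemption that keeps traffic to the box itself out of the catch-all.
find_own_ip_redirect() {
  awk -v ip="$1" '$1 ~ /^[0-9]+$/ && NF == 6 && $2 == "REDIRECT" && $3 == "tcp" && $6 == ip { print $1 }'
}

# catch_all_rule_after <rule-num>: exit 0 if a TCP REDIRECT to port 9040 for
# any destination follows the given rule. If so, deleting the exemption pushes
# port 22 (and every other TCP port on that address) into that redirect
# instead of simply closing it.
catch_all_rule_after() {
  awk -v n="$1" '$1 ~ /^[0-9]+$/ && $1 > n && $2 == "REDIRECT" && $3 == "tcp" && $6 == "0.0.0.0/0" && /redir ports 9040/ { found = 1 }
                 END { exit found ? 0 : 1 }'
}

# delete_cmd <own-ip>: prints the exact deletion command using the rule number
# actually found, rather than assuming the exemption is rule 1.
delete_cmd() {
  num=$(find_own_ip_redirect "$1")
  [ -n "$num" ] || { echo "no own-IP REDIRECT rule for $1 found" >&2; return 1; }
  echo "sudo iptables -t nat -D PREROUTING $num"
}

# reject_ssh_cmds <iface>...: prints filter-table rules that refuse SSH on the
# client-facing interfaces outright, so the nat exemption can stay in place.
# Assumes no earlier ACCEPT rule for port 22 in INPUT; interface names are
# assumptions, check `ip link` on the box.
reject_ssh_cmds() {
  for dev in "$@"; do
    echo "sudo iptables -A INPUT -i $dev -p tcp --dport 22 -j REJECT --reject-with tcp-reset"
  done
}

# Stand-alone run: show what would be done for the sample listing.
printf '%s\n' "$SAMPLE_LISTING" | delete_cmd 192.168.42.1
if printf '%s\n' "$SAMPLE_LISTING" | catch_all_rule_after 1; then
  echo "note: after deletion, TCP to 192.168.42.1 is redirected to port 9040 instead of being refused"
fi
reject_ssh_cmds wlan0 eth0
```

Whichever variant is used, the thread notes that TorBox rewrites its iptables rules whenever the network configuration is changed from the menu, so a change made only with `iptables`/`netfilter-persistent` is lost at that point; the edit to set_interfaces and set_interfaces_2 is what survives.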

How about: sudo iptables -t nat -D PREROUTING 1

Executed successfully! What next? I want to block access from LAN 192.168.43.x.

ghost avatar Aug 08 '21 19:08 ghost


torbox@TorBox042:~/torbox $ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             anywhere             redir ports 9040
REDIRECT   udp  --  anywhere             anywhere             udp dpt:domain redir ports 9053
REDIRECT   udp  --  anywhere             anywhere             redir ports 9040

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

ghost avatar Aug 08 '21 19:08 ghost

What next? I want to block access from LAN 192.168.43.x.

Try to make a new ssh connection. That should fail.

radio24 avatar Aug 08 '21 19:08 radio24

All works fine; also, I saved iptables with netfilter-persistent save.

ghost avatar Aug 08 '21 20:08 ghost

Maybe you could add in the next release an option to disable SSH from 192.168.42.x and 192.168.43.x? It would be very useful. Thanks for the active work on this project.

ghost avatar Aug 08 '21 20:08 ghost

The iptables configuration will only be persistent if you make the changes in set_interfaces and set_interfaces_2 as described above.

Maybe you could add in the next release an option to disable SSH from 192.168.42.x and 192.168.43.x? It would be very useful. Thanks for the active work on this project.

Currently, you are the only one requesting such a feature. I will think about adding it as a permanent feature to TorBox if more people request it.

radio24 avatar Aug 08 '21 20:08 radio24

I installed iptables-persistent, because for me it's the easiest way to run sudo iptables -t nat -D PREROUTING 1 && netfilter-persistent save. Also, as I understand it, the command iptables -t nat -D PREROUTING 1 works for both network interfaces?

ghost avatar Aug 08 '21 20:08 ghost

Yes, but every time you change something on the network configuration (main menu 5-10), the saved iptables rules will be overwritten.

radio24 avatar Aug 08 '21 20:08 radio24

Connected with issue #84.

radio24 avatar Aug 10 '21 01:08 radio24

I reopened the issue so that I don't forget to look into it with the next TorBox version.

radio24 avatar Aug 10 '21 12:08 radio24