Access list using nftable vyos 1.3.x

Hello guys,

Please I’m trying to implement an access list using the NFTable in Vyos to block SSH and allow only some specified IP addresses to access SSH.

PS: The use of NFTable would be highly welcomed

have you tried

set service ssh dynamic-protection

I’m currently running the 1.3 LTS version and it has provision using the set service ssh acces-list command to add a group of network to be allowed or denied

The issue I’m also having is how do I create a group and add IP addresses to the group so I can call the group name when I’m running the set service ssh acces-list command.

“dynamic-protection” (sshguard) did not exist in Equuleus. It was only added in Sagitta.

It will be available in the next LTS release ⚓ T5354 Add sshguard to protect against brut-forces for 1.3

But the original request could be solved with static address groups.
I don’t get goal to use native nft format :slight_smile:


Please how do I configure static address group

Never heard of set service ssh access-list. There’s set service ssh access-control which is used to set the users that are allowed to use the service. As @Viacheslav stated, to filter by IP, you’ll need to set a firewall rule for incoming SSH traffic. See Firewall — VyOS 1.3.x (equuleus) documentation. There are multiple examples and a pretty clear explanation on how to setup an address group, create a ruleset based on a group, and apply it to an interface.

For some weir reason, using the filter rule wasn’t working. I’ve exhausted all option using the filter rule.

Hence I want to use the ssh access-control adding a group of allowed IPs.

I would appreciate if you can assist me with how to add group for access-control in ssh

Please read my response above. access-control is for users not IP’s. Your only solution is a firewall rule. Please RTFM. If you have a specific issue with setting up a firewall rule, post the specific issue and folks here will be happy to assist, but you need to post what you did that didn’t work.

Thanks @Netboy3, I’ll proceed as advised.