I had a lot of false login requests on a Windows RDP server, and I mean A LOT!
So, I made something I'd like to share with all Domoticz users. How to use Domoticz to enable or disable access to that RDP server.
First I had to re-route the external address (port-forwarding in a Ziggo modem/firewall in my case) to the internal address from the RDP server to the Raspberry. So, the Raspberry will forward the RDP traffic (or not!) to the RDP server.
Remark: I run Domoticz on a Raspberry Pi 4 with the iptables firewall already installed and active. ??? google is your best friend!
A bin/bash script is needed to add or remove a few lines to the iptables (the rasbian firewall).
This is the script:
Code: Select all
#!/bin/bash
IPTBL=/sbin/iptables
IF_IN=eth0
PORT_IN=3389
IP_OUT=192.168.178.50
PORT_OUT=3389
$IPTBL -D PREROUTING -t nat -i $IF_IN -p tcp --dport $PORT_IN -j DNAT --to-destination ${IP_OUT}:${PORT_OUT}
$IPTBL -D FORWARD -p tcp -d $IP_OUT --dport $PORT_OUT -j ACCEPT
$IPTBL -D POSTROUTING -t nat -j MASQUERADE
if [[ "$1" == "ON" ]]; then
$IPTBL -A PREROUTING -t nat -i $IF_IN -p tcp --dport $PORT_IN -j DNAT --to-destination ${IP_OUT}:${PORT_OUT}
$IPTBL -A FORWARD -p tcp -d $IP_OUT --dport $PORT_OUT -j ACCEPT
$IPTBL -A POSTROUTING -t nat -j MASQUERADE
fi
In Domoticz:
Create hardware dummy
Add virtual sensor of type Switch
Open the switch properties and fill in the script "on" and "off" lines, like this:
script:///home/pi/scripts/setrdp.sh "ON"
script:///home/pi/scripts/setrdp.sh "OFF"
This is how it looks like:
At the end it looks simple but it took me a while to figure it out
Now, when I want to use the RDP I can enable it, and disable it when I am done!
Remark: I can disable it after the RDP connection is made. The firewall keeps my connection alive until I disconnect. So, very little up-time is needed.
If you have an FTP server or any other port you want to protect from the outside, you can do the same thing for that specific port.
Hopefully this is useful to others also.
