
The tilde (~) indicates a continuation to the next row. The seconds (120) and hitcount (4) can be adjusted as needed.

# The following lines block SSH attempts after 3 tries, for 2 minutes
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set ~
 --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update ~
 --seconds 120 --hitcount 4 --rttl --name SSH -j DROP
# NOTE: Do NOT add ppp0 (port 22) into Port Management, only do it here
iptables -A INPUT -p tcp -i ppp0 --dport 22 -j ACCEPT

In addition, the Firewall "INPUT Policy" should be set to "Drop All Input Packets," and the "Port Management" section of the Firewall configuration should not include an "ACCEPT Packet" rule for port 22 on the public network.

Instead, the last line (above) in Custom IPTABLES should be used to ACCEPT port 22 over the cellular (ppp0) and/or Ethernet (eth0, eth1, etc.) interface. This line (or one line per interface, for multiple interfaces) must come after the preceding lines that check whether to block repeated failed SSH login attempts: iptables evaluates a chain in order and stops at the first terminating target, so an ACCEPT placed before the DROP rule would bypass the check entirely.

Another option is to block all access to port 22 on the public ppp0 interface using the Port Management section of the Firewall object in your ACE configuration:
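To trace how the three rules above and the "Drop All Input Packets" policy act on a stream of connection attempts, here is an added offline model of the netfilter `recent` match (this is example code written for this page, not part of the page's configuration or the ACE product). It assumes the default `ip_pkt_list_tot` of 20 stored timestamps per address, ignores `--rttl`, and models only NEW connections to tcp/22; the sample timeline and addresses are constructed.

```python
"""Offline model of the page's SSH rate-limit chain (xt_recent --set / --update).

Constructed example. Simplifications (assumptions): --rttl is ignored, at most
PKT_LIST_TOT timestamps are kept per address (xt_recent's default
ip_pkt_list_tot), and only NEW connections to tcp/22 are modelled.
"""
from collections import defaultdict, deque

SECONDS = 120      # --seconds 120  (adjustable, as the page notes)
HITCOUNT = 4       # --hitcount 4   (the 4th hit inside the window is dropped)
PKT_LIST_TOT = 20  # assumed xt_recent default: stamps kept per address
ALLOWED_IFACES = {"ppp0"}  # the final rule: -i ppp0 --dport 22 -j ACCEPT


class RecentList:
    """One '--name SSH' list: source address -> recent timestamps (seconds)."""

    def __init__(self):
        self.entries = defaultdict(lambda: deque(maxlen=PKT_LIST_TOT))

    def set(self, src, now):
        # '-m recent --set --name SSH': record this packet's time for src.
        self.entries[src].append(now)

    def update(self, src, now, seconds=SECONDS, hitcount=HITCOUNT):
        # '--update --seconds N --hitcount M': match when src has at least M
        # stamps inside the last N seconds. On a match the current time is
        # recorded too (that is what distinguishes --update from --rcheck),
        # so an attacker who keeps hammering extends their own block.
        stamps = self.entries.get(src)
        if not stamps:
            return False
        hits = sum(1 for s in stamps if s + seconds > now)
        if hits >= hitcount:
            stamps.append(now)
            return True
        return False


def new_ssh_connection(recent, src, iface, now):
    """Walk the INPUT chain from the page for one NEW tcp/22 packet."""
    recent.set(src, now)                 # rule 1: --set (counts this packet)
    if recent.update(src, now):          # rule 2: --update ... -j DROP
        return "DROP"
    if iface in ALLOWED_IFACES:          # rule 3: -i ppp0 ... -j ACCEPT
        return "ACCEPT"
    return "DROP"                        # INPUT policy: Drop All Input Packets


def simulate(attempts):
    """attempts: iterable of (time_seconds, src, iface) -> list of verdicts."""
    recent = RecentList()
    return [new_ssh_connection(recent, src, iface, t)
            for t, src, iface in attempts]


if __name__ == "__main__":
    # Constructed timeline: a noisy source on ppp0 (3 tries pass, the 4th
    # within 120 s is dropped, a retry 70 s later is still dropped, a retry
    # after the stamps age out passes again), a quiet source, and a packet on
    # an interface the ACCEPT rule does not cover.
    attempts = [
        (0, "203.0.113.5", "ppp0"), (10, "203.0.113.5", "ppp0"),
        (20, "203.0.113.5", "ppp0"), (30, "203.0.113.5", "ppp0"),
        (100, "203.0.113.5", "ppp0"), (200, "203.0.113.5", "ppp0"),
        (210, "198.51.100.9", "ppp0"), (215, "198.51.100.9", "eth0"),
    ]
    for (t, src, iface), verdict in zip(attempts, simulate(attempts)):
        print(f"t={t:3d}s {src:14s} {iface:5s} -> {verdict}")
```

Because `--set` runs before `--update`, the packet being evaluated already counts toward `--hitcount 4`, which is why the page describes the rule as blocking "after 3 tries". Lowering `--seconds` shortens how long a blocked source stays blocked; raising `--hitcount` above the kernel's stored-stamp limit would make the rule never match, so keep it at or below that limit.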

In the configuration above, port 22 access is blocked over the public cellular network (ppp0), but allowed over the VPN connection (tun0).