From 8d68ff1b67557539e85290114dc44fdeec6203bb Mon Sep 17 00:00:00 2001
From: Lars Wendler
Date: Fri, 27 Oct 2023 18:05:02 +0200
Subject: [PATCH] nft backend: Only block IPs for ssh destination port

---
 src/fw/sshg-fw-nft-sets.sh | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/fw/sshg-fw-nft-sets.sh b/src/fw/sshg-fw-nft-sets.sh
index ea9e202..c371119 100644
--- a/src/fw/sshg-fw-nft-sets.sh
+++ b/src/fw/sshg-fw-nft-sets.sh
@@ -7,6 +7,7 @@ CMD_NFT=nft
 NFT_TABLE=sshguard
 NFT_CHAIN=blacklist
 NFT_SET=attackers
+DEST_PORT="tcp dport ssh"
 proto() {
 	if [ "6" = "$1" ]; then
@@ -32,8 +33,8 @@ fw_init() {
 	run_nft "add set" "${NFT_SET} { type ipv6_addr; flags interval; }" 6
 	# Rule to drop sets' IP
-	run_nft "add rule" "${NFT_CHAIN} ip saddr @${NFT_SET} drop" 4
-	run_nft "add rule" "${NFT_CHAIN} ip6 saddr @${NFT_SET} drop" 6
+	run_nft "add rule" "${NFT_CHAIN} ip saddr @${NFT_SET} ${DEST_PORT} drop" 4
+	run_nft "add rule" "${NFT_CHAIN} ip6 saddr @${NFT_SET} ${DEST_PORT} drop" 6
 }
 fw_block() {
-- 
2.42.0
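Review bot: The two rewritten `add rule` lines in fw_init now drop traffic from @${NFT_SET} only when it matches `tcp dport ssh`, so a blocked address keeps full access to every other service sshguard can watch, and because `ssh` is resolved through the service database at rule load, an sshd listening on a non-standard port is no longer covered either. This narrowing is applied unconditionally, since the first hunk hard-codes `DEST_PORT="tcp dport ssh"` with no way for a deployment to keep the previous drop-everything behaviour. I would make the port match opt-in, e.g. `DEST_PORT="${DEST_PORT:-}"` with a comment such as `# optional nft match appended to the drop rules, e.g. "tcp dport 22"; empty drops all traffic from the set`, so the default stays as before and the narrower rule is a deliberate choice. fw_init's body starts outside the hunk and run_nft is not visible here, so whether a value containing spaces is split into nft tokens correctly by run_nft should be checked against that function.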