  #1

    iptables: block ssh for certain IPs and allow for others

    Hi, I wish to know if with iptables I can block all the internet IPs and allow a few IPs to connect to a machine by ssh.

    Anyone know if I can do that with iptables?

    Thanks.

  #2

    Framework

    Yes you can. This snippet should get you started:

    1) Direct ssh-related traffic to a new rule chain:

    iptables -A INPUT -i eth0 -p tcp --dport 22 -j ssh-list

    2) Create the new rule chain and permit access to IP ###.###.###.###. Repeat the line once for each permitted IP. If no IP matches, let the fall-through be dropped. Alternatively you can send a REJECT packet.

    iptables -N ssh-list

    iptables -A ssh-list -s ###.###.###.### -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    iptables -A ssh-list -j DROP
    "Obsolescence is just a lack of imagination."

  #3
    Hi nightduke,

    There are a number of things you can block and lose almost no functionality. These things should be blocked unless you have a very good reason for not doing so.

    * The private address ranges going out to the Internet.

    * The loopback address range coming from anywhere except the loopback adapter.

    * Class D IP addresses (224.0.0.0 to 239.255.255.255) when used as a source address. They may be ok as destination addresses.

    * Class E IP addresses (240.0.0.0 to 247.255.255.255) when used as a source address. It's highly unlikely someone will be transmitting to these addresses, so it's probably a good idea to block them when used as a destination address too.

    * Broadcast address unless you are using DHCP. The addresses are 0.0.0.0 for source and 255.255.255.255 for destination. Block these after you allow for DHCP.

    * Any packets coming from your network that don't have your network address as a source, unless you are doing routing, maybe.

    * If your firewall allows you to filter on arbitrary TCP flags (iptables does), drop any TCP packets that have either no flags set (null packets) or all the flags set (SYN,ACK,FIN,RST,URG,PSH, an Xmas packet).

    For more details please check out this link:

    http://gentoo-wiki.com/HOWTO_Iptables_for_newbies

    Thanks
    Bright Info Solutions
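The filters listed in the post above, written out as iptables rules. This is an added example, not code from the thread or from the linked HOWTO; it assumes a host that routes a LAN out to the Internet, and the interface names, LAN network and DHCP flag are placeholders passed in by the caller. By default it only prints the commands; set `IPTABLES=iptables` and run as root to apply them.

```shell
#!/bin/sh
# Added example (not from the thread): the anti-spoofing and malformed-packet
# filters the post lists, expressed as iptables rules for a host that routes
# a LAN out to the Internet. Interface and network names are placeholders.
# Dry run by default: the commands are printed. Set IPTABLES=iptables (as root)
# to apply them.
IPTABLES=${IPTABLES:-"echo iptables"}

# antispoof_rules WAN_IFACE LAN_IFACE LAN_NET DHCP(yes|no)
antispoof_rules() {
    wan=$1 lan=$2 lan_net=$3 dhcp=${4:-no}

    # 1. Private ranges must never leave (or be forwarded) toward the Internet
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        $IPTABLES -A OUTPUT -o "$wan" -d "$net" -j DROP
        $IPTABLES -A FORWARD -o "$wan" -d "$net" -j DROP
    done
    # 2. The loopback range is legitimate only on lo
    $IPTABLES -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
    # 3./4. Multicast (class D) and the reserved block (class E, 240/4, which
    #       includes the post's 240-247 range) are never valid source addresses
    $IPTABLES -A INPUT -i "$wan" -s 224.0.0.0/4 -j DROP
    $IPTABLES -A INPUT -i "$wan" -s 240.0.0.0/4 -j DROP
    # 5. Broadcast addresses: let the DHCP server reply in first if needed, then drop
    if [ "$dhcp" = yes ]; then
        $IPTABLES -A INPUT -i "$wan" -p udp --sport 67 --dport 68 -j ACCEPT
    fi
    $IPTABLES -A INPUT -i "$wan" -s 0.0.0.0/8 -j DROP
    $IPTABLES -A INPUT -i "$wan" -d 255.255.255.255 -j DROP
    # 6. Packets arriving from the LAN side must carry a LAN source address
    $IPTABLES -A FORWARD -i "$lan" ! -s "$lan_net" -j DROP
    # 7. Null (no flags) and Xmas (all flags) TCP packets
    $IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    $IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
}

antispoof_rules eth0 eth1 192.168.1.0/24 yes
```

Rule order matters: the DHCP ACCEPT is appended before the broadcast DROPs, so a client that still needs a lease keeps working, and all of these rules should sit before any rule that accepts general traffic on the WAN interface.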

  #4
    Also you can use:

    /etc/hosts.allow & /etc/hosts.deny
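The two files the post names, filled in as an sshd allow-list. This is an added example, not from the thread; the addresses are placeholders and `HOSTS_DIR` is a hypothetical variable that defaults to `/etc` so the policy can be previewed elsewhere first. One caveat a practitioner should check before relying on this: hosts.allow/hosts.deny only take effect if sshd is linked against libwrap, and OpenSSH removed tcp_wrappers support in 6.7.

```shell
#!/bin/sh
# Added example (not from the thread): a tcp_wrappers allow-list for sshd.
# HOSTS_DIR defaults to /etc; point it at a scratch directory to preview.
# Only effective if sshd is built with libwrap (OpenSSH >= 6.7 is not);
# check with:  ldd "$(command -v sshd)" | grep libwrap
HOSTS_DIR=${HOSTS_DIR:-/etc}

# write_sshd_wrapper_policy "host-or-net ..."
#   entries use tcp_wrappers syntax: a full address (203.0.113.10),
#   a dotted prefix (198.51.100.) or net/mask (198.51.100.0/255.255.255.0)
write_sshd_wrapper_policy() {
    allowed=$1
    # hosts.allow is consulted first and the first matching line wins
    {
        echo "# sshd allow-list (generated)"
        for entry in $allowed; do
            echo "sshd: $entry"
        done
    } > "$HOSTS_DIR/hosts.allow"
    # every other client is refused, for sshd only (other wrapped
    # services are unaffected; use "ALL: ALL" to deny everything)
    echo "sshd: ALL" > "$HOSTS_DIR/hosts.deny"
}

write_sshd_wrapper_policy "203.0.113.10 198.51.100."
```

After writing the files, `tcpdmatch sshd 203.0.113.10` (from the tcp_wrappers package, assumed installed) reports which line a given client would match, which is a cheap way to confirm the policy before trusting it.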

  #5
    Here's another way. From root:

    # route add -net xxx.xxx.xxx.0 netmask 255.255.255.0 reject

    I believe this command, though, only works under RedHat/Fedora distros. I used it before becoming a FreeBSD junkie.

  #6
    On rereading, it seems he wanted to drop all internet traffic except a few IPs for ssh.

    In that case ...

    Permit access to IP ###.###.###.###. Repeat the line once for each permitted IP. If no IP matches, let the fall-through be dropped. Alternatively you can send a REJECT packet.

    iptables -A INPUT -i eth0 -s ###.###.###.### -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -i eth0 -j DROP

    should permit ssh connections from the designated IP(s) and simply drop everything else.
    "Obsolescence is just a lack of imagination."
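The allow-list chain that posts #2 and #6 describe, as an added example that is not code from the thread. It differs from the posted lines in two ways a practitioner would want: `-p tcp` is included because `--dport` is only valid after a protocol match, and an `ESTABLISHED,RELATED` rule is appended first so that replies to connections the host itself opened are not caught by the final DROP. Interface name and addresses are placeholders supplied by the caller; by default the commands are printed rather than applied.

```shell
#!/bin/sh
# Added example, not code from the thread: the ssh-list chain posts #2 and #6
# describe, with the flags iptables actually requires. Interface and addresses
# are placeholders supplied by the caller.
# Dry run by default: the commands are printed. Set IPTABLES=iptables and run
# as root to apply them.
IPTABLES=${IPTABLES:-"echo iptables"}

# ssh_allowlist_rules IFACE "IP-or-CIDR ..."
ssh_allowlist_rules() {
    iface=$1
    allowed=$2
    # Keep traffic belonging to connections already accepted (or started by
    # this host) flowing before any per-port filtering happens
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The chain must exist before INPUT can jump to it
    $IPTABLES -N ssh-list
    # --dport needs a protocol match, so -p tcp is mandatory here
    $IPTABLES -A INPUT -i "$iface" -p tcp --dport 22 -j ssh-list
    # One ACCEPT per permitted source; only NEW connections reach this chain
    for ip in $allowed; do
        $IPTABLES -A ssh-list -s "$ip" -m state --state NEW -j ACCEPT
    done
    # Everything else that reaches the chain is dropped silently
    # (use -j REJECT --reject-with tcp-reset instead for a visible refusal)
    $IPTABLES -A ssh-list -j DROP
}

ssh_allowlist_rules eth0 "203.0.113.10 198.51.100.0/24"
```

Because the DROP lives in the `ssh-list` chain rather than in INPUT, only port 22 traffic from non-listed sources is dropped; other services on the host are unaffected, which is the difference between this and the "drop everything else" variant in post #6.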

  #7
    If you're never going to be running anything but SSH, then go with what's already been posted here. However, if you are eventually planning on running other services accessible via the net, then you might want to consider using one of the firewall scripts that exist, such as APF.
