-
06-01-2005, 08:55 AM #1 WHT Addict
- Join Date
- May 2002
- Location
- Spain
- Posts
- 121
iptables block ssh for certain ips and allow for others
Hi, I wish to know if with iptables I can block all the internet IPs and allow a few IPs to connect to a machine by SSH.
Does anyone know if I can do that with iptables?
Thanks.
-
06-01-2005, 12:43 PM #2 ThirtySx Bits Forever!
- Join Date
- Jul 2001
- Location
- Canada
- Posts
- 1,284
Framework
Yes, you can. This snippet should get you started:
1) direct ssh related traffic to a new rule chain (the chain has to exist before INPUT can jump to it, and --dport is only valid after -p tcp):
iptables -N ssh-list
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ssh-list
2) in the new rule chain, permit access to IP ###.###.###.###. Repeat the line once for each permitted IP. If the IP does not match, let the fall-through be dropped. Alternatively you can send a REJECT packet.
iptables -A ssh-list -s ###.###.###.### -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A ssh-list -j DROP
"Obsolescence is just a lack of imagination."
-
06-02-2005, 02:22 AM #3 Web Hosting Master
- Join Date
- Feb 2004
- Posts
- 772
Hi nightduke,
There are a number of things you can block and lose almost no functionality. These things should be blocked unless you have a very good reason for not doing so.
* The private address ranges going out to the Internet.
* The loopback address range coming from anywhere except the loopback adapter.
* Class D IP addresses (224.0.0.0 to 239.255.255.255) when used as a source address. They may be OK as destination addresses.
* Class E IP addresses (240.0.0.0 to 247.255.255.255) when used as a source address. It's highly unlikely someone will be transmitting to these addresses, so it's probably a good idea to block them when used as a destination address too.
* Broadcast addresses unless you are using DHCP. The addresses are 0.0.0.0 for source and 255.255.255.255 for destination. Block these after you allow for DHCP.
* Any packets coming from your network that don't have your network address as a source, unless you are doing routing, maybe.
* If your firewall allows you to filter on arbitrary TCP flags (iptables does), drop any TCP packets that have either no flags set (null packets) or all the flags set (SYN,ACK,FIN,RST,URG,PSH, an Xmas packet).
For more details please check out this link:
http://gentoo-wiki.com/HOWTO_Iptables_for_newbies
Thanks.
Bright Info Solutions
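The checks in the list above, written out as iptables rules. This is an added example, not code from the post or from the linked wiki page: the interface name eth0, the prefix 192.0.2.0/24 standing in for "your network address", the DHCP_CLIENT switch and the function names are all assumptions made for the example. Setting IPT=echo prints the commands instead of applying them, which is how to preview the rule order before touching a live box.

```shell
#!/bin/sh
# Added example: anti-spoofing and bad-flag filters from the list above.
# Assumptions (not from the thread): eth0 is the only Internet-facing
# interface, 192.0.2.0/24 is the prefix our own address lives in, and the
# host is a DHCP client only when DHCP_CLIENT=1. IPT=echo previews.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"
OUR_NET="${OUR_NET:-192.0.2.0/24}"
DHCP_CLIENT="${DHCP_CLIENT:-0}"

# Loopback addresses are only legitimate on the loopback interface.
allow_loopback() {
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
}

# Broadcast: let the DHCP offer (server port 67 -> client port 68, sent to
# 255.255.255.255) through first, then drop 0.0.0.0 sources and
# 255.255.255.255 destinations. Order matters: iptables is first match wins.
block_broadcast() {
    if [ "$DHCP_CLIENT" = 1 ]; then
        $IPT -A INPUT -i "$WAN_IF" -p udp --sport 67 --dport 68 -j ACCEPT
    fi
    $IPT -A INPUT -i "$WAN_IF" -s 0.0.0.0/8 -j DROP
    $IPT -A INPUT -i "$WAN_IF" -d 255.255.255.255 -j DROP
}

# Source addresses that should never arrive from the Internet: RFC 1918
# private space, class D multicast (224/4) and the reserved class E block
# (240/4, which also covers 255.255.255.255 used as a source).
drop_bogon_sources() {
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4; do
        $IPT -A INPUT -i "$WAN_IF" -s "$net" -j DROP
    done
}

# Null packets (no flags), Xmas packets (all flags) and NEW connections
# that do not start with a bare SYN.
drop_bad_tcp_flags() {
    $IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    $IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    $IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
}

# Egress: no private destinations out of the WAN interface, and nothing
# leaves with a source address outside our own prefix. Skip the second rule
# if this box routes for other networks (the "unless you are doing routing"
# case in the post).
drop_private_egress() {
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        $IPT -A OUTPUT -o "$WAN_IF" -d "$net" -j DROP
    done
    $IPT -A OUTPUT -o "$WAN_IF" ! -s "$OUR_NET" -j DROP
}

apply_all() {
    allow_loopback
    block_broadcast
    drop_bogon_sources
    drop_bad_tcp_flags
    drop_private_egress
}

# Only change the live ruleset when explicitly asked: APPLY=1 sh bogons.sh
if [ "${APPLY:-0}" = 1 ]; then
    apply_all
fi
```

Run `IPT=echo APPLY=1 sh bogons.sh` to see the rules in the order they would be appended; `APPLY=1 sh bogons.sh` as root appends them, and `iptables -L INPUT -n -v --line-numbers` afterwards shows where each one landed and how many packets it is catching. The DHCP accept sits before the broadcast drops for the reason the post gives: a later ACCEPT never sees a packet that an earlier DROP already ate.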
-
06-02-2005, 02:38 AM #4 Junior Guru
- Join Date
- Jul 2004
- Location
- U.A.E >> Dubai
- Posts
- 218
Also you can use :
/etc/hosts.allow & /etc/hosts.deny
SecurityWay.Net Managed Solutions
Linux Security,Domain Registration Service,eNom Reseller Account from an ETP.
http://domains.securityway.net/
Believe an expert, believe on who has had experience.
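As an added illustration of the TCP wrappers approach in post #4 (not the poster's own files), here is the same allowlist expressed in those two files. The addresses are assumed documentation ranges; the daemon name sshd is what OpenSSH registers with libwrap.

```text
# /etc/hosts.allow is consulted first, and the first matching line wins.
# Addresses may be single hosts or network/mask pairs.
sshd: 192.0.2.10, 203.0.113.0/255.255.255.0

# /etc/hosts.deny is consulted only when nothing in hosts.allow matched;
# if nothing matches here either, access is granted by default.
sshd: ALL
```

Two caveats before relying on this instead of iptables. It only governs daemons that were linked against libwrap (check with `ldd $(which sshd) | grep wrap`); a daemon without that library ignores both files silently. And the decision is taken after the TCP handshake has completed, so a port scanner still sees port 22 open; iptables drops the SYN before any connection exists. The two mechanisms stack, so there is no harm in using both.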
-
06-02-2005, 12:53 PM #5 Mostly Retired!
- Join Date
- Nov 2002
- Location
- Portland, Oregon
- Posts
- 2,992
Here's another way. From root:
# route add -net xxx.xxx.xxx.0 netmask 255.255.255.0 reject
I believe this command, though, only works under RedHat/Fedora distros. I used it before becoming a FreeBSD junkie.
-
06-02-2005, 08:17 PM #6 ThirtySx Bits Forever!
- Join Date
- Jul 2001
- Location
- Canada
- Posts
- 1,284
In rereading, it seems he wanted to drop all internet traffic except a few IPs for ssh.
In that case ...
permit access to IP ###.###.###.###. Repeat the line once for each permitted IP. If the IP does not match, let the fall-through be dropped. Alternatively you can send a REJECT packet.
iptables -A INPUT -i eth0 -s ###.###.###.### -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -j DROP
should permit ssh connections from the designated IP(s) to ssh and simply drop everything else.
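Posts #2 and #6 describe the same allowlist, so here it is once, as a script, with the pieces the two snippets leave to the reader: the chain is created before INPUT jumps to it, `-p tcp` precedes `--dport`, loopback and already-established traffic are accepted before the final drop (otherwise the catch-all DROP in post #6 also discards replies to the server's own outbound connections), and REJECT is available as the alternative the posts mention. This is an added example, not the poster's rules; eth0, port 22, the addresses 192.0.2.10 and 203.0.113.0/24 and the chain name ssh-list are assumptions. IPT=echo previews the commands instead of applying them.

```shell
#!/bin/sh
# Added example: SSH allowlist chain as described in posts #2 and #6.
# Assumptions (not from the thread): eth0 faces the Internet, sshd is on
# port 22, and the documentation-range addresses below are the admins.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"
SSH_PORT="${SSH_PORT:-22}"
# Space-separated hosts or networks allowed to open SSH connections.
SSH_ALLOWED="${SSH_ALLOWED:-192.0.2.10 203.0.113.0/24}"
# 0: silently DROP non-matching clients; 1: answer with a TCP RST instead.
SSH_REJECT="${SSH_REJECT:-0}"

build_ssh_allowlist() {
    # The chain must exist before any rule can jump to it. If it already
    # exists from a previous run, flush it first: iptables -F ssh-list
    $IPT -N ssh-list

    # Keep loopback and the return half of accepted connections working,
    # otherwise the final DROP kills the server's own outbound sessions.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # --dport is a TCP/UDP match, so a protocol has to be selected first.
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport "$SSH_PORT" -j ssh-list

    # One ACCEPT per permitted source (the "repeat the line" of post #2).
    # $SSH_ALLOWED is deliberately unquoted so the shell splits it on spaces.
    for src in $SSH_ALLOWED; do
        $IPT -A ssh-list -s "$src" -m state --state NEW -j ACCEPT
    done

    # Fall-through for everyone else: drop, or send a RST if asked to.
    if [ "$SSH_REJECT" = 1 ]; then
        $IPT -A ssh-list -j REJECT --reject-with tcp-reset
    else
        $IPT -A ssh-list -j DROP
    fi

    # Post #6: everything else arriving on the Internet interface is dropped.
    $IPT -A INPUT -i "$WAN_IF" -j DROP
}

# Only change the live ruleset when explicitly asked: APPLY=1 sh sshlist.sh
if [ "${APPLY:-0}" = 1 ]; then
    build_ssh_allowlist
fi
```

Apply it from the console, or from a session you can afford to lose, and keep an escape hatch such as `echo 'iptables -F' | at now + 10 minutes` armed until a fresh login from an allowed address succeeds; a typo in SSH_ALLOWED locks you out as thoroughly as it locks out everyone else. `iptables -L -n -v --line-numbers` shows the resulting order, and the packet counters on the ssh-list rules tell you whether each admin address is actually matching.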
-
06-03-2005, 01:41 PM #7 Junior Guru Wannabe
- Join Date
- May 2005
- Posts
- 67
If you're never going to be running anything but SSH, then go with what's already been posted here. However, if you are eventually planning on running other services accessible via the net, then you might want to consider using one of the firewall scripts that exist, such as APF.
Game control panels - control your game world your way. Server-Genie.com
http://www.server-genie.com