iptables

owbr4dh02 · 01-21-2007, 12:14 AM

Hi All,

How can I

1. restrict port 22 traffic to the x.x.x.x interface to only allow incoming traffic from x.x.x.0/25

2. allow all incoming port 22 traffic to the y.y.y.y interface

Thanks for any help.

Simon Bridge · 01-21-2007, 12:35 AM

assuming a default drop policy

1. you want ssh connection from your machine to be allowed, but only from a particular net? I think that's something like:
iptables -A INPUT -p tcp -i eth1 -s x.x.x.0\24 -j ACCEPT -dport 22

2. so similarily:
iptables -A INPUT -p tcp -i eth0 -j ACCEPT -dport 22

if eth1 is x.x.x.x and eth0 is y.y.y.y

fotoguy · 01-21-2007, 11:37 PM

Quote:

Originally Posted by owbr4dh02

Hi All,

2. allow all incoming port 22 traffic to the y.y.y.y interface

Thanks for any help.

In the configuration file for the ssh server /etc/ssh/sshd.config you can set the ssh server to only listen on the ipaddress of the interface you specify, it will then refuse connection on any other interface. For example if you ssh server runs and ipaddress of 192.168.1.1 you would have something like this:

Code:

ListenAddress 192.168.1.1

owbr4dh02 · 01-22-2007, 10:53 PM

Hi Simon Bridge, fotoguy !

Thank you very much for your help!

fotoguy · 01-23-2007, 04:07 AM

Quote:

Originally Posted by owbr4dh02

Hi Simon Bridge, fotoguy !

Thank you very much for your help!

Glad to help out, if you would like to make it even more secure you can change the default port that ssh listens on to a completely different port. In the /etc/ssh/sshd.config you will see the #Port 22, just remove the hash symbol (uncomment), change the port to anything eg. Port 6893 then restart the ssh server and it will now listen to port 6893 for connectiosn.

win32sux · 01-23-2007, 10:14 AM

Quote:

Originally Posted by fotoguy

Glad to help out, if you would like to make it even more secure you can change the default port that ssh listens on to a completely different port. In the /etc/ssh/sshd.config you will see the #Port 22, just remove the hash symbol (uncomment), change the port to anything eg. Port 6893 then restart the ssh server and it will now listen to port 6893 for connectiosn.

hi, i don't mean to nit-pick, but i just wanted to comment that, technically speaking, changing the port ssh listens on has absolutely no effect as far as security is concerned... obscurity doesn't give more security...

but yes, having it listen on another port does have its benefits, such as making an ssh daemon less prone to getting picked-up by spiders, etc... but that's not in any way shape or form an increase in the security level...

fotoguy · 01-23-2007, 09:55 PM

Quote:

Originally Posted by win32sux

hi, i don't mean to nit-pick, but i just wanted to comment that, technically speaking, changing the port ssh listens on has absolutely no effect as far as security is concerned... obscurity doesn't give more security...

but yes, having it listen on another port does have its benefits, such as making an ssh daemon less prone to getting picked-up by spiders, etc... but that's not in any way shape or form an increase in the security level...

Yes that is true, I should have said that it will help to minimise the threats from automated programs/scripts which target port 22 by default.

Simon Bridge · 01-25-2007, 04:58 AM

Quote:

Thank you very much for your help!

Glad to be of assistance (as the door said to Zaphod Beeblebrox)... so did this actually work?

Sertys · 02-04-2007, 12:44 AM

It ain't working, just because "-t" stands for "table".

so the rules gotta be :
iptables -P INPUT DROP
#default policy of the chain
iptables -A INPUT -p tcp --dport 22 -i eth1 -s x.x.x.x -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -i eth0 -j ACCEPT
#any other allowed ports go below(may use multiport..)
iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT

Simon Bridge · 02-04-2007, 05:46 PM

I'm sorry, that should be -p (protocol). I'll edit the previous post so folk don't get confused.