Re: [SOLVED] iptables rule question for Centos 5




Marvin,

You're leaving SSH open to the world with that.
If this is a box behind a firewall, then it's not _as much of a
concern_ ... otherwise you're opening that server up to ssh brute
force attempts.

Your existing configuration is probably set up to drop/reject if
traffic does not match any of your rules, so you've nearly solved the
"blocking all other traffic" from server2.  But you really should put
a specific rule on server1 with source as server2 and dest port 22
being accepted.

-s server2 -p tcp --dport 22 -j ACCEPT

Best of luck,
---~~.~~---
Mike
//  SilverTip257  //


On Fri, Aug 3, 2012 at 4:25 PM, Blackburn, Marvin
<mblackburn@xxxxxxxxxxxxx> wrote:
> We have a simple configuration so we could get by with this
>
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> -A RH-Firewall-1-INPUT -s "SOURCIPADDRESS" -j REJECT --reject-with icmp-host-prohibited
>
> it doesn't scale well but serves the purpose.
>
>
>
> _____________________________________
> "He's no failure. He's not dead yet."
> William Lloyd George
>
>
> -----Original Message-----
> From: centos-bounces@xxxxxxxxxx [mailto:centos-bounces@xxxxxxxxxx] On
> Behalf Of Steve Clark
> Sent: Thursday, August 02, 2012 1:17 PM
> To: CentOS mailing list
> Cc: Blackburn, Marvin
> Subject: Re:  iptables rule question for Centos 5
>
> On 08/02/2012 01:06 PM, Blackburn, Marvin wrote:
>> I have a server that allows incoming traffic for ssh and some other
>> things.
>>
>> I need to set up a rule that will drop/reject all traffic from a
>> particular server except ssh.
>>
>> How can I do that?
>>
>> _______________________________________________
>> CentOS mailing list
>> CentOS@xxxxxxxxxx
>> http://lists.centos.org/mailman/listinfo/centos
>>
> Something like this first in your ruleset:
> -A INPUT -i eth0 -p tcp -s 10.0.1.0/24 --sport 1024:65535 -d 10.0.1.90/32 ! --dport 22 -j DROP
>
> substitute your appropriate ips and interface
>
>
> --
> Stephen Clark
> *NetWolves*
> Director of Technology
> Phone: 813-579-3200
> Fax: 813-882-0209
> Email: steve.clark@xxxxxxxxxxxxx
> http://www.netwolves.com
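As an added example (not code from any of the posters above), here is a small first-match model of the INPUT chain that replays the three rulesets from this thread against sample packets; it shows why Marvin's ordering does keep non-SSH traffic from server2 out, yet still leaves port 22 open to every other source, which Mike's source-restricted ACCEPT closes. The addresses are constructed for the example and are not from the thread.

```python
"""First-match model of the iptables INPUT rules discussed in the thread."""
from ipaddress import ip_address, ip_network

# Constructed sample addresses (assumptions, not values from the thread).
SERVER2 = "10.0.1.20"        # the host whose non-SSH traffic should be blocked
OUTSIDER = "203.0.113.5"     # any other host on the Internet


def rule(src=None, proto=None, dport=None, not_dport=False, target="ACCEPT"):
    """One rule: optional -s, -p, --dport (with '!' when not_dport) and -j."""
    return {"src": src, "proto": proto, "dport": dport,
            "not_dport": not_dport, "target": target}


def matches(r, pkt):
    """True when every match on the rule agrees with the packet."""
    if r["src"] and ip_address(pkt["src"]) not in ip_network(r["src"]):
        return False
    if r["proto"] and r["proto"] != pkt["proto"]:
        return False
    if r["dport"] is not None:
        hit = r["dport"] == pkt["dport"]
        if hit == r["not_dport"]:      # '! --dport' inverts the port match
            return False
    return True


def verdict(rules, pkt, policy="REJECT"):
    """iptables semantics: the first matching rule decides, else chain policy."""
    for r in rules:
        if matches(r, pkt):
            return r["target"]
    return policy


def pkt(src, dport, proto="tcp"):
    return {"src": src, "proto": proto, "dport": dport}


# Marvin's ruleset: SSH accepted from anywhere, then everything from server2 rejected.
MARVIN = [rule(proto="tcp", dport=22, target="ACCEPT"),
          rule(src=SERVER2, target="REJECT")]

# Mike's suggestion: the SSH ACCEPT carries server2 as its source.
MIKE = [rule(src=SERVER2, proto="tcp", dport=22, target="ACCEPT"),
        rule(src=SERVER2, target="REJECT")]

# Steve's variant: drop non-SSH TCP from the source net first, keep the existing SSH ACCEPT.
STEVE = [rule(src="10.0.1.0/24", proto="tcp", dport=22, not_dport=True, target="DROP"),
         rule(proto="tcp", dport=22, target="ACCEPT")]
```

Feed `verdict()` a packet from `OUTSIDER` to port 22 under each ruleset to see which of the three still admits it.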

