Marvin, You're leaving SSH open to the world with that. If this is a box behind a firewall, then it's not _as much of a concern_ ... otherwise you're opening that server up to ssh brute force attempts. Your existing configuration is probably set up to drop/reject if traffic does not match any of your rules, so you've nearly solved the "blocking all other traffic" from server2. But you really should put a specific rule on server1 with source as server2 and dest port 22 being accepted. -s server2 -p tcp --dport 22 -j ACCEPT Best of luck, ---~~.~~--- Mike // SilverTip257 // On Fri, Aug 3, 2012 at 4:25 PM, Blackburn, Marvin <mblackburn@xxxxxxxxxxxxx> wrote: > We have a simple configuration so we could get by with this > > -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j > ACCEPT > -A RH-Firewall-1-INPUT -s "SOURCIPADDRESS" -j REJECT --reject-with > icmp-host-prohibited > > it doesn't scale well but servies the purpose. > > > > _____________________________________ > "He's no failure. He's not dead yet." > William Lloyd George > > > -----Original Message----- > From: centos-bounces@xxxxxxxxxx [mailto:centos-bounces@xxxxxxxxxx] On > Behalf Of Steve Clark > Sent: Thursday, August 02, 2012 1:17 PM > To: CentOS mailing list > Cc: Blackburn, Marvin > Subject: Re: iptables rule question for Centos 5 > > On 08/02/2012 01:06 PM, Blackburn, Marvin wrote: >> I have a server that allows incoming traffic for ssh and some other >> things. >> >> I need to set up a rule that will drop/reject all traffic from a >> particular server except ssh. >> >> How can I do that. >> >> >> >> >> >> _____________________________________ >> "He's no failure. He's not dead yet." >> William Lloyd George >> >> >> >> _______________________________________________ >> CentOS mailing list >> CentOS@xxxxxxxxxx >> http://lists.centos.org/mailman/listinfo/centos >> > Something like this first in your ruleset: > -A INPUT -i eth0 -p tcp -s 10.0.1.0/24 --sport 1024:65535 -d > 10.0.1.90/32 ! --dport 22 -j DROP > > substitute your appropriate ips and interface > > > -- > Stephen Clark > *NetWolves* > Director of Technology > Phone: 813-579-3200 > Fax: 813-882-0209 > Email: steve.clark@xxxxxxxxxxxxx > http://www.netwolves.com > _______________________________________________ > CentOS mailing list > CentOS@xxxxxxxxxx > http://lists.centos.org/mailman/listinfo/centos > > > _______________________________________________ > CentOS mailing list > CentOS@xxxxxxxxxx > http://lists.centos.org/mailman/listinfo/centos _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos