Hi Pascal, hi everybody,
Does this mean you wanted to reply to the list instead of me alone?
iptables -I INPUT -i eth0 -p tcp --dport 22 -j DROP
If the goal is to prevent *incoming* SSH connections on eth0.
Outgoing would be *something like*
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -j DROP (connections from
the box to outerspace)
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -j DROP (from LAN to
outerspace if the box routes that)
In the second rule I think you meant FORWARD instead of OUTPUT.
ListenAddress 192.168.222.3
This alone is not enough to prevent connections on eth0. You can
connect to any host address on any interface. E.g. connect to eth1
address on eth0 interface and vice versa.
Well, if it's the common setup of eth0 (some "real" non-private IP)
and a private ip for eth1 it will work more or less as expected, as
packets won't find the route to 192.168.222.3 (to keep the example
IP), because it is just valid in private networks.
It won't work when the client is on the same network as eth0, or can
alter the routing to the server. Your assertion relies on a third
party's (the ISP) routing and on the assumption that only packets with
the public IP address can hit eth0. I wouldn't like my security to
rely on a third party. Would you ?
From my point of view the sshd_config solution is nicer in any case,
you should add some rules like the following on a WAN-LAN router to
prevent (some) spoofed packets from entering - they will prevent the
connection here (if SSH is bound internally only):
iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP (I haven't
verified this /12 mask, you should check the RFCs to be sure)
The /12 prefix length is correct.
iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i eth1 -s <external IP> -j DROP
[These routes mean that packets with local addresses should not come
from outside and vice versa].
But these rules don't prevent connecting from a public source address
to the private IP address on the public interface.
You're right, of course - I thought of a firewall situation with NAT -
in that case I'd add
iptables -A INPUT -i eth0 -d 192.168.0.0/16 -j DROP
That said, I really thought too much about a natted link - so I correct
myself and say:
I would not only do a packet filter block but also (which was the part
I forgot to say) change the listening address, to have kind of double
protection.
Baltasar
--
Baltasar Cevc
_____ former 03 gmbh
_____ infanteriestraße 19 haus 6 eg
_____ D-80797 muenchen
_____ http://www.former03.de
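The point Pascal and Baltasar end on is that the anti-spoofing rules alone do not stop a packet with a public source address from reaching the private address on the public interface, and that the extra `-d 192.168.0.0/16` rule on eth0 is what closes that hole. The following is an added example, not code from the thread: a small first-match model of the INPUT chain that parses the thread's own rule lines and runs a few constructed packets through them. It models only the options used in the thread (`-i`, `-s`, `-d`, `-p`, `--dport`, `-j`) with an ACCEPT policy, as the thread assumes. 192.168.222.3 is the internal address from the thread; 203.0.113.5 as the router's external IP and 198.51.100.7 as an Internet client are assumed documentation addresses. It also checks the /12 mask that was doubted in the thread.

```python
"""First-match model of the INPUT chain rules discussed in the thread.

Added example, not part of the original mails.  Assumed addresses:
203.0.113.5 is the router's <external IP>, 198.51.100.7 a client on
the Internet (both RFC 5737 documentation ranges).  192.168.222.3 is the
internal address used in the thread.
"""
import ipaddress
import shlex

EXTERNAL_IP = "203.0.113.5"  # assumed value for <external IP>

# The anti-spoofing rules from the thread, with <external IP> filled in.
ANTI_SPOOF_RULES = [
    "iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP",
    "iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP",
    "iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP",
    f"iptables -A INPUT -i eth1 -s {EXTERNAL_IP} -j DROP",
]
# The extra rule proposed at the end of the thread.
PRIVATE_DST_RULE = "iptables -A INPUT -i eth0 -d 192.168.0.0/16 -j DROP"


def parse_rule(cmd):
    """Parse the subset of 'iptables -A INPUT ...' syntax used in the thread."""
    argv = shlex.split(cmd)
    if argv[:3] != ["iptables", "-A", "INPUT"]:
        raise ValueError(f"only 'iptables -A INPUT' rules are modelled: {cmd}")
    rule = {"iface": None, "src": None, "dst": None, "proto": None,
            "dport": None, "target": None}
    opts = argv[3:]
    if len(opts) % 2:
        raise ValueError(f"dangling option in: {cmd}")
    for opt, val in zip(opts[::2], opts[1::2]):
        if opt == "-i":
            rule["iface"] = val
        elif opt == "-s":
            rule["src"] = ipaddress.ip_network(val, strict=False)
        elif opt == "-d":
            rule["dst"] = ipaddress.ip_network(val, strict=False)
        elif opt == "-p":
            rule["proto"] = val
        elif opt == "--dport":
            rule["dport"] = int(val)
        elif opt == "-j":
            rule["target"] = val
        else:
            raise ValueError(f"unsupported option {opt} in: {cmd}")
    if rule["target"] is None:
        raise ValueError(f"rule has no target: {cmd}")
    return rule


def packet(iface, src, dst, proto="tcp", dport=22):
    """A packet as it arrives on `iface`; an SSH SYN by default."""
    return {"iface": iface, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "proto": proto, "dport": dport}


def matches(rule, pkt):
    """Every option given in the rule must match; omitted options match all."""
    if rule["iface"] is not None and rule["iface"] != pkt["iface"]:
        return False
    if rule["src"] is not None and pkt["src"] not in rule["src"]:
        return False
    if rule["dst"] is not None and pkt["dst"] not in rule["dst"]:
        return False
    if rule["proto"] is not None and rule["proto"] != pkt["proto"]:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt["dport"]:
        return False
    return True


def verdict(rules, pkt, policy="ACCEPT"):
    """First matching rule decides, as in netfilter; otherwise the chain policy."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["target"]
    return policy


def rfc1918_prefix_check():
    """The /12 doubted in the thread covers 172.16.0.0-172.31.255.255 and nothing more."""
    net = ipaddress.ip_network("172.16.0.0/12")
    return (ipaddress.ip_address("172.16.0.0") in net
            and ipaddress.ip_address("172.31.255.255") in net
            and ipaddress.ip_address("172.32.0.0") not in net
            and ipaddress.ip_address("172.15.255.255") not in net)


if __name__ == "__main__":
    base = [parse_rule(r) for r in ANTI_SPOOF_RULES]
    hardened = base + [parse_rule(PRIVATE_DST_RULE)]
    spoofed = packet("eth0", "10.1.2.3", EXTERNAL_IP)          # constructed
    to_private = packet("eth0", "198.51.100.7", "192.168.222.3")  # constructed
    lan = packet("eth1", "192.168.222.10", "192.168.222.3")      # constructed
    print("spoofed private source on eth0:", verdict(base, spoofed))
    print("public client to private address on eth0, anti-spoof only:",
          verdict(base, to_private))
    print("same packet with the -d rule added:", verdict(hardened, to_private))
    print("LAN client on eth1:", verdict(hardened, lan))
    print("172.16.0.0/12 is exactly 172.16-172.31:", rfc1918_prefix_check())
```

Running it shows the gap in words: with only the anti-spoofing rules the packet from 198.51.100.7 to 192.168.222.3 on eth0 is accepted, and it is only dropped once the `-d 192.168.0.0/16` rule is appended. The model ignores connection tracking and routing, so it says nothing about whether such a packet would actually be routed to eth0; that is exactly the third-party dependence Pascal objects to, and why binding sshd to the internal address as well is the sensible second layer.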