Re: no ssh on eth0

Hi Pascal, hi everybody,

Does this mean you wanted to reply to the list instead of me alone?

iptables -I INPUT -i eth0 -p tcp --dport 22 -j DROP

If the goal is to prevent *incoming* SSH connections on eth0.
Outgoing would be *something like*
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -j DROP (connections from the box to outerspace)
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -j DROP (from LAN to outerspace if the box routes that)

In the second rule I think you meant FORWARD instead of OUTPUT.

    ListenAddress 192.168.222.3

This alone is not enough to prevent connections on eth0. You can connect to any host address on any interface. E.g. connect to eth1 address on eth0 interface and vice versa.
Well, if it's the common setup of eth0 (some "real" non-private IP) and a private IP for eth1 it will work more or less as expected, as packets won't find the route to 192.168.222.3 (to keep the example IP), because it is only valid in private networks.

It won't work when the client is on the same network as eth0, or can alter the routing to the server. Your assertion relies on a third party's (the ISP's) routing and on the assumption that only packets with the public IP address can hit eth0. I wouldn't like my security to rely on a third party. Would you?

From my point of view the sshd_config solution is nicer in any case; you should add some rules like the following on a WAN-LAN router to prevent (some) spoofed packets from entering - they will prevent the connection here (if SSH is bound internally only):
iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP (I haven't verified this /12 mask, you should check the RFCs to be sure)

The /12 prefix length is correct.

iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i eth1 -s <external IP> -j DROP
[These rules mean that packets with local addresses should not come from outside and vice versa].

But these rules don't prevent connecting from a public source address to the private IP address on the public interface.
You're right, of course - I thought of a firewall situation with NAT - in that case I'd add
iptables -A INPUT -i eth0 -d 192.168.0.0/16 -j DROP

That said, I really thought too much about a natted link - so I correct myself and say: I would not only do a packet filter block but also (which was the part I forgot to say) change the listening address, to have kind of double protection.

Baltasar

--
Baltasar Cevc

_____ former 03 gmbh
_____ infanteriestraße 19 haus 6 eg
_____ D-80797 muenchen

_____ http://www.former03.de
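The thread argues about which combination of INPUT rules and `ListenAddress` actually keeps SSH off eth0. The script below is an added example, not code from anyone in the thread: it models first-match evaluation of the posted INPUT rules and the weak-host behaviour of a Linux box (a packet for any local address is accepted on any interface, so `ListenAddress` by itself cannot tell eth0 from eth1), then checks the cases raised above side by side. The WAN address 198.51.100.2 and the client addresses are constructed (RFC 5737 documentation ranges); 192.168.222.3 is the LAN address used in the thread. It does not touch the real netfilter tables.

```python
"""Model of the INPUT-chain rules and the sshd ListenAddress discussed in the thread.

Constructed example: evaluates iptables-style rules (first match wins) against
hand-made packets. Nothing here changes the real netfilter configuration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed addresses: the WAN address is an assumption (RFC 5737 range),
# the LAN address is the one used in the thread.
EXTERNAL_IP = "198.51.100.2"   # eth0 address (assumed)
LAN_IP = "192.168.222.3"       # eth1 address, the sshd ListenAddress


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrived on
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 22


@dataclass(frozen=True)
class Rule:
    """One `iptables -A INPUT ... -j target` rule; a None field matches anything."""
    target: str
    iface: Optional[str] = None    # -i
    src: Optional[str] = None      # -s (CIDR)
    dst: Optional[str] = None      # -d (CIDR)
    proto: Optional[str] = None    # -p
    dport: Optional[int] = None    # --dport

    def matches(self, p: Packet) -> bool:
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.src is not None and \
                ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and \
                ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return True


def input_verdict(rules: List[Rule], p: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule decides, as in a netfilter chain; otherwise the chain policy."""
    for r in rules:
        if r.matches(p):
            return r.target
    return policy


def ssh_reachable(rules: List[Rule], listen: List[str], p: Packet) -> bool:
    """True if the packet passes INPUT and sshd has a socket bound to p.dst.

    Linux accepts a packet for any of its addresses on any interface (weak
    host model), so only the packet filter can enforce "not via eth0".
    """
    if p.proto != "tcp" or p.dport != 22:
        return False
    if input_verdict(rules, p) != "ACCEPT":
        return False
    return "0.0.0.0" in listen or p.dst in listen


# The rule sets posted in the thread, in the order they would be appended.
ANTI_SPOOF = [
    Rule("DROP", iface="eth0", src="192.168.0.0/16"),
    Rule("DROP", iface="eth0", src="172.16.0.0/12"),
    Rule("DROP", iface="eth0", src="10.0.0.0/8"),
    Rule("DROP", iface="eth1", src=EXTERNAL_IP + "/32"),
]
DROP_PRIVATE_DST_ON_WAN = [Rule("DROP", iface="eth0", dst="192.168.0.0/16")]
DROP_SSH_ON_WAN = [Rule("DROP", iface="eth0", proto="tcp", dport=22)]

# Constructed packets for the cases argued in the thread.
LAN_CLIENT = Packet("eth1", "192.168.222.10", LAN_IP)
SPOOFED_ON_WAN = Packet("eth0", "192.168.1.5", LAN_IP)
PUBLIC_SRC_TO_LAN_IP_ON_WAN = Packet("eth0", "203.0.113.7", LAN_IP)  # the gap in the anti-spoof set
PUBLIC_SRC_TO_WAN_IP = Packet("eth0", "203.0.113.7", EXTERNAL_IP)

if __name__ == "__main__":
    cases = [("LAN client", LAN_CLIENT), ("spoofed private src on eth0", SPOOFED_ON_WAN),
             ("public src -> LAN IP on eth0", PUBLIC_SRC_TO_LAN_IP_ON_WAN),
             ("public src -> WAN IP on eth0", PUBLIC_SRC_TO_WAN_IP)]
    for name, rules in [("anti-spoof only", ANTI_SPOOF),
                        ("anti-spoof + -d 192.168.0.0/16 on eth0", ANTI_SPOOF + DROP_PRIVATE_DST_ON_WAN),
                        ("all three sets", ANTI_SPOOF + DROP_PRIVATE_DST_ON_WAN + DROP_SSH_ON_WAN)]:
        print(name)
        for label, p in cases:
            print(f"  {label:30} ssh reachable: {ssh_reachable(rules, [LAN_IP], p)}")
```

Running it shows the two points the thread converges on: with only the anti-spoofing rules, a client on the eth0 segment can still reach 192.168.222.3 from a public source address; the `-d 192.168.0.0/16` rule on eth0 closes that, and the `--dport 22` drop on eth0 makes the result independent of `ListenAddress`.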