Thanks all, for the detailed discussion.

Varun

On Sun, 2006-07-30 at 19:17 +0200, former03 | Baltasar Cevc wrote:
> Hi Pascal, hi everybody,
>
> > Does this mean you wanted to reply to the list instead of me alone?
> >
> >>>>> iptables -I INPUT -i eth0 -p tcp --dport 22 -j DROP
> >>>
> >>> If the goal is to prevent *incoming* SSH connections on eth0.
> >> Outgoing would be *something like*
> >> iptables -A OUTPUT -i eth0 --dport 22 -j DROP (connections from the box to outer space)
> >> iptables -A OUTPUT -i eth0 --dport 22 -j DROP (from LAN to outer space if the box routes that)
> >
> > In the second rule I think you meant FORWARD instead of OUTPUT.
> >
> >>>> ListenAddress 192.168.222.3
> >>>
> >>> This alone is not enough to prevent connections on eth0. You can connect to any host address on any interface. E.g. connect to eth1 address on eth0 interface and vice versa.
> >> Well, if it's the common setup of eth0 (some "real" non-private IP) and a private IP for eth1 it will work more or less as expected, as packets won't find the route to 192.168.222.3 (to keep the example IP), because it is just valid in private networks.
> >
> > It won't work when the client is on the same network as eth0, or can alter the routing to the server. Your assertion relies on a third party's (the ISP) routing and on the assumption that only packets with the public IP address can hit eth0. I wouldn't like my security to rely on a third party. Would you?
> >
> >> From my point of view the sshd_config solution is nicer in any case, you should add some rules like the following on a WAN-LAN router to prevent (some) spoofed packets from entering - they will prevent the connection here (if SSH is bound internally only):
> >> iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
> >> iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP (I haven't verified this /12 mask, you should check the RFCs to be sure)
> >
> > The /12 prefix length is correct.
> >
> >> iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
> >> iptables -A INPUT -i eth1 -s <external IP> -j DROP
> >> [These rules mean that packets with local addresses should not come from outside and vice versa.]
> >
> > But these rules don't prevent connecting from a public source address to the private IP address on the public interface.
> You're right, of course - I thought of a firewall situation with NAT - in that case I'd add
> iptables -A INPUT -i eth0 -d 192.168.0.0/16 -j DROP
>
> That said, I really thought too much about a NATted link - so I correct myself and say:
> I would not only do a packet filter block but also (which was the part I forgot to say) change the listening address, to have kind of double protection.
>
> Baltasar
>
> --
> Baltasar Cevc
>
> _____ former 03 gmbh
> _____ infanteriestraße 19 haus 6 eg
> _____ D-80797 muenchen
>
> _____ http://www.former03.de
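The point the thread circles around (anti-spoofing `-s` rules do not stop a public client from aiming at the private address via eth0; `ListenAddress` filters on destination address, not interface; the `-d 192.168.0.0/16` rule on eth0 closes the gap) is easy to verify without a router. The following is an added example, not code posted by anyone in the thread: a small first-match evaluator for the iptables subset the thread uses (INPUT chain, `-i`, `-s`, `-d`, `-p tcp --dport`, `-j DROP`, default policy ACCEPT) plus a one-line model of sshd's `ListenAddress`. The external address 203.0.113.5, the client addresses and the helper names are constructed for the example; only 192.168.222.3 comes from the thread.

```python
"""Model the INPUT-chain rules from the thread and check which SSH packets get through.

This is an illustration, not an iptables implementation: only the matches the thread
uses are modelled (chain, -i, -s, -d, -p, --dport) with first-match-wins semantics and
a default policy of ACCEPT, which is what an unchanged chain has.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Packet:
    chain: str        # "INPUT" for packets addressed to this host
    in_iface: str     # interface the packet arrived on (-i)
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 22


@dataclass(frozen=True)
class Rule:
    chain: str
    target: str                      # "DROP" is the only target the thread uses
    in_iface: Optional[str] = None   # -i
    src: Optional[str] = None        # -s (CIDR or single address)
    dst: Optional[str] = None        # -d (CIDR or single address)
    proto: Optional[str] = None      # -p
    dport: Optional[int] = None      # --dport

    def matches(self, pkt: Packet) -> bool:
        if self.chain != pkt.chain:
            return False
        if self.in_iface is not None and self.in_iface != pkt.in_iface:
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if self.dst is not None and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def verdict(rules: Iterable[Rule], pkt: Packet) -> str:
    """First matching rule decides; an unmatched packet falls through to the ACCEPT policy."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return "ACCEPT"


def sshd_accepts(listen_addrs: Iterable[str], pkt: Packet) -> bool:
    """ListenAddress binds sshd to addresses, not interfaces: only the destination matters."""
    return pkt.dst in set(listen_addrs)


def ssh_reachable(rules: Iterable[Rule], listen_addrs: Iterable[str], pkt: Packet) -> bool:
    """A packet reaches sshd only if the filter lets it through AND sshd is bound to its destination."""
    return verdict(rules, pkt) == "ACCEPT" and sshd_accepts(listen_addrs, pkt)


# Constructed scenario: eth0 is the WAN side with a public address, eth1 the LAN side.
EXTERNAL_IP = "203.0.113.5"            # assumed stand-in for "<external IP>" in the thread
INTERNAL_IP = "192.168.222.3"          # the ListenAddress from the thread
LISTEN = [INTERNAL_IP]

# Baltasar's anti-spoofing set, as posted (with the assumed external address filled in).
ANTI_SPOOF: List[Rule] = [
    Rule("INPUT", "DROP", in_iface="eth0", src="192.168.0.0/16"),
    Rule("INPUT", "DROP", in_iface="eth0", src="172.16.0.0/12"),
    Rule("INPUT", "DROP", in_iface="eth0", src="10.0.0.0/8"),
    Rule("INPUT", "DROP", in_iface="eth1", src=EXTERNAL_IP),
]
# The rule added in the correction: no traffic for a private destination on the WAN interface.
DST_PRIVATE_ON_WAN = Rule("INPUT", "DROP", in_iface="eth0", dst="192.168.0.0/16")
HARDENED: List[Rule] = ANTI_SPOOF + [DST_PRIVATE_ON_WAN]

# Constructed packets (all TCP/22).
PUBLIC_TO_PRIVATE = Packet("INPUT", "eth0", "198.51.100.7", INTERNAL_IP)   # Pascal's case
PUBLIC_TO_PUBLIC = Packet("INPUT", "eth0", "198.51.100.7", EXTERNAL_IP)    # normal WAN SSH attempt
SPOOFED_PRIVATE_SRC = Packet("INPUT", "eth0", "192.168.1.9", INTERNAL_IP)  # spoofed source on WAN
LAN_CLIENT = Packet("INPUT", "eth1", "192.168.222.10", INTERNAL_IP)        # legitimate LAN user


if __name__ == "__main__":
    for name, pkt in [("public->private on eth0", PUBLIC_TO_PRIVATE),
                      ("public->public on eth0", PUBLIC_TO_PUBLIC),
                      ("spoofed private src on eth0", SPOOFED_PRIVATE_SRC),
                      ("LAN client on eth1", LAN_CLIENT)]:
        print(f"{name:30} anti-spoof only: {ssh_reachable(ANTI_SPOOF, LISTEN, pkt)!s:5} "
              f"with -d rule: {ssh_reachable(HARDENED, LISTEN, pkt)!s:5}")
```

Running it shows the gap and the fix side by side: with only the `-s` rules, the public client aiming at 192.168.222.3 over eth0 is accepted by the filter and by sshd (the `ListenAddress` matches, because sshd never sees the interface); the `-d 192.168.0.0/16` rule on eth0 drops it while the LAN client on eth1 still gets through, and the attempt against the public address is stopped by `ListenAddress` alone, which is the "double protection" the correction argues for.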