Hi,

Is it mandatory (or recommended) to use the interface as an option to enable a particular port using the iptables filter table? If we don't use the interface name while forming a rule, then are we compromising anything with respect to security?

For example, we have two interfaces eth0 and eth1 with IP addresses as given below. We want to enable the ssh service on eth1 and some other service on eth2. For this we are using the below rules.

Option 1:

    iptables -P INPUT DROP
    iptables -A INPUT -i eth0 -d 192.168.229.131 -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -i eth1 -d 192.168.124.135 -p udp --dport 5060 -j ACCEPT
    iptables -A INPUT -j DROP

Option 2:

    iptables -P INPUT DROP
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -d 192.168.124.135 -p udp --dport 5060 -j ACCEPT
    iptables -A INPUT -j DROP

In the above examples, which is the more secure option?

    [root@adim ~]# ip addr list
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
        link/ether 00:0c:29:53:6a:e0 brd ff:ff:ff:ff:ff:ff
        inet 192.168.229.131/24 brd 192.168.229.255 scope global eth0
        inet6 fe80::20c:29ff:fe53:6ae0/64 scope link
           valid_lft forever preferred_lft forever
    3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
        link/ether 00:0c:29:53:6a:f4 brd ff:ff:ff:ff:ff:ff
        inet 192.168.124.135/24 brd 192.168.124.255 scope global eth1
        inet6 fe80::20c:29ff:fe53:6af4/64 scope link
           valid_lft forever preferred_lft forever
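To make the difference between the two rulesets concrete, here is an added example (not part of the original post) that models first-match evaluation of an INPUT chain in Python and runs both option rulesets over constructed sample packets. It uses the interface names and addresses from the post; the Packet and Rule classes and the sample packets are assumptions of this model, not iptables itself, and it only models the -i, -d, -p and --dport matches the rules use.

```python
# Added example: a minimal model of iptables INPUT chain matching, used to
# show which packets Option 1 and Option 2 accept. Not real iptables.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet arrived on (matched by -i)
    dst: str      # destination IP address (matched by -d)
    proto: str    # "tcp" or "udp" (matched by -p)
    dport: int    # destination port (matched by --dport)

@dataclass(frozen=True)
class Rule:
    target: str
    iface: Optional[str] = None   # None means "no -i given": any interface
    dst: Optional[str] = None     # None means "no -d given": any address
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        # A match option that was not given matches every packet.
        return all(cond is None or cond == val for cond, val in (
            (self.iface, pkt.iface), (self.dst, pkt.dst),
            (self.proto, pkt.proto), (self.dport, pkt.dport)))

def verdict(rules, pkt: Packet, policy: str = "DROP") -> str:
    """First matching rule wins, as in a real chain; else the chain policy."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy

OPTION1 = [  # rules bound to interface and address, as in the post
    Rule("ACCEPT", iface="eth0", dst="192.168.229.131", proto="tcp", dport=22),
    Rule("ACCEPT", iface="eth1", dst="192.168.124.135", proto="udp", dport=5060),
    Rule("DROP"),
]
OPTION2 = [  # no -i; ssh rule also has no -d
    Rule("ACCEPT", proto="tcp", dport=22),
    Rule("ACCEPT", dst="192.168.124.135", proto="udp", dport=5060),
    Rule("DROP"),
]

SAMPLES = {  # constructed packets
    "ssh on eth0 to eth0 addr": Packet("eth0", "192.168.229.131", "tcp", 22),
    "ssh on eth1 to eth1 addr": Packet("eth1", "192.168.124.135", "tcp", 22),
    "ssh on eth1 to eth0 addr": Packet("eth1", "192.168.229.131", "tcp", 22),
    "sip on eth0 to eth1 addr": Packet("eth0", "192.168.124.135", "udp", 5060),
}

def compare() -> dict:
    """Map each sample to its (Option 1, Option 2) verdict."""
    return {name: (verdict(OPTION1, p), verdict(OPTION2, p)) for name, p in SAMPLES.items()}
```

Running compare() shows the three sample packets that Option 1 drops but Option 2 accepts: ssh arriving on eth1, and the SIP port reachable through eth0, which is exactly the extra exposure that omitting -i and -d buys.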