If ssh listens only on 192.168.229.131 at port 22, these rules are equivalent. Otherwise some user from another network (on another NIC) can connect. Another nuance is the possibility of IP/ARP spoofing - you can get 192.168.229.131 from eth1.

2011/6/20 Adishesh M <adisheshsm@xxxxxxxxx>:
> Hi,
>
> Is it mandatory (or recommended) to use the interface as an option to enable
> a particular port using the iptables filter table?
>
> If we don't use the interface name while forming a rule, are we
> compromising anything with respect to security?
>
> For example:
>
> We have two interfaces, eth0 and eth1, with the IP addresses given below.
> We want to enable the ssh service on eth1 and some other service on eth2.
> For this we are using the rules below.
>
> Option 1:
> iptables -P INPUT DROP
> iptables -A INPUT -i eth0 -d 192.168.229.131 -p tcp --dport 22 -j ACCEPT
> iptables -A INPUT -i eth1 -d 192.168.124.135 -p udp --dport 5060 -j ACCEPT
> iptables -A INPUT -j DROP
>
> Option 2:
> iptables -P INPUT DROP
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> iptables -A INPUT -d 192.168.124.135 -p udp --dport 5060 -j ACCEPT
> iptables -A INPUT -j DROP
>
> In the above examples, which is the more secure option?
>
> [root@adim ~]# ip addr list
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
>     link/ether 00:0c:29:53:6a:e0 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.229.131/24 brd 192.168.229.255 scope global eth0
>     inet6 fe80::20c:29ff:fe53:6ae0/64 scope link
>        valid_lft forever preferred_lft forever
> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
>     link/ether 00:0c:29:53:6a:f4 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.124.135/24 brd 192.168.124.255 scope global eth1
>     inet6 fe80::20c:29ff:fe53:6af4/64 scope link
>        valid_lft forever preferred_lft forever
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
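As an added example (not code from either post in this thread), the script below takes the interfaces and addresses from the quoted `ip addr` output and writes the interface-bound variant (Option 1) as an iptables-restore ruleset, plus the anti-spoofing drops the reply alludes to: a local address is only accepted on its own NIC, and a source address from one subnet is dropped if it shows up on the other NIC. The subnet variables, the `check_rules` lint and the `sysctl_hints` list are assumptions of this example, not part of the original rules.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts.
# Assumes the addresses/interfaces from the quoted `ip addr` output and
# builds the interface-bound ruleset (Option 1) in iptables-restore format,
# with anti-spoofing drops added: an address is only reachable through its
# own interface, and sources from one subnet must not arrive on the other NIC.
# Review with: sh this.sh      Load with (root): sh this.sh | iptables-restore

ETH0_IF=eth0; ETH0_IP=192.168.229.131; ETH0_NET=192.168.229.0/24
ETH1_IF=eth1; ETH1_IP=192.168.124.135; ETH1_NET=192.168.124.0/24

# Emit the filter table in iptables-restore format.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections we opened ourselves
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# anti-spoofing: each local address only on its own interface ...
-A INPUT ! -i $ETH0_IF -d $ETH0_IP -j DROP
-A INPUT ! -i $ETH1_IF -d $ETH1_IP -j DROP
# ... and each subnet's sources only on the NIC that faces that subnet
-A INPUT -i $ETH0_IF -s $ETH1_NET -j DROP
-A INPUT -i $ETH1_IF -s $ETH0_NET -j DROP
# services bound to interface AND destination address
-A INPUT -i $ETH0_IF -d $ETH0_IP -p tcp --dport 22 -j ACCEPT
-A INPUT -i $ETH1_IF -d $ETH1_IP -p udp --dport 5060 -j ACCEPT
COMMIT
EOF
}

# Lint (assumed helper): read a ruleset on stdin and fail if any service
# ACCEPT in INPUT lacks an explicit -i. The loopback rule carries "-i lo";
# the conntrack rule is exempt because it matches state, not a listener.
check_rules() {
    bad=$(grep -- '^-A INPUT.*-j ACCEPT' \
          | grep -v -- '-m conntrack' \
          | grep -v -- ' -i ' || true)
    [ -z "$bad" ]
}

# Kernel-side counterpart (printed, not applied): strict reverse-path
# filtering and strict ARP answering, so 192.168.229.131 is neither routed
# nor ARP-served via eth1. These are standard Linux sysctl keys.
sysctl_hints() {
    printf '%s\n' \
        'net.ipv4.conf.all.rp_filter=1' \
        'net.ipv4.conf.all.arp_ignore=1'
}

if [ "${1:-}" = "check" ]; then
    gen_rules | check_rules && echo "ok: every service ACCEPT is interface-bound"
else
    gen_rules
fi
```

Run `sh this.sh check` before loading to catch an ACCEPT like Option 2's `-p tcp --dport 22 -j ACCEPT` that is not tied to an interface. The sysctl lines are belt-and-braces, not a replacement for the rules: `rp_filter=1` is strict mode and will drop legitimate traffic on hosts with asymmetric routing, so use `2` (loose) there. Binding the daemon itself helps too, e.g. `ListenAddress 192.168.229.131` in sshd_config, which is exactly the precondition the reply gives for the two options being equivalent.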