Quoting Mauricio Tavares <raubvogel@xxxxxxxxx>:
On Wed, Oct 5, 2011 at 12:24 AM, Netravali Ganesh
<gnetravali@xxxxxxxxxxxx> wrote:
Hi..
I have multiple Ethernet interface on the system. I need to enable
the ssh on eth0 and block the ssh on all the other interfaces.
Below are the iptables rules I am using. This is not working;
please let me know what is wrong. I am using a RHEL 6.1 system.
[root@localhost ~]# iptables -A INPUT -i eth1 -p tcp -m tcp --dport 22 -j DROP
[root@localhost ~]# iptables -L -v -n
Chain INPUT (policy ACCEPT 40 packets, 5240 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
I do not know what are your other rules, but I tend to have my
iptables blocking everything by default and only opening the ports I
need. Something like
iptables -P INPUT DROP -m comment --comment "drop everything"
[...]
iptables -A SERVICES -i eth0 -p tcp -m tcp --dport 22 -m comment
--comment "allow ssh into machine, from eth0" -j ACCEPT
--
Your way is another way of doing it, but isn't Ganesh's rule wrong?
The man page says that you can specify the protocol with *-p* or with
the match option *-m* so essentially that would be incorrect? I have
not had a chance to try it, but reading the man page I think that
needs to be addressed? I am new so this would be a learning
opportunity for me.
MATCH EXTENSIONS
iptables can use extended packet matching modules. These are loaded
in two ways: implicitly, when -p or --protocol is specified, or with
the -m or --match options, followed by the matching module
name; after these, various extra command line options become
available, depending on the specific module. You can specify multiple
extended match modules in one line, and you can use the -h or --help
options after the module has been specified to receive help specific
to that module.
Cheers-
David
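An added example to go with the two rulesets above (editor's code, not from any poster in the thread): a POSIX shell script that takes an `iptables -S INPUT` style listing and predicts, per interface, what happens to a fresh SSH connection, applying first-match semantics and falling back to the chain policy. It makes the gap in the per-interface DROP approach concrete: with policy ACCEPT, every interface that is not explicitly listed (eth2 here) still accepts port 22, whereas the default-deny ruleset only accepts on eth0. The two listings are constructed for the example and modelled on the thread (the SERVICES chain from the reply is flattened into INPUT, and a loopback and ESTABLISHED,RELATED rule are added, as a default-deny ruleset needs them). The awk parser only understands `-i`, `-p`, `--dport`, `--state` and `-j`; `-m tcp` and `-m comment` tokens are ignored, which is correct here because `-p tcp` already loads the tcp match implicitly (`-p tcp -m tcp --dport 22` is the form `iptables-save` itself emits). A new connection is modelled as a TCP SYN in conntrack state NEW.

```shell
#!/bin/sh
# Added example (not from the thread): predict the INPUT-chain verdict for a new
# SSH connection per interface from an `iptables -S INPUT` style listing, using
# first-match semantics with the chain policy as the fallback.
# Both listings below are constructed for this example, modelled on the two
# approaches discussed in the thread.

# Ganesh's approach: policy ACCEPT plus one DROP on eth1 (constructed listing).
RULES_GANESH='-P INPUT ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j DROP'

# Default-deny approach from the reply, SERVICES chain flattened into INPUT,
# with the loopback and stateful rules such a ruleset needs (constructed listing).
RULES_DENY='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m comment --comment "allow ssh into machine, from eth0" -j ACCEPT'

# ssh_verdict LISTING IFACE: print ACCEPT or DROP for a new TCP SYN to port 22 arriving on IFACE.
ssh_verdict() {
  rules=$1; iface=$2
  policy=$(printf '%s\n' "$rules" | awk '$1 == "-P" && $2 == "INPUT" { print $3 }')
  verdict=$(printf '%s\n' "$rules" | awk -v iface="$iface" '
    $1 != "-A" || $2 != "INPUT" { next }
    {
      in_if = ""; proto = ""; dport = ""; target = ""; state = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "-i") in_if = $(i + 1)
        else if ($i == "-p") proto = $(i + 1)
        else if ($i == "--dport") dport = $(i + 1)
        else if ($i == "--state") state = $(i + 1)
        else if ($i == "-j") target = $(i + 1)
      }
      # a fresh SYN is conntrack state NEW; ESTABLISHED,RELATED rules do not match it
      if (state != "" && state !~ /NEW/) next
      if (in_if != "" && in_if != iface) next
      if (proto != "" && proto != "tcp") next
      if (dport != "" && dport != "22") next
      print target; exit
    }')
  # no rule matched: the chain policy decides
  printf '%s\n' "${verdict:-$policy}"
}

# audit_ssh LISTING IFACE...: succeed only if SSH is accepted on eth0 and on no other listed interface.
audit_ssh() {
  rules=$1; shift
  rc=0
  for ifc in "$@"; do
    v=$(ssh_verdict "$rules" "$ifc")
    if [ "$ifc" = eth0 ] && [ "$v" != ACCEPT ]; then
      echo "ssh blocked on eth0"; rc=1
    elif [ "$ifc" != eth0 ] && [ "$v" = ACCEPT ]; then
      echo "ssh still reachable on $ifc"; rc=1
    fi
  done
  return $rc
}

# Standalone run: the per-interface DROP leaves every unlisted interface open,
# the default-deny ruleset does not.
audit_ssh "$RULES_GANESH" eth0 eth1 eth2 || true
audit_ssh "$RULES_DENY" eth0 eth1 eth2 && echo "default-deny ruleset: ssh reachable on eth0 only"
```

To run it against a live box, replace the constructed listings with the output of `iptables -S INPUT` (root required) and pass the interface names from `ip link`; the same audit then tells you whether a newly added interface has silently opened SSH.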
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html