RE: How to block ssh on specific ethernet interface

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I was going through the documentations and trying apply the rules. I am allowing all the packets on all the interface as part of default rule then blocking the ssh on eth1. This doesn't seems to be working.

Thanks
Ganesh 

-----Original Message-----
From: netfilter-owner@xxxxxxxxxxxxxxx [mailto:netfilter-owner@xxxxxxxxxxxxxxx] On Behalf Of David Alanis
Sent: Wednesday, October 05, 2011 10:40 AM
To: netfilter@xxxxxxxxxxxxxxx
Subject: Re: How to block ssh on specific ethernet interface

Quoting Mauricio Tavares <raubvogel@xxxxxxxxx>:

> On Wed, Oct 5, 2011 at 12:24 AM, Netravali Ganesh
> <gnetravali@xxxxxxxxxxxx> wrote:
>> Hi..
>>
>> I have multiple Ethernet  interface on the system. I need to enable  
>> the ssh on eth0 and block the ssh on all the other interfaces.  
>> Below is the iptables rules I am using. This is not working form  
>> pls lls let me know what is wrong. I am using RHEL6.1 system.
>>
>>  [root@localhost ~]# iptables -A INPUT -i eth1 -p tcp -m tcp  
>> --dport 22 -j DROP
>>  [root@localhost ~]# iptables -L -v -n
>> Chain INPUT (policy ACCEPT 40 packets, 5240 bytes)
>>  pkts bytes target     prot opt in     out     source                
>> destination
>>     0     0 DROP       tcp  --  eth1   *       0.0.0.0/0             
>> 0.0.0.0/0           tcp dpt:22
>>
>       I do not know what are your other rules, but I tend to have my
> iptables blocking everything by default and only opening the ports I
> need. Something like
>
> iptables -P INPUT  DROP -m comment --comment "drop everything"
> [...]
> iptables -A SERVICES  -i eth0 -p tcp -m tcp --dport 22 -m comment
> --comment "allow ssh into machine, from eth0" -j ACCEPT
> --

Your way is another way of doing it, but isn't Ganesh's rule wrong?

The man page says that you can specify the protocol with *-p* or with  
the match option *-m* so essentially that would be incorrect? I have  
not had a chance to try it, but reading the man page I think that  
needs to be addressed? I am new so this would be a learning  
opportunity for me.

MATCH EXTENSIONS
iptables can use extended packet matching modules.  These are loaded  
in two ways: implicitly, when -p or --protocol is specified, or  with   
the  -m  or  --match options,  followed  by  the  matching  module  
name; after these, various extra command line options become  
available, depending on the specific module. You can specify multiple  
extended match modules in one line, and you can use the -h or --help  
options after the module has been specified to receive  help  specific  
to that module.

Cheers-
David



----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux