I was going through the documentation and trying to apply the rules. I am allowing all the packets on all the interfaces as part of the default rule, then blocking ssh on eth1. This doesn't seem to be working.

Thanks
Ganesh

-----Original Message-----
From: netfilter-owner@xxxxxxxxxxxxxxx [mailto:netfilter-owner@xxxxxxxxxxxxxxx] On Behalf Of David Alanis
Sent: Wednesday, October 05, 2011 10:40 AM
To: netfilter@xxxxxxxxxxxxxxx
Subject: Re: How to block ssh on specific ethernet interface

Quoting Mauricio Tavares <raubvogel@xxxxxxxxx>:

> On Wed, Oct 5, 2011 at 12:24 AM, Netravali Ganesh
> <gnetravali@xxxxxxxxxxxx> wrote:
>> Hi..
>>
>> I have multiple Ethernet interfaces on the system. I need to enable
>> ssh on eth0 and block ssh on all the other interfaces.
>> Below are the iptables rules I am using. This is not working;
>> please let me know what is wrong. I am using a RHEL6.1 system.
>>
>> [root@localhost ~]# iptables -A INPUT -i eth1 -p tcp -m tcp --dport 22 -j DROP
>> [root@localhost ~]# iptables -L -v -n
>> Chain INPUT (policy ACCEPT 40 packets, 5240 bytes)
>>  pkts bytes target  prot opt in    out  source      destination
>>     0     0 DROP    tcp  --  eth1  *    0.0.0.0/0   0.0.0.0/0    tcp dpt:22
>>
> I do not know what are your other rules, but I tend to have my
> iptables blocking everything by default and only opening the ports I
> need. Something like
>
> iptables -P INPUT DROP -m comment --comment "drop everything"
> [...]
> iptables -A SERVICES -i eth0 -p tcp -m tcp --dport 22 -m comment --comment "allow ssh into machine, from eth0" -j ACCEPT
> --

Your way is another way of doing it, but isn't Ganesh's rule wrong? The man page says that you can specify the protocol with *-p* or with the match option *-m*, so essentially that would be incorrect? I have not had a chance to try it, but reading the man page I think that needs to be addressed? I am new, so this would be a learning opportunity for me.

MATCH EXTENSIONS
   iptables can use extended packet matching modules. These are loaded in two ways: implicitly, when -p or --protocol is specified, or with the -m or --match options, followed by the matching module name; after these, various extra command line options become available, depending on the specific module. You can specify multiple extended match modules in one line, and you can use the -h or --help options after the module has been specified to receive help specific to that module.

Cheers-
David

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
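Two facts about iptables decide this thread. First, a chain is evaluated top to bottom and the first matching rule wins, so a DROP appended after an accept-everything rule is never reached (the 0-packet counter on the quoted eth1 rule is exactly what that looks like). Second, `-p tcp -m tcp --dport 22` is valid: `-p tcp` already loads the tcp match and the explicit `-m tcp` is redundant but harmless, so the rule's syntax is not the problem. One more detail: `-P` sets a chain policy and accepts no match options, so `-P INPUT DROP -m comment ...` will not load. The script below is an added example written for this page, not code posted by Ganesh, Mauricio or David. It builds a default-deny INPUT chain that accepts new ssh connections only on one interface, and it includes a small audit that reads `iptables -S INPUT` output and reports when an unconditional ACCEPT shadows the ssh DROP. The interface name eth0, the dry-run wrapper `dry_run`, and both sample rulesets are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Builds an INPUT chain that accepts ssh
# only on one interface (default-deny, as Mauricio suggested) and audits a
# ruleset for the ordering mistake that makes an appended DROP dead code.
# IPT defaults to a dry run that prints the rules; set IPT=iptables to apply.
dry_run() { printf '%s\n' "$*"; }   # prints what would run, in -S style
IPT="${IPT:-dry_run}"
SSH_IF="${SSH_IF:-eth0}"            # assumed interface name; adjust for the host

build_input_rules() {
  # $1: command to run (iptables or dry_run), $2: interface that may accept ssh.
  ipt="${1:-$IPT}"; iface="${2:-$SSH_IF}"
  $ipt -F INPUT
  # -P sets the chain policy; it takes no match options such as -m comment.
  $ipt -P INPUT DROP
  $ipt -A INPUT -i lo -j ACCEPT
  $ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Only new ssh connections arriving on $iface are accepted; everything
  # else falls through to the DROP policy, so eth1 needs no rule of its own.
  $ipt -A INPUT -i "$iface" -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
  # Explicit drop for the other interfaces so `iptables -L -v` shows attempts.
  $ipt -A INPUT -p tcp -m tcp --dport 22 -j DROP
}

ssh_drop_shadowed() {
  # $1: text of `iptables -S INPUT`. Returns 0 when an unconditional
  # "-A INPUT -j ACCEPT" precedes the first dport-22 DROP: iptables stops at
  # the first matching rule, so that DROP can never see a packet.
  printf '%s\n' "$1" | awk '
    /^-A INPUT -j ACCEPT$/ && !acc { acc = NR }
    /--dport 22/ && /-j DROP/ && !drop { drop = NR }
    END { exit !(acc && drop && acc < drop) }'
}

# Constructed sample of `iptables -S INPUT` for the setup Ganesh described:
# accept everything first, then the eth1 drop. Its packet counter stays at 0.
SAMPLE_BAD='-P INPUT ACCEPT
-A INPUT -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j DROP'

# Constructed sample with the DROP inserted first: now the drop is reachable.
SAMPLE_GOOD='-P INPUT ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -j ACCEPT'

ssh_drop_shadowed "$SAMPLE_BAD"  && echo "sample_bad: ssh DROP on eth1 is shadowed"
ssh_drop_shadowed "$SAMPLE_GOOD" || echo "sample_good: ssh DROP on eth1 is reachable"
build_input_rules "$IPT" "$SSH_IF"
```

Run it as-is to review the generated rules, then `IPT=iptables SSH_IF=eth0 sh block-ssh.sh` as root to apply them. On a live host, `ssh_drop_shadowed "$(iptables -S INPUT)"` answers the question Ganesh's listing raises: whether an earlier accept-all rule is swallowing port 22 before the eth1 DROP is consulted. The default-deny layout avoids the ordering trap entirely, because ssh on every interface other than the named one is refused by the chain policy rather than by a rule that has to be placed correctly.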