On Wed, Oct 5, 2011 at 8:08 AM, James Lay <jlay@xxxxxxxxxxxxxxxxxxx> wrote:
>
>
> On 10/4/11 10:24 PM, "Netravali Ganesh" <gnetravali@xxxxxxxxxxxx> wrote:
>
>> Hi..
>>
>> I have multiple Ethernet interfaces on the system. I need to enable
>> ssh on eth0 and block ssh on all the other interfaces. Below are the
>> iptables rules I am using. This is not working, pls let me know
>> what is wrong. I am using a RHEL6.1 system.
>>
>>  [root@localhost ~]# iptables -A INPUT -i eth1 -p tcp -m tcp --dport 22 -j DROP
>>  [root@localhost ~]# iptables -L -v -n
>> Chain INPUT (policy ACCEPT 40 packets, 5240 bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 DROP       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
>>
>> Thanks
>> Ganesh
>>
>> --
>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>> the body of a message to majordomo@xxxxxxxxxxxxxxx
>> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
>
> Why not just have sshd only listen to the interface you want? From
> sshd_config:
>
> #Use these options to restrict which interfaces/protocols sshd will bind to
> ListenAddress ::
> ListenAddress 0.0.0.0
>
> James
>

While I think that is a really clever solution, I believe the OP is also
doing this as an exercise to further understand iptables. Hence the fact
he asked in this list.

That said, here is a bit of a tangent question: which one is more
efficient/uses fewer resources: blocking at the iptables level or past
it, at the sshd level? And would both approaches show port 22 on eth1 as
closed?
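An added example, written for this page and not posted by anyone in the thread: a POSIX sh script that generates an iptables-restore ruleset restricting SSH to a single management interface. It uses `! -i` so that every interface other than the management one is covered, including ones added later, instead of a DROP rule per interface as in Ganesh's post. The interface name, the port and the default of REJECT with a TCP reset are assumptions; nothing here is loaded into the kernel, the script only produces the file and sanity-checks its rule order.

```shell
#!/bin/sh
# Added example (not from the netfilter thread). Generates an iptables-restore
# ruleset that accepts SSH only on one interface and turns it away elsewhere.
# Assumptions: interface names, port 22 and the REJECT default are illustrative.

# ssh_ruleset MGMT_IF [PORT] [DROP|REJECT]
# Prints an iptables-restore filter table to stdout.
ssh_ruleset() {
  mgmt_if=$1
  port=${2:-22}
  action=${3:-REJECT}
  case "$action" in
    DROP)   target='DROP' ;;
    # tcp-reset makes a scanner see the port as "closed" rather than "filtered"
    REJECT) target='REJECT --reject-with tcp-reset' ;;
    *) echo "ssh_ruleset: action must be DROP or REJECT" >&2; return 1 ;;
  esac
  cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to tracked connections first, so the SSH rules below only see NEW
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Loopback is not "another interface" for this purpose
-A INPUT -i lo -j ACCEPT
# New SSH connections are accepted only when they arrive on $mgmt_if ...
-A INPUT -i $mgmt_if -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
# ... and refused on every other interface, present or future
-A INPUT ! -i $mgmt_if -p tcp --dport $port -j $target
COMMIT
EOF
}

# ssh_ruleset_check PORT
# Reads a ruleset on stdin; returns 0 only if the ESTABLISHED,RELATED accept
# precedes the first rule that matches PORT. A ruleset that fails this check
# would cut off replies to SSH sessions that the NEW rule had already allowed.
ssh_ruleset_check() {
  awk -v p="$1" '
    /--ctstate ESTABLISHED,RELATED -j ACCEPT/ && !e { e = NR }
    $0 ~ ("--dport " p " ") && !s { s = NR }
    END { exit !(e && s && e < s) }'
}

# Stand-alone usage: write a ruleset for eth0 and verify it before loading it.
if [ "${1:-}" = "--demo" ]; then
  ssh_ruleset eth0 22 REJECT | tee /tmp/ssh-ruleset.v4 | ssh_ruleset_check 22 \
    && echo "ruleset ok, load with: iptables-restore < /tmp/ssh-ruleset.v4"
fi
```

Usage note: `sh script.sh --demo` writes the ruleset and checks it; `iptables-restore` loads it atomically (on RHEL 6 the persistent copy lives in /etc/sysconfig/iptables). On the tangent question in the reply: a DROP rule gives a scanner no answer, so port 22 on eth1 shows as filtered, whereas REJECT with tcp-reset and an sshd that simply is not bound to that address both answer with a RST, so the port shows as closed.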