Hi All,

My iptables rules were proper. I found the reason why it was not working: the IPs configured for both eth0 and eth1 are from the same subnet. If I configure the IPs from different subnets, then ssh is getting blocked on the eth1 interface.

Does anyone have any idea whether any internal routing of packets happens from eth0 to eth1 when we configure both interfaces with IPs from the same subnet?

Thanks,
Ganesh

-----Original Message-----
From: netfilter-owner@xxxxxxxxxxxxxxx [mailto:netfilter-owner@xxxxxxxxxxxxxxx] On Behalf Of Mauricio Tavares
Sent: Wednesday, October 05, 2011 5:59 PM
To: Netfilter
Subject: Re: How to block ssh on specific ethernet interface

On Wed, Oct 5, 2011 at 8:08 AM, James Lay <jlay@xxxxxxxxxxxxxxxxxxx> wrote:
>
>
> On 10/4/11 10:24 PM, "Netravali Ganesh" <gnetravali@xxxxxxxxxxxx> wrote:
>
>>Hi..
>>
>>I have multiple Ethernet interfaces on the system. I need to enable
>>ssh on eth0 and block ssh on all the other interfaces. Below are the
>>iptables rules I am using. This is not working; please let me know
>>what is wrong. I am using a RHEL6.1 system.
>>
>> [root@localhost ~]# iptables -A INPUT -i eth1 -p tcp -m tcp --dport 22 -j DROP
>> [root@localhost ~]# iptables -L -v -n
>>Chain INPUT (policy ACCEPT 40 packets, 5240 bytes)
>> pkts bytes target     prot opt in     out     source               destination
>>    0     0 DROP       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
>>
>>Thanks
>>Ganesh
>>
>>--
>>To unsubscribe from this list: send the line "unsubscribe netfilter" in
>>the body of a message to majordomo@xxxxxxxxxxxxxxx
>>More majordomo info at http://vger.kernel.org/majordomo-info.html
>
>
> Why not just have sshd only listen to the interface you want? From
> sshd_config:
>
> #Use these options to restrict which interfaces/protocols sshd will bind to
> ListenAddress ::
> ListenAddress 0.0.0.0
>
> James
>

While I think that is a really clever solution, I believe the OP is also doing this as an exercise to further understand iptables. Hence the fact he asked in this list.

That said, here is a bit of a tangent question: which one is more efficient/uses less resources: blocking at the iptables level or past it, at the sshd level? And would both approaches show port 22 on eth1 as closed?
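An added example, not part of the thread: a POSIX shell helper that flags the condition Ganesh found (eth0 and eth1 addressed from one subnet, where Linux by default answers ARP for either address on either interface, so traffic for eth1's address can arrive on eth0 and an `-i eth1` match never fires) and prints the per-interface rules, with an explicit ACCEPT on the allowed interface. The interface names and addresses are constructed for the example.

```shell
# Added example: detect the same-subnet pitfall from the thread and
# print per-interface ssh rules. Interface names/addresses are constructed.

# Dotted-quad IPv4 address -> 32-bit integer.
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Netmask (as integer) for a prefix length, e.g. 24 -> 0xFFFFFF00.
prefix_mask() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# same_subnet A.B.C.D/N W.X.Y.Z/M: succeeds when both belong to one subnet.
same_subnet() {
    ip1=${1%/*}; p1=${1#*/}
    ip2=${2%/*}; p2=${2#*/}
    [ "$p1" -eq "$p2" ] || return 1
    m=$(prefix_mask "$p1")
    [ $(( $(ip_to_int "$ip1") & m )) -eq $(( $(ip_to_int "$ip2") & m )) ]
}

# check_isolation IF1 ADDR1/N IF2 ADDR2/N: warn (and fail) when the two
# interfaces share a subnet, because the kernel may then deliver packets
# for ADDR2 via IF1 and an "-i IF2" rule never sees them.
check_isolation() {
    if same_subnet "$2" "$4"; then
        echo "warning: $1 ($2) and $3 ($4) share a subnet; -i $3 is unreliable" >&2
        return 1
    fi
    return 0
}

# gen_ssh_rules ALLOW_IF DROP_IF...: print rules allowing ssh only on ALLOW_IF.
gen_ssh_rules() {
    allow_if=$1; shift
    echo "iptables -A INPUT -i $allow_if -p tcp --dport 22 -j ACCEPT"
    for ifc in "$@"; do
        echo "iptables -A INPUT -i $ifc -p tcp --dport 22 -j DROP"
    done
}

# Constructed sample: the layout from the thread (same subnet) and a fixed one.
check_isolation eth0 192.168.1.10/24 eth1 192.168.1.20/24 || true
check_isolation eth0 192.168.1.10/24 eth1 10.0.0.10/24 && gen_ssh_rules eth0 eth1
```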