Re: iptables allow ssh from network segment

From: Dances With Crows <danSPANceswitTRAPhcrows@xxxxxxxxx>
Date: Tue, 21 Mar 2006 18:06:29 -0600

On Tue, 21 Mar 2006 23:33:47 GMT, johnny bobby bee staggered into the
Black Sun and said:

what's the proper way to only allow ssh in iptables from a particular
network segment? for instance from addresses only in my ISP network
segment. (154.20.x.x)?

iptables -A INPUT -p tcp -s 154.20.0.0/16 -d A.B.C.D --dport 22 -j
ACCEPT

....replace A.B.C.D with your IP, natch, fix the /16 if the mask is
different.

what's regarded as more secure; allowing access via MAC address or
local network address?
iptables -A INPUT -m mac --mac-source xx:xx:xx:xx:xx:xx -j ACCEPT
or
iptables -A INPUT -s 192.168.2.0/255.255.255.0 -j ACCEPT

MAC addrs can be switched easily by anyone who knows what they're doing.
I suppose you could do a hybrid approach. Have your stationary
gateway/firewall running dhcpd, configure it to hand out one set of IPs
to known MAC addrs, another set to unknown ones, have different iptables
rulesets for each set of IPs. This assumes wired, though. There are
additional complications with 802.11n that I'm not really qualified to
talk about yet.

concerned about spoofing either.

What were you trying to say here? It missing words. Anyway, HTH,

--
Matt G|There is no Darkness in Eternity/But only Light too dim for us to see
Brainbench MVP for Linux Admin / mail: TRAP + SPAN don't belong
http://www.brainbench.com / "He is a rhythmic movement of the
-----------------------------/ penguins, is Tux." --MegaHAL
.

Follow-Ups:
- Re: iptables allow ssh from network segment
  - From: johnny bobby bee
- Re: iptables allow ssh from network segment
  - From: johnny bobby bee

References:
- iptables allow ssh from network segment
  - From: johnny bobby bee

Prev by Date: Re: External usb 2 hard drives cases
Next by Date: A new reader? Welcome to comp.os.linux.misc, read this first if you're new here (FAQ)
Previous by thread: iptables allow ssh from network segment
Next by thread: Re: iptables allow ssh from network segment
Index(es):
- Date
- Thread

Relevant Pages

Re: Why wont MS and some other sites load on Vista and W2K?
... get a laptop that works, and put it on that network segment. ... WRWynn wrote: ... All Windows 2000 (3 machines) and 2 Vista machines have this trouble. ...
(microsoft.public.windows.server.general)
Re: Seeking XP/Web network discovery & monitoring tool
... >monitoring tool that does the following: ... >1) identifies computers on the same network segment by IP address, ...
(microsoft.public.windowsxp.network_web)
Re: Connecting different network segment
... Are these all on the same subnet? ... I have a similar network setup. ... I would be able to ping any of the PC in this network segment. ...
(microsoft.public.windows.server.networking)
Multihomed W2K DHCP server to Single nic
... We currently have a multihomed dhcp server (running DNS and WINS on it ... as well) iwith three network cards. ... Each card is sitting on a network segment. ...
(microsoft.public.win2000.networking)
Re: IPS, alternative solutions
... I have the impression that some of the alternatives to IPS you mentioned ... Parts of the market have matured (network ... implementations (in-line protocol decoding and blocking/active response ... an often deployed technology at this time is ...
(Focus-IDS)