Re: How to permit selective SSH access?

From: Jean-David Beyer (jdbeyer_at_exit109.com)
Date: 06/04/04

  • Next message: Lars: "HWADDR needed in ifcfg-ethX?"
    Date: Fri, 04 Jun 2004 08:09:49 -0400
    
    

    Reply-Via-Newsgroup Thanks wrote:
    > Jean-David Beyer wrote:
    >
    >> I do it with iptables.
    >>
    >> I have iptables set up to deny access from anyone to anything.
    >>
    >> Then I selectively allow those IP addresses I care about to connect to
    >> those ports I want.
    >>
    >> So for ssh, I have entries like:
    >>
    >> # For sshd daemon.
    >> for sip in $[list of good guys for ssh]; do
    >> $IPT -A IN_FIREWALL -p tcp -m state --state NEW \
    >> -s $sip --dport ssh -j ACCEPT
    >> done
    >>
    >>
    >
    > Yep - I like this too - I'll play on my devbox first before trying it on
    > one of our remote boxes...
    >
    > Much appreciated... though since our servers sit behind a secondary
    > (hardware based) firewall, I don't have iptables enabled and had hoped
    > instead to depend on ssh configuration on an out of the box Red Hat 9
    > installation...
    >
    > I'll play with both, but I have to admit, I do like the iptables example
    > you have above...
    >
    > Can I just confirm, $IPT is the full path name to iptables, true?
    >
    Yes. But you'd better know some more:

    ##########################################################################
    #                                                                        #
    # INITIALIZATION                                                         #
    #                                                                        #
    ##########################################################################

    IPT=/sbin/iptables
    if [ ! -x $IPT ]; then
         echo "firewall: can't execute \$IPT"
         exit 1
    fi

    ##########################################################################
    #                                                                        #
    # Clear the existing firewall rules                                      #
    #                                                                        #
    ##########################################################################
    #
    # Note: the DROP policies take effect at once, before any ACCEPT rule
    # below has been loaded.  Run over an ssh session to a remote box, this
    # cuts that session until the rule for its source address is added, so
    # run the script from the console (or with a scheduled fallback that
    # reloads a known-good ruleset) when working on a remote machine.
    #
    $IPT -P INPUT DROP                    # Set default policy to DROP
    $IPT -P OUTPUT DROP                   # Set default policy to DROP
    $IPT -P FORWARD DROP                  # Set default policy to DROP
    $IPT -F                               # Flush all chains (filter table)
    $IPT -X                               # Delete all user chains (filter table)
    #
    for table in filter nat mangle; do    # Repeats the above for every table
         $IPT -t $table -F                # Delete the table's rules
         $IPT -t $table -X                # Delete the table's chains
         $IPT -t $table -Z                # Zero the table's counters
    done
    #
    ##########################################################################

    ##########################################################################
    #                                                                        #
    # Main Firewall Rules                                                    #
    #                                                                        #
    ##########################################################################
    #
    # The explicit drops here (-j DROP, -j BAD_INPUT, and -j BAD_OUTPUT)
    # should be unnecessary, but are included here just in case an error
    # in the other chains lets something fall through.
    #
    # Note: $EXTDEV0, $INTDEV0, $INTDEV1 and $LOGOPT are set elsewhere in
    # the full script and are not part of this excerpt.  iptables also
    # refuses a rule that jumps to a user chain that does not exist yet
    # ("No chain/target/match by that name"), so every user chain named
    # below (SHUN, IN_NETWORK, OUT_NETWORK, IN_IP_CHECK, OUT_IP_CHECK,
    # IN_FIREWALL, OUT_FIREWALL, BAD_INPUT, BAD_OUTPUT) must already have
    # been created with "$IPT -N <chain>" when this section runs; in
    # particular the "$IPT -N IN_FIREWALL" shown further down has to come
    # before the "-A INPUT -j IN_FIREWALL" rule here.
    #
    $IPT -A FORWARD -j SHUN
    $IPT -A FORWARD -i $EXTDEV0 -j IN_NETWORK
    $IPT -A FORWARD -i $INTDEV0 -j OUT_NETWORK
    $IPT -A FORWARD -i $INTDEV1 -j OUT_NETWORK
    $IPT -A FORWARD -j LOG --log-prefix "IPT FORWARD: " $LOGOPT
    $IPT -A FORWARD -j DROP
    #
    $IPT -A INPUT -j SHUN
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -j IN_IP_CHECK
    $IPT -A INPUT -j IN_FIREWALL
    $IPT -A INPUT -j BAD_INPUT
    #
    $IPT -A OUTPUT -j SHUN
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A OUTPUT -j OUT_IP_CHECK
    $IPT -A OUTPUT -j OUT_FIREWALL
    $IPT -A OUTPUT -j BAD_OUTPUT
    #
    ##########################################################################

    ##########################################################################
    #                                                                        #
    # INPUT TABLE CHAINS.                                                    #
    #                                                                        #
    ##########################################################################
    #
    $IPT -N IN_FIREWALL
    $IPT -A IN_FIREWALL -p icmp -j IN_F_ICMP      # chain not shown in this excerpt
    $IPT -A IN_FIREWALL -p tcp -j TCP_FLAGS       # chain not shown in this excerpt
    $IPT -A IN_FIREWALL -p tcp --syn -j SYN_FLOOD # chain not shown in this excerpt
    # Accept packets belonging to connections this host already has; the
    # per-source "--state NEW ... --dport ssh" rules quoted above go after
    # these, so only the first packet of a session is checked against the
    # list of allowed addresses.
    $IPT -A IN_FIREWALL -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A IN_FIREWALL -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT

    -- 
       .~.  Jean-David Beyer           Registered Linux User 85642.
       /V\                             Registered Machine   241939.
      /( )\ Shrewsbury, New Jersey     http://counter.li.org
      ^^-^^ 07:55:00 up 3 days, 16:54, 6 users, load average: 4.12, 4.08, 4.08
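The design in the reply above (default policy DROP, then ACCEPT of new TCP/22 connections only from a list of source addresses), written out as an added example; this is not code from the original post. Instead of calling iptables directly it emits an iptables-restore ruleset on stdout, so it runs unprivileged and the result can be read before it is loaded. The chain name IN_FIREWALL mirrors the quoted script, the addresses are constructed from the documentation ranges, the input validation and the refusal of 0.0.0.0/0 are my additions, and the OUTPUT rule for ESTABLISHED,RELATED is an assumption needed so the ssh replies can leave the host.

```shell
#!/bin/sh
# Added example, not code from the original post.  Emits an iptables-restore
# ruleset implementing the reply's design: default policy DROP everywhere,
# then ACCEPT new TCP/22 connections only from the listed sources.  Nothing
# is loaded here; review the output and feed it to iptables-restore.
# Assumptions: chain name IN_FIREWALL mirrors the quoted script; the
# OUTPUT rule for ESTABLISHED,RELATED is needed so ssh replies can leave.

# valid_ipv4 ADDR: succeed if ADDR is a dotted-quad IPv4 address with an
# optional /0-32 prefix length.  Anything else (hostnames, IPv6, typos such
# as 10.0.0.256) is rejected so a bad entry never becomes a rule.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq \
        '^((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])(/(3[0-2]|[12]?[0-9]))?$'
}

# gen_ssh_rules SRC [SRC...]: print the ruleset, or print an error and
# return 1.  An empty list and the "everyone" source 0.0.0.0/0 are refused
# on purpose: a typo in the allow list is the usual way this design quietly
# turns into "ssh open to the world".
gen_ssh_rules() {
    if [ "$#" -eq 0 ]; then
        echo "gen_ssh_rules: empty allow list, refusing to generate" >&2
        return 1
    fi
    for sip in "$@"; do
        if ! valid_ipv4 "$sip"; then
            echo "gen_ssh_rules: not an IPv4 address/prefix: $sip" >&2
            return 1
        fi
        case "$sip" in
            0.0.0.0|0.0.0.0/*)
                echo "gen_ssh_rules: $sip would allow everyone, refusing" >&2
                return 1 ;;
        esac
    done
    # Header: all three built-in chains default to DROP, one user chain.
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:IN_FIREWALL - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j IN_FIREWALL
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A IN_FIREWALL -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    # Per-source ACCEPT for NEW connections to port 22.  These come after
    # the ESTABLISHED,RELATED rule, so only the first packet of a session
    # is checked against the allow list; later packets match by state.
    for sip in "$@"; do
        printf '%s\n' "-A IN_FIREWALL -p tcp -m state --state NEW -s $sip --dport 22 -j ACCEPT"
    done
    printf '%s\n' "COMMIT"
}

# Demo with constructed addresses from the documentation ranges (RFC 5737).
gen_ssh_rules 192.0.2.10 198.51.100.0/24
```

Save the output to a file, syntax-check it with `iptables-restore -t < file`, and then load it from the console rather than over ssh, since the DROP policies in the header take effect before the ACCEPT lines do. The set covers inbound ssh only: any connection the host itself opens (DNS, package updates) needs its own OUTPUT rule for NEW state, which is the first thing that breaks when people copy the default-DROP pattern. Sitting behind a hardware firewall does not make this redundant, because the host rules also apply to traffic arriving from other machines on the inside of that firewall.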
    
