Blackburn, Marvin
2012-Aug-03 20:25 UTC
[CentOS] [SOLVED] iptables rule question for Centos 5
We have a simple configuration so we could get by with this

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s "SOURCIPADDRESS" -j REJECT --reject-with icmp-host-prohibited

it doesn't scale well but serves the purpose.

_____________________________________
"He's no failure. He's not dead yet."
William Lloyd George

-----Original Message-----
From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Steve Clark
Sent: Thursday, August 02, 2012 1:17 PM
To: CentOS mailing list
Cc: Blackburn, Marvin
Subject: Re: [CentOS] iptables rule question for Centos 5

On 08/02/2012 01:06 PM, Blackburn, Marvin wrote:
> I have a server that allows incoming traffic for ssh and some other
> things.
>
> I need to set up a rule that will drop/reject all traffic from a
> particular server except ssh.
>
> How can I do that.
>
> _____________________________________
> "He's no failure. He's not dead yet."
> William Lloyd George
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
Something like this first in your ruleset:

-A INPUT -i eth0 -p tcp -s 10.0.1.0/24 --sport 1024:65535 -d 10.0.1.90/32 ! --dport 22 -j DROP

substitute your appropriate ips and interface

--
Stephen Clark
*NetWolves*
Director of Technology
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.clark at netwolves.com
http://www.netwolves.com
Marvin,

You're leaving SSH open to the world with that. If this is a box behind a firewall, then it's not _as much of a concern_ ... otherwise you're opening that server up to ssh brute force attempts.

Your existing configuration is probably set up to drop/reject if traffic does not match any of your rules, so you've nearly solved the "blocking all other traffic" from server2. But you really should put a specific rule on server1 with source as server2 and dest port 22 being accepted.

-s server2 -p tcp --dport 22 -j ACCEPT

Best of luck,

---~~.~~---
Mike
// SilverTip257 //

On Fri, Aug 3, 2012 at 4:25 PM, Blackburn, Marvin <mblackburn at glenraven.com> wrote:
> We have a simple configuration so we could get by with this
>
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> -A RH-Firewall-1-INPUT -s "SOURCIPADDRESS" -j REJECT --reject-with icmp-host-prohibited
>
> it doesn't scale well but serves the purpose.
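The whole thread turns on first-match ordering: Steve's rule goes "first in your ruleset", and Mike's objection is that the world-wide SSH ACCEPT in Marvin's posted rules fires before the per-host REJECT. The following is an added example (my code, not from the thread, from CentOS, or from iptables itself): a minimal simulator of the match options the thread uses (-s, -p, --dport, ! --dport, --state NEW) run over constructed packets, so the verdict of each ruleset can be checked without a kernel. Assumptions: 10.0.1.20 stands in for the restricted host and 203.0.113.5 for an outside host; the catch-all REJECT at the end of CentOS 5's RH-Firewall-1-INPUT is modelled as the chain policy; -i, -d and --sport are not modelled. The "tightened" ruleset is my reading of Mike's advice (replace the world-wide SSH accept with his host-specific one); the thread does not spell that out.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed addresses for this example (not taken from the thread).
SERVER2 = "10.0.1.20"       # the host that may only talk SSH to us
OUTSIDER = "203.0.113.5"    # some unrelated Internet host


@dataclass
class Rule:
    """One iptables rule, reduced to the match options the thread uses.
    -i, -d and --sport are deliberately not modelled."""
    target: str                    # ACCEPT, DROP or REJECT
    src: Optional[str] = None      # -s host-or-CIDR; None = any source
    proto: Optional[str] = None    # -p tcp|udp; None = any protocol
    dport: Optional[int] = None    # --dport N (only meaningful with proto)
    negate_dport: bool = False     # "! --dport N"
    state_new: bool = False        # -m state --state NEW

    def matches(self, pkt: Dict) -> bool:
        if self.src is not None:
            net = ipaddress.ip_network(self.src, strict=False)
            if ipaddress.ip_address(pkt["src"]) not in net:
                return False
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.dport is not None:
            port_hit = pkt["dport"] == self.dport
            # A plain --dport needs a hit; "! --dport" needs a miss.
            if port_hit == self.negate_dport:
                return False
        if self.state_new and pkt["state"] != "NEW":
            return False
        return True

    def render(self, chain: str = "RH-Firewall-1-INPUT") -> str:
        """The equivalent iptables-save style line, for reading alongside the thread."""
        parts = ["-A", chain]
        if self.src is not None:
            parts += ["-s", self.src]
        if self.state_new:
            parts += ["-m", "state", "--state", "NEW"]
        if self.proto is not None:
            parts += ["-p", self.proto]
        if self.dport is not None:
            if self.negate_dport:
                parts.append("!")
            parts += ["--dport", str(self.dport)]
        parts += ["-j", self.target]
        if self.target == "REJECT":
            parts += ["--reject-with", "icmp-host-prohibited"]
        return " ".join(parts)


def evaluate(chain: List[Rule], pkt: Dict, policy: str = "REJECT") -> str:
    """First matching rule wins, as in a netfilter chain. `policy` stands in for
    the catch-all REJECT that ends CentOS 5's RH-Firewall-1-INPUT (assumption)."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


# Marvin's rules as posted: SSH accepted from anywhere, then the rest of
# server2's traffic rejected.
POSTED = [
    Rule("ACCEPT", proto="tcp", dport=22, state_new=True),
    Rule("REJECT", src=SERVER2),
]

# Mike's host-specific SSH accept in place of the world-wide one.
TIGHTENED = [
    Rule("ACCEPT", src=SERVER2, proto="tcp", dport=22),
    Rule("REJECT", src=SERVER2),
]

# Steve's subnet-wide DROP placed first; note it only matches TCP.
STEVE_FIRST = [Rule("DROP", src="10.0.1.0/24", proto="tcp", dport=22, negate_dport=True)] + POSTED


def pkt(src: str, proto: str, dport: Optional[int] = None, state: str = "NEW") -> Dict:
    return {"src": src, "proto": proto, "dport": dport, "state": state}


# Constructed sample packets.
SAMPLE = {
    "ssh_from_server2": pkt(SERVER2, "tcp", 22),
    "http_from_server2": pkt(SERVER2, "tcp", 80),
    "dns_from_server2": pkt(SERVER2, "udp", 53),
    "ssh_from_outside": pkt(OUTSIDER, "tcp", 22),
}


def verdicts(chain: List[Rule]) -> Dict[str, str]:
    return {name: evaluate(chain, p) for name, p in SAMPLE.items()}


if __name__ == "__main__":
    for name, chain in ("posted", POSTED), ("tightened", TIGHTENED), ("steve_first", STEVE_FIRST):
        print(f"# {name}")
        for r in chain:
            print(r.render())
        for p, v in verdicts(chain).items():
            print(f"  {p:18s} -> {v}")
```

Running it shows the posted ruleset accepting SSH from the outside host (Mike's point) while the tightened one rejects it, and that Steve's DROP, being limited to -p tcp, leaves the UDP packet from the subnet for the later rules to decide.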