IPtables: close ssh for all except one IP
Hi.
I am a beginner at iptables. I have a server with DNS and mail, and I want to make sure that only I can access the machine with ssh. How do I drop every attempt to access ssh except mine (192.168.100.158)? I have tried, tested and searched for an answer but can't find it. I'm running Fedora and this is a copy of iptables:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j DROP
-A RH-Firewall-1-INPUT -m state --state NEW -s 192.168.100.158 -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Thank you in advance.
Regards
Krister
Use tcp wrapper to do the job.
In your /etc/hosts.allow add:

sshd: ALL@yourIP
Hi.
It didn't work. I removed the DROP line and -s 192.168.100.158 in the ACCEPT line. I even rebooted the machine, and I can still log in to it from another IP. Have I forgotten something else?
Regards
Krister
hosts.allow:

sshd: ALL@YourIP

hosts.deny:

#http-rman : ALL EXCEPT LOCAL
ALL : ALL

Check it again.
You could use the ! (not) in your rules. So get rid of the following two lines:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j DROP
-A RH-Firewall-1-INPUT -m state --state NEW -s 192.168.100.158 -m tcp -p tcp --dport 22 -j ACCEPT

And replace them with:

iptables -A INPUT ! -s 192.168.100.158 -p tcp --dport 22 -j DROP

Essentially, any IP address that is NOT 192.168.100.158 isn't allowed to connect to port 22.

By the way, your original set of rules probably didn't work because they were in the wrong order. The packet hit the rule to drop all new traffic heading for port 22 and was dropped. It never saw the rule to accept from your IP address. Remember, iptables executes the rules in order and stops once it has a rule that matches the packet.
Hi.
Thank you both for your help. I didn't get the firewall solution to work, but I got the tcp wrapper to work when I changed the deny to sshd: ALL (I didn't want to close for smtp and dns).
Regards
Krister
Put in your hosts.allow:

sendmail : ALL
You know Krister, that really isn't much of a firewall. If I'm reading it correctly, the ONLY things that don't get through are packets heading to port 22 and anything matching the --icmp-host-prohibited rule. It is a much better idea to DROP everything and then open only the ports you need.
Just my :twocents:
Hi Hangdog42,
What should I add to the iptables to drop all packets but for ports 22, 25, 53 and samba? I know that I should have one rule after the other, but what? My IPtables looks like this now (the rules):

-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 22 -s 192.168.100.158 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

Got the firewall working after I removed the "crap" that the system automatically added.
/Krister
Well, the biggest weakness in your original firewall is that the defaults are set to ACCEPT. Set them to DROP:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

Now that everything is locked down, start allowing the stuff you want. For starters, allow loopback:

iptables -A INPUT -i lo -j ACCEPT

Then allow specific ports to be open:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Decorate these rules with any limitations you need, such as -s flags. Also allow ESTABLISHED and RELATED packets:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Then on your output chain, you can allow NEW as well as ESTABLISHED and RELATED:

iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

You are going to want to add some logging rules so you can see what things are being dropped. Please note that this is a very simple firewall. You certainly need to do more reading in the security forum and get a good understanding of what else may be useful to have. You are also going to want to install an IDS like Snort and a file monitor like Aide or Tripwire.
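Putting the advice from this reply and the earlier one about rule order together, here is an added example (not code posted in this thread) that emits a complete default-DROP ruleset in iptables-restore format for the DNS + mail host with ssh limited to one admin address. The admin address 192.168.100.158 is taken from the thread; the ADMIN_IP variable, the function names and the log prefix are assumptions of this example.

```shell
#!/bin/sh
# Added example: build a default-DROP ruleset for a DNS/mail host where ssh
# is only reachable from one admin host. Apply with:
#   ADMIN_IP=192.168.100.158 ./fw.sh --print | iptables-restore
# ADMIN_IP is an assumed variable; 192.168.100.158 is the thread's address.
ADMIN_IP="${ADMIN_IP:-192.168.100.158}"

build_rules() {
    cat <<EOF
*filter
# Default policies are DROP: anything not explicitly allowed below is lost.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback, and replies belonging to connections already tracked.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ssh: first match wins, so the admin ACCEPT must precede the catch-all
# DROP (the original ruleset had these two the other way round).
-A INPUT -p tcp --dport 22 -s ${ADMIN_IP} -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 22 -j DROP
# DNS is mostly UDP; TCP 53 is needed for large answers and zone transfers.
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
# SMTP
-A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
# Log (rate limited) what is about to be rejected, then reject it.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-rejected: "
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# Outbound: the host may open new connections and keep existing ones.
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Sanity check: the first port-22 rule must be the admin-host ACCEPT.
# Returns 0 when the order is right, 1 otherwise.
ssh_rules_ordered() {
    build_rules | grep -- '--dport 22' | head -n 1 | grep -q "${ADMIN_IP}"
}

if [ "${1:-}" = "--print" ]; then
    build_rules
fi
```

Run `ssh_rules_ordered` before applying the rules; it catches exactly the ordering mistake that made the first ruleset in this thread drop the admin's own connections.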
Hangdog - I'm an extreme novice when it comes to security but I'm trying to read up on it and I definitely appreciate your clear descriptive comments on this topic. I know I have a long way to go and a lot of reading still to do, but posts such as yours definitely are a huge assist. Thanks -- J.W.
Thanks for the compliment J.W. Of course, people like unSpawn, chort and Capt. Caveman have forgotten more about security than I'll ever know, so don't take my musings as anything more than another newbie trying to learn......
Hi Hangdog42,
Thanks for your help, I will try it as soon as possible. As I said in the beginning, I am a beginner with IPtables; I have a better understanding now than before. But I have no idea what IDS, Snort, Aide or Tripwire are. Do you know where I could get some information so I don't fly in the dark? And once more, thanks for your help.
Regards
Krister
One of the best starting points is unSpawn's sticky thread at the top of the forum. The amount of information he's collected there is amazing.
But just to define a few terms for you: Snort is an Intrusion Detection System (IDS). Basically it monitors your network interface for traffic that looks like an attack. It won't stop the attack, but it can warn you and (hopefully) preserve a record of what happened in case a hacker got through. Both Aide and Tripwire are programs that monitor file integrity. If I understand them correctly, they take a "snapshot" of the files on your disk and then can use that snapshot at later times to see if any of the files have been altered. Again, if the worst happens, these programs could tell you what files were changed.