Close ssh for all except one IP

krilen · 03-24-2004, 07:47 AM

Hi.

Are a beginner at iptables.

I have a server with DNS and mail, I want to make sure that only I can access the machine with ssh. How do I drop every attempt to access ssh except mine (192.168.100.158).

Have tried, tested an searched for an awnser but can't find it.

I'am runing Fedora and this is a copy of iptables:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j DROP
-A RH-Firewall-1-INPUT -m state --state NEW -s 192.168.100.158 -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Thank you in advanced

Regards
Krister

dominant · 03-24-2004, 08:15 AM

Use tcp wrapper to do the job.
in your /etc/hosts.allow add

sshd: ALL@yourIP

krilen · 03-24-2004, 08:49 AM

Hi.

It didn't work.

I removed the DROP line and -s 192.168.100.158 in the ACCept line.

I even rebooted the machine, I can still log in to it from another IP. Have I forgotten something else?

Regards
Krister

dominant · 03-24-2004, 09:06 AM

hosts.allow
sshd: ALL@YourIP

hosts.deny
#http-rman : ALL EXCEPT LOCAL
ALL : ALL

Check it again

Hangdog42 · 03-24-2004, 09:10 AM

You could use the ! (not) in your rules. So get rid of the following two lines:

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j DROP
-A RH-Firewall-1-INPUT -m state --state NEW -s 192.168.100.158 -m tcp -p tcp --dport 22 -j ACCEPT

And replace them with

iptables -A INPUT -s !192.168.100.158 -p tcp --dport 22 -j DROP

Essentially, any IP address that is NOT 192.168.100.158 isn't allowed to connect to port 22.

By the way, your original set of rules probably didn't work because they were in the wrong order. The packet hit the rule to drop all new traffic heading for port 22 and was dropped. It never saw the rule to accept from your IP address. Remember, iptables executes the rules in order and stops once it has a rule that matches the packet.

krilen · 03-25-2004, 04:24 AM

Hi.

Thank you both for your help.

I didn't get the firewall solution to work, but I got the tcp wrapper to work when I changed the deny to sshd: ALL (I didn't want to close for smtp and dns).

Regards
Krister

dominant · 03-25-2004, 06:50 AM

put in your hosts.allow

sendmail : ALL

Hangdog42 · 03-25-2004, 07:24 AM

You know Krister, that really isn't much of a firewall. If I'm reading it correctly, the ONLY things that don't get through are packets heading to port 22 and anything matching the --icmp-host-prohibited rule. It is a much better idea to DROP everything and then open only the ports you need.

Just my

krilen · 03-26-2004, 09:26 AM

Hi Hangdog42,

What should I add to the iptables to drop all package but for ports 22, 25, 53 and samba. I know that I shoud have a rule after the other but what.

My IPtables looks like this now (the rukes):

-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 22 -s 192.168.100.158 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

Got the firewall working after I removed the "crape" that the system automaticly added.

/Krister

Hangdog42 · 03-26-2004, 10:16 AM

Well, the biggest weakness in your original firewall is that the defaults are set to ACCEPT. Set them to DROP

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

Now that everything is locked down, start allowing the stuff you want. For starters, allow loopback

iptables -A INPUT -i lo -j ACCEPT

Then allow specific ports to be open

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Decorate these rules with any limitations you need, such as -s flags

Also allow ESTABLISHED and RELATED packets

iptables -A INPUT -m state --state ESTABLISHED,RELATED - j ACCEPT

Then on your ouptut chain, you can allow NEW as well as ESTABLISHED and RELATED

iptables -A OUTPUT -m state --state NEW,ESTABLISHED, RELATED - j ACCEPT

You are going to want to all some logging rules so you can see what things are being dropped.

Please note that this is a very simple firewall. You certainly need to do a more reading in the security forum and get a good understanding of what else may be useful to have. You are also going to want to install an IDS like Snort and a file monitor like Aide or Tripwire.

J.W. · 03-26-2004, 01:05 PM

Hangdog - I'm an extreme novice when it comes to security but I'm trying to read up on it and I definitely appreciate your clear descriptive comments on this topic. I know I have a long way to go and a lot of reading still to do, but posts such as yours definitely are a huge assist. Thanks -- J.W.

Hangdog42 · 03-26-2004, 01:25 PM

Thanks for the compliment J.W. Of course, people like unSpawn, chort and Capt. Caveman have forgotten more about security than I'll ever know so don't take my musings as anything more than another newbie trying to learn......

krilen · 03-26-2004, 01:37 PM

Hi Hangdog42,

Thanks for your help I will try it as soon as possible. As I said in the beginnig I am a beginner with IPtables, I have better understand now than before. But I have no know idea what IDS, Snort, Aide or Tripwire is. Do you know where I could get some information so I don't fly in the dark.

And once more, thanks for your help.

Regards
Krister

Hangdog42 · 03-26-2004, 05:07 PM

One of the best starting points is unSpawn's sticky thread at the top of the forum. The amount of information he's collected there is amazing.

But just to define a few terms for you

Snort is an Intrusion Detection System (IDS). Basically it monitors your network interface for traffic that looks like an attack. It won't stop the attack, but it can warn you and (hopefully) preserve a record of what happened in case a hacker got through.

Both Aide and Tripwire are programs that monitor file integrity. If I understand them correctly, they take a "snapshot" of the files on your disk and then can use that snapshot at later times to see if any of the files have been altered. Again, if the worst happens, these programs could tell you what files were changed.