LinuxQuestions.org
Old 11-25-2005, 09:31 AM   #1
NuLLiFiEd
deny ssh access from lan with iptables


Hi there,

Does anyone know a rule for iptables to block ssh access from a host on the lan?

For example gateway is 192.168.0.1 and i want to deny access to 192.168.0.1:22 from the host 192.168.0.50

How can I do that? Thank you
 
Old 11-25-2005, 01:08 PM   #2
Capt_Caveman
On the host 192.168.0.1 you would add the following iptables rule to your firewall:
iptables -I INPUT -s 192.168.0.50 -p tcp --dport 22 -j REJECT
 
Old 11-25-2005, 03:54 PM   #3
NuLLiFiEd
thank you very much

I was using -A instead of -I and I assume that's why it didn't work. Oh boy.

you are a life saviour
 
Old 11-25-2005, 10:22 PM   #4
Capt_Caveman
Rule order can be a real "gotcha" sometimes. The -I option will insert the rule at the beginning of the firewall while -A will "append" it to the bottom. So I'm guessing you had a rule earlier on in the firewall that was dropping or rejecting packets before they got to your rule. You can use -A, but you'd need to modify your firewall script and put that rule towards the top.

By the way, you'll need to save your modified firewall rules otherwise the firewall will reset after a reboot. How to save your rules can vary depending on your distro, so which one are you using?
 
Old 11-26-2005, 01:07 AM   #5
NuLLiFiEd
So, do you mean it's not enough if I just add that line to the firewall script? If I reboot, when the firewall is launched, that line would be executed too, right?

I use a custom firewall, nothing fancy (didn't really get what you mean by that, sir), and the distro is Slackware; the firewall resides in /etc/rc.d/rc.firewall

Thank you again for helping me
 
Old 11-26-2005, 01:28 AM   #6
Capt_Caveman
Quote:
So, do you mean it's not enough if I just add that line to the firewall script? If I reboot, when the firewall is launched, that line would be executed too, right?

If you are adding it to a script, then yes it should be loaded on boot. I wasn't sure if you were doing that or just running the command from the command line. So you should be all set.

Quote:
Thank you again for helping me

No problem.
 
Old 11-30-2005, 04:35 AM   #7
NuLLiFiEd
one more newbie question from me, Capt_Caveman


If I want to allow ssh only from one host (for example 192.168.0.80), I tried to do...

iptables -I INPUT -p tcp -s 192.168.0.80 --destination-port 22 -j ACCEPT

and to drop the packets from the rest of the hosts on the LAN I tried, right after the above rule:

iptables -I INPUT -p tcp -s 192.168.0.0/24 --destination-port 22 -j DROP

I am obviously doing something wrong, because after I insert this rule the host 192.168.0.80 cannot connect either.

Please help me solve it
 
Old 11-30-2005, 10:07 AM   #8
Capt_Caveman
It would probably help if you posted your firewall script, but based on the above I'd guess that the problem has to do with rule order. Since you're using the -I option, whichever rule is entered last is inserted at the top. Like this:

Here is our example firewall script:

iptables -A rule X
iptables -A rule Y
iptables -A rule Z

If you look at the order these rules appear in the actual firewall, it will look like this:

rule X
rule Y
rule Z

So when a packet is received, it will be processed in the order X->Y->Z

So let's add your first rule (the one with the ACCEPT target), which I'll just call rule 1:

iptables -A rule X
iptables -A rule Y
iptables -A rule Z
iptables -I rule 1

Since that rule uses the -I option it is added to the beginning of the firewall, so if you look at the rule order in the firewall using iptables -L you would see this:

rule 1
rule X
rule Y
rule Z

And packets would be processed in the order 1->X->Y->Z

Now add the second rule (the one that drops packets from the rest of the LAN) which I'll call rule 2:

iptables -A rule X
iptables -A rule Y
iptables -A rule Z
iptables -I rule 1
iptables -I rule 2

This time the firewall looks like this:

rule 2
rule 1
rule X
rule Y
rule Z

So rule 2 is actually coming before rule 1 and packets are processed like this 2->1->X->Y->Z. So all our packets are getting dropped.

Now just to use an example in order to clarify -I vs -A, say you had a third rule (rule 3) and you decided to use -A instead. You enter the rules like this:

iptables -A rule X
iptables -A rule Y
iptables -A rule Z
iptables -I rule 1
iptables -I rule 2
iptables -A rule 3

When you look at the firewall, it would look like this:

rule 2
rule 1
rule X
rule Y
rule Z
rule 3

and our packets would get processed in the order 2->1->X->Y->Z->3

Hopefully that clears up -A vs -I and rule ordering a bit.

You can fix this by switching the order in which you enter rules 1 and 2, or, what you really should do, use the -A option for *all* the rules, but just make sure everything is in the proper order. If you post your firewall ruleset, I'll give you a hand doing that. Make sure to remove any public IP addresses from your rules before posting.
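An added example, not from this thread, that models the ordering behaviour described in posts #4 and #8: a toy INPUT chain where -I prepends, -A appends and the first matching rule decides. It assumes only source address and destination port matching, which is all the rules in this thread use.

```python
import ipaddress

# Toy model of an iptables INPUT chain (added example, not real iptables).
class Chain:
    """Ordered list of (source network, dport, target); first match wins."""

    def __init__(self, policy="ACCEPT"):
        self.rules = []
        self.policy = policy  # chain policy used when no rule matches

    def add(self, flag, src, dport, target):
        """flag is '-I' (insert at the top) or '-A' (append at the bottom)."""
        rule = (ipaddress.ip_network(src), dport, target)
        if flag == "-I":
            self.rules.insert(0, rule)
        elif flag == "-A":
            self.rules.append(rule)
        else:
            raise ValueError("unknown flag " + flag)

    def listing(self):
        """Rule order as 'iptables -L' would show it."""
        return [f"{net} dpt:{port} -> {target}" for net, port, target in self.rules]

    def verdict(self, src_ip, dport):
        """Walk the chain top to bottom; the first rule that matches decides."""
        ip = ipaddress.ip_address(src_ip)
        for net, port, target in self.rules:
            if ip in net and port == dport:
                return target
        return self.policy


def post4_gotcha(flag):
    """Post #4: an earlier rule already accepts the whole LAN, so a REJECT for
    192.168.0.50 only takes effect when inserted above it (-I), not appended (-A)."""
    c = Chain()
    c.add("-A", "192.168.0.0/24", 22, "ACCEPT")  # pre-existing LAN allow rule
    c.add(flag, "192.168.0.50", 22, "REJECT")
    return c.verdict("192.168.0.50", 22)


def post7_rules(flag):
    """Post #7: allow 192.168.0.80, then deny the rest of the LAN, entered in
    that order with the same flag for both. With -I the second rule lands on top."""
    c = Chain()
    c.add(flag, "192.168.0.80", 22, "ACCEPT")
    c.add(flag, "192.168.0.0/24", 22, "DROP")
    return c.verdict("192.168.0.80", 22), c.verdict("192.168.0.50", 22)
```

Calling post7_rules("-I") drops both hosts, exactly the symptom in post #7, while post7_rules("-A") accepts 192.168.0.80 and drops 192.168.0.50.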
 
Old 11-30-2005, 05:25 PM   #9
NuLLiFiEd
Thank you again, Capt_Caveman

The firewall I use is "inherited", if I can say so, from the former network administrator, who is a good friend of mine, but he will be out of the country for the next 4 months so he cannot help me much. His firewall is much "scripted" and "automated" - hey, I'm the newbie here - I think he has declared some variables like nat... internal interface, ext interface, spoof, DOS protection, syn... etc. etc. and is using those. I think this is the part where the firewall does not need to be modified. BUT the firewall loads a file called "custom-rules" where I'm supposed to be able to insert some rules... the custom-rules file is not loaded at the beginning or the end of the firewall execution script... somewhere in the middle (after some spoofing/dos/syn protection thingy).

I think I have tried adding the rules with -A instead of -I to that custom-rules file... restarted the firewall, but I think it didn't work... I have not tried using -I and reversing the order as you suggested because I'm not logged into that machine, but I might be able to try it tomorrow.

So, if that won't work either.. I'm lost
 
Old 12-01-2005, 04:29 PM   #10
NuLLiFiEd
Thank God it's Friday

I've been tampering with the firewall (the custom-rules part I have) after you were so kind to explain the order to me, using -A INPUT to allow ssh from one IP and then -A INPUT to deny it for the rest of the LAN. Actually, at first I was just adding the rules from the command line and they didn't seem to work. After I inserted those lines into custom-rules and restarted the firewall... TADAAAA... it was working.

Think you heard that before, but you rule Capt_Caveman

Problem solved. Thank you.
 
Old 12-01-2005, 07:11 PM   #11
Capt_Caveman
Quote:
Think you heard that before, but you rule Capt_Caveman

Lol. Not really, but thanks for saying so.

Quote:
Problem solved. Thank you.

Cool. Glad I could help.