Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I want to block ICMP and limit SSH and HTTPD traffic to eth0
My orginal iptables looks like this
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
# Start Custom Rules
-A INPUT -p tcp --dport 6000 -j ACCEPT -m comment --comment "New application
# End Custom Rules
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -p tcp --sport 22 -j MARK --set-mark 0x2
-A POSTROUTING -p tcp --sport 443 -j MARK --set-mark 0x2
COMMIT
I have amended the rule to drop ICMP traffic by changing Accept to DROP
-A INPUT -p icmp -j DROP (this works fine)
Now i changed to amend the SSH rule
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT to included -i eth0 to limit SSH connections to eth0 only. But i can ssh to all the interfaces just not eth0
I have not tried httpd as yet just in case it breaks the box.
I am new to iptables, can someone tell me what is wrong with the rules and how to limit the traffic to eth0 only.
This does not work and when i run the command i get
iptables: Invalid argument. Run `dmesg' for more information.
I have changed the iptables to following but it accepting SSH connectin on all interfaces:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:6000 /*New Application */
DROP all -- anywhere anywhere
DROP icmp -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@CentoOS]# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6000 -m comment --comment "New Application" -j ACCEPT
-A INPUT -j DROP
-A INPUT -p icmp -j DROP
-A FORWARD -j DROP
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.