Stopping outbound SSH with IPTables (http://www.linuxquestions.org/questions/linux-security-4/stopping-outbound-ssh-with-iptables-393133/)

Harlin 12-15-2005 08:33 AM

Stopping outbound SSH with IPTables
 
I would like to stop outbound ssh (port 22) using IPTables. Does anyone know what I would need to type with IPTables to get this to work?

bulliver 12-16-2005 02:34 AM

Code:

# iptables -A OUTPUT -i eth0 -p tcp --dport 22 -j DROP

Lotsa docs here:
http://www.netfilter.org/documentation/index.html

imitheos 12-16-2005 07:35 AM

Quote:

Originally Posted by Harlin
I would like to stop outbound ssh (port 22) using IPTables. Does anyone know what I would need to type with IPTables to get this to work?

Have you read the iptables manpage (man iptables) and/or the http://iptables-tutorial.frozentux.net?
The match you want is the simplest one that exists.
Also, did you search the forums here?

Anyway,
You want to drop outbound traffic, so the chain you want is "OUTPUT".
You want to drop SSH traffic, so the protocol is "tcp" and the port is "22".

You build the rule like this:

Code:

iptables -A OUTPUT -p tcp --dport 22 -j DROP

You can add the interface with "-i" like bulliver mentioned. Without it, the rule is more generic.
You can also add "--syn" to match only SYN packets (the ones that start the connection).

Harlin 12-16-2005 12:05 PM

Thanks for the help and the links!

win32sux 12-18-2005 11:21 AM

Quote:

Originally Posted by bulliver
Code:

# iptables -A OUTPUT -i eth0 -p tcp --dport 22 -j DROP

that "-i" should really be a "-o"...

BTW Harlin, being that this is on the local machine, I think it might be nicer to use the REJECT target instead of DROP... also, you could specify a match for NEW packets, so that if TCP port 22 needs to be used as part of a RELATED connection for another protocol it won't be affected...

Code:

iptables -A OUTPUT -p TCP -o eth0 --dport 22 \
-m state --state NEW -j REJECT
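
The three rules posted in this thread differ in one detail that iptables enforces: the OUTPUT chain only accepts an outgoing-interface match ("-o"), and INPUT only an incoming one ("-i"), so bulliver's rule with "-i eth0" is refused before it is ever loaded. The script below is an added example (not from any poster in this thread); it is a small rule-linter that checks the chain/interface pairing of a rule string without touching the kernel, plus a helper that emits the rule in the form of the last post (OUTPUT, "-o", NEW state only, REJECT). Function names, the sample rule strings and the use of "eth0" are assumptions made for the example.

```shell
#!/bin/sh
# Added example: lint the chain/interface pairing of iptables rule strings
# offline. iptables itself refuses "-i" in OUTPUT and "-o" in INPUT; this
# reproduces that check so a bad rule is caught before it reaches the kernel.
# Function names are hypothetical; nothing here calls iptables.

# Return 0 when the interface option fits the chain, 1 otherwise.
check_iface_for_chain() {
    chain=""
    has_i=0
    has_o=0
    # Word-split the rule string into positional parameters and scan it.
    set -- $1
    while [ $# -gt 0 ]; do
        case "$1" in
            -A|-I|--append|--insert)
                chain="$2"
                [ $# -gt 1 ] && shift
                ;;
            -i|--in-interface)  has_i=1 ;;
            -o|--out-interface) has_o=1 ;;
        esac
        shift
    done
    case "$chain" in
        INPUT)  [ "$has_o" -eq 0 ] ;;   # INPUT has no outgoing interface
        OUTPUT) [ "$has_i" -eq 0 ] ;;   # OUTPUT has no incoming interface
        *)      true ;;                  # FORWARD and user chains allow both
    esac
}

# Emit the outbound-SSH block rule the way the last post in the thread
# builds it: OUTPUT chain, outgoing interface, only NEW connections, REJECT.
outbound_ssh_rule() {
    iface="${1:-eth0}"   # "eth0" is an assumed interface name
    printf 'iptables -A OUTPUT -o %s -p tcp --dport 22 -m state --state NEW -j REJECT\n' "$iface"
}

# Constructed rule strings mirroring the three rules posted above.
rule_a="iptables -A OUTPUT -i eth0 -p tcp --dport 22 -j DROP"
rule_b="iptables -A OUTPUT -p tcp --dport 22 -j DROP"
rule_c="iptables -A OUTPUT -p TCP -o eth0 --dport 22 -m state --state NEW -j REJECT"

for rule in "$rule_a" "$rule_b" "$rule_c"; do
    if check_iface_for_chain "$rule"; then
        printf 'OK      : %s\n' "$rule"
    else
        printf 'REFUSED : %s  (interface option does not fit the chain)\n' "$rule"
    fi
done

printf 'Recommended: %s\n' "$(outbound_ssh_rule eth0)"
```

Run it with `sh`; only the first rule is reported as REFUSED. On current kernels `-m state --state NEW` still loads but is an alias for `-m conntrack --ctstate NEW`, and with REJECT in OUTPUT the local client gets an immediate ICMP port-unreachable error instead of hanging until the TCP timeout, which is the reason the thread prefers it to DROP for a local machine.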


bulliver 12-18-2005 01:14 PM

Quote:

that "-i" should really be a "-o"...

Good catch...

