Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
11-25-2005, 09:31 AM | #1 | LQ Newbie | Registered: Oct 2003 | Posts: 19
deny ssh access from lan with iptables
Hi there,
Does anyone know a rule for iptables to block ssh access from a host on the LAN?
For example, the gateway is 192.168.0.1 and I want to deny access to 192.168.0.1:22 from the host 192.168.0.50.
How can I do that? Thank you
11-25-2005, 01:08 PM | #2 | Senior Member | Registered: Mar 2003 | Distribution: Fedora | Posts: 3,658
On the host 192.168.0.1 you would add the following iptables rule to your firewall:
iptables -I INPUT -s 192.168.0.50 -p tcp --dport 22 -j REJECT
11-25-2005, 03:54 PM | #3 | LQ Newbie | Registered: Oct 2003 | Posts: 19 | Original Poster
Thank you very much.
I was using -A instead of -I and I assume that's why it didn't work. Oh boy.
You are a life saviour.
11-25-2005, 10:22 PM | #4 | Senior Member | Registered: Mar 2003 | Distribution: Fedora | Posts: 3,658
Rule order can be a real "gotcha" sometimes. The -I option will insert the rule at the beginning of the firewall while -A will "append" it to the bottom. So I'm guessing you had a rule earlier on in the firewall that was dropping or rejecting packets before they got to your rule. You can use -A, but you'd need to modify your firewall script and put that rule towards the top.
By the way, you'll need to save your modified firewall rules otherwise the firewall will reset after a reboot. How to save your rules can vary depending on your distro, so which one are you using?
11-26-2005, 01:07 AM | #5 | LQ Newbie | Registered: Oct 2003 | Posts: 19 | Original Poster
So, do you mean it's not enough if I just add that line to the firewall script? If I reboot, when the firewall is launched, then that line would be executed too, right?
I use a custom firewall, nothing fancy (didn't really get what you mean by that, sir), and the distro is Slackware; the firewall resides in /etc/rc.d/rc.firewall.
Thank you again for helping me.
11-26-2005, 01:28 AM | #6 | Senior Member | Registered: Mar 2003 | Distribution: Fedora | Posts: 3,658
Quote: So, do you mean it's not enough if I just add that line to the firewall script? If I reboot, when the firewall is launched, then that line would be executed too, right?
If you are adding it to a script, then yes, it should be loaded on boot. I wasn't sure if you were doing that or just running the command from the command line. So you should be all set.
Quote: Thank you again for helping me.
No problem.
11-30-2005, 04:35 AM | #7 | LQ Newbie | Registered: Oct 2003 | Posts: 19 | Original Poster
One more newbie question from me, Capt_Caveman.
If I want to allow ssh only from one host (for example 192.168.0.80), I tried to do:
iptables -I INPUT -p tcp -s 192.168.0.80 --destination-port 22 -j ACCEPT
and to drop the packets from the rest of the hosts on the LAN I tried, right after the above rule:
iptables -I INPUT -p tcp -s 192.168.0.0/24 --destination-port 22 -j DROP
I am obviously doing something wrong, because after I insert this rule the host 192.168.0.80 cannot connect either.
Please help me solve it.
11-30-2005, 10:07 AM | #8 | Senior Member | Registered: Mar 2003 | Distribution: Fedora | Posts: 3,658
It would probably help if you posted your firewall script, but based on the above I'd guess that the problem has to do with rule order. Since you're using the -I option, whichever rule is entered last is inserted at the top. Like this:
Here is our example firewall script:
iptables -A rule X
iptables -A rule Y
iptables -A rule Z
If you look at the order these rules appear in the actual firewall, it will look like this:
rule X
rule Y
rule Z
So when a packet is received, it will be processed in the order X->Y->Z
So let's add your first rule (the one with the ACCEPT target), which I'll just call rule 1:
iptables -A rule X
iptables -A rule Y
iptables -A rule Z
iptables -I rule 1
Since that rule uses the -I option it is added to the beginning of the firewall, so if you look at the rule order in the firewall using iptables -L you would see this:
rule 1
rule X
rule Y
rule Z
And packets would be processed in the order 1->X->Y->Z
Now add the second rule (the one that drops packets from the rest of the LAN) which I'll call rule 2:
iptables -A rule X
iptables -A rule Y
iptables -A rule Z
iptables -I rule 1
iptables -I rule 2
This time the firewall looks like this:
rule 2
rule 1
rule X
rule Y
rule Z
So rule 2 is actually coming before rule 1 and packets are processed like this 2->1->X->Y->Z. So all our packets are getting dropped.
Now just to use an example in order to clarify -I vs -A, say you had a third rule (rule 3) and you decided to use -A instead. You enter the rules like this:
iptables -A rule X
iptables -A rule Y
iptables -A rule Z
iptables -I rule 1
iptables -I rule 2
iptables -A rule 3
When you look at the firewall, it would look like this:
rule 2
rule 1
rule X
rule Y
rule Z
rule 3
and our packets would get processed in the order 2->1->X->Y->Z->3
Hopefully that clears up -A vs -I and rule ordering a bit.
You can fix this by switching the order you are entering rule 1 and 2 or what you really should do is use the -A option for *all* the rules, but just make sure everything is in the proper order. If you post your firewall ruleset, I'll give you a hand doing that. Make sure to remove any public IP addresses from your rules before posting.
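As an added example that is not part of this thread (it is neither the poster's ruleset nor Capt_Caveman's), the following Python model of the INPUT chain shows the first-match evaluation and the -I versus -A placement explained in post #8, applied to the rules from posts #2 and #7. The model is a simulation, not iptables itself: it assumes a default ACCEPT policy, treats every packet as TCP, and, for the post #2 case, assumes a pre-existing LAN-wide ACCEPT rule earlier in the script that shadows an appended REJECT (the thread never shows the real script, so that rule is constructed). 192.168.0.99 is a constructed extra LAN host. Each chain also records the iptables command lines that would build it, so the "fixed" chain's commands are the ones to put, in that order, into custom-rules.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One INPUT rule: tcp from `source` (host or CIDR) to `dport` (None = any port)."""
    source: str
    dport: Optional[int]
    target: str  # ACCEPT, DROP or REJECT

    def matches(self, src_ip: str, dport: int) -> bool:
        net = ipaddress.ip_network(self.source, strict=False)
        return ipaddress.ip_address(src_ip) in net and self.dport in (None, dport)

    def to_command(self, flag: str) -> str:
        port = f" --dport {self.dport}" if self.dport is not None else ""
        return f"iptables -{flag} INPUT -p tcp -s {self.source}{port} -j {self.target}"


class Chain:
    """Toy model of the INPUT chain: an ordered list where the first matching rule decides."""

    def __init__(self, policy: str = "ACCEPT"):
        self.rules: List[Rule] = []
        self.policy = policy           # chain policy, used when no rule matches (assumed ACCEPT)
        self.commands: List[str] = []  # iptables lines in the order they were entered

    def insert(self, rule: Rule) -> None:
        """-I: the rule lands at the top, above everything entered before it."""
        self.rules.insert(0, rule)
        self.commands.append(rule.to_command("I"))

    def append(self, rule: Rule) -> None:
        """-A: the rule lands at the bottom, after everything entered before it."""
        self.rules.append(rule)
        self.commands.append(rule.to_command("A"))

    def verdict(self, src_ip: str, dport: int) -> str:
        """Walk the chain top to bottom; the first matching rule's target is the verdict."""
        for rule in self.rules:
            if rule.matches(src_ip, dport):
                return rule.target
        return self.policy


# Rules from the thread, plus one assumed pre-existing script rule (constructed).
LAN_ALL = Rule("192.168.0.0/24", None, "ACCEPT")   # assumed earlier rule in the script
REJECT_50 = Rule("192.168.0.50", 22, "REJECT")     # post #2
ALLOW_80 = Rule("192.168.0.80", 22, "ACCEPT")      # post #7, first rule
DROP_LAN_22 = Rule("192.168.0.0/24", 22, "DROP")   # post #7, second rule


def reject_with_append() -> Chain:
    """Post #3 symptom: -A puts the REJECT below the LAN-wide ACCEPT, so it is never reached."""
    c = Chain()
    c.append(LAN_ALL)
    c.append(REJECT_50)
    return c


def reject_with_insert() -> Chain:
    """Post #2 answer: -I places the REJECT above the earlier rule."""
    c = Chain()
    c.append(LAN_ALL)
    c.insert(REJECT_50)
    return c


def allow_one_broken() -> Chain:
    """Post #7: both rules entered with -I, so the DROP ends up on top of the ACCEPT."""
    c = Chain()
    c.insert(ALLOW_80)
    c.insert(DROP_LAN_22)
    return c


def allow_one_fixed() -> Chain:
    """Post #8 advice: -A for both, entered in the intended order."""
    c = Chain()
    c.append(ALLOW_80)
    c.append(DROP_LAN_22)
    return c


def ssh_verdicts(chain: Chain) -> dict:
    """Verdict for a TCP/22 packet from each constructed LAN host."""
    return {ip: chain.verdict(ip, 22) for ip in ("192.168.0.80", "192.168.0.50", "192.168.0.99")}


if __name__ == "__main__":
    builders = (("reject, -A", reject_with_append), ("reject, -I", reject_with_insert),
                ("allow one, broken", allow_one_broken), ("allow one, fixed", allow_one_fixed))
    for name, build in builders:
        chain = build()
        print(f"{name}: {ssh_verdicts(chain)}")
        for line in chain.commands:
            print("   ", line)
```

Running it prints, for each scenario, the verdict per source host and the commands that built the chain; the "allow one, broken" chain drops 192.168.0.80 because the DROP sits above the ACCEPT, while the "fixed" chain accepts .80 on port 22 and drops the rest of the LAN on that port only. To compare the model against a real box, `iptables -L INPUT -n --line-numbers` lists the chain in the order it is actually evaluated.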
11-30-2005, 05:25 PM | #9 | LQ Newbie | Registered: Oct 2003 | Posts: 19 | Original Poster
Thank you again, Capt_Caveman.
The firewall I use is "inherited", if I can say so, from the former network administrator, who is a good friend of mine, but he will be out of the country for the next 4 months so he cannot help me much. His firewall is much "scripted" and "automated" (hey, I'm the newbie here); I think he has declared some variables like NAT, internal interface, ext interface, spoof, DoS protection, SYN, etc. etc., and is using those. I think this is the part where the firewall does not need to be modified. BUT the firewall loads a file called "custom-rules" where I'm supposed to be able to insert some rules. The custom-rules file is loaded neither at the beginning nor at the end of the firewall execution script, but somewhere in the middle (after some spoofing/DoS/SYN protection thingy).
I think I have tried adding the rules with -A instead of -I to that custom-rules file and restarted the firewall, but I think it didn't work. I have not tried using -I and reversing the order as you suggested because I'm not logged into that machine, but I might be able to try it tomorrow.
So, if that won't work either, I'm lost.
12-01-2005, 04:29 PM | #10 | LQ Newbie | Registered: Oct 2003 | Posts: 19 | Original Poster
Thank God it's Friday.
I have been tampering with the firewall (the custom-rules part I have) after you were so kind to explain the order to me, using -A INPUT to allow ssh from one IP and then -A INPUT to deny the rest of the LAN. Actually, at first I was just adding the rules from the command line and they didn't seem to work. After I inserted those lines into custom-rules and restarted the firewall... TADAAAA... it was working.
Think you've heard that before, but you rule, Capt_Caveman.
Problem solved. Thank you.
12-01-2005, 07:11 PM | #11 | Senior Member | Registered: Mar 2003 | Distribution: Fedora | Posts: 3,658
Quote: Think you've heard that before, but you rule, Capt_Caveman.
Lol. Not really, but thanks for saying so.
Quote: Problem solved. Thank you.
Cool. Glad I could help.