Iptable rule to block outgoing ip addresses except some
Hi All

I don't want my server to communicate with other servers using SSH except some servers. Please have a look at the following rule and let me know if this is correct.
Have a look at this one:
Code:
iptables -I OUTPUT --dst-range ! 192.168.1.2,192.168.2.3,198.168.3.3 -p tcp --dport 22 -j REJECT
Hi Lazydog

"--dst-range" is not working. I think I have to go with the "ipset" option.
Note that while port 22 is the default, there is no guarantee that port 22 will be used. OK, you can easily argue that it could be way better than nothing for preventing SSH to 'random' servers, but if the remote SSH box could be under the command of one of your users, then they could change that port to almost anything (and then any 'port 22 based' blocking would fail).

(Changing the SSH port is also used as a 'security measure'; I don't think it is too controversial to say that, on its own, it is a poor security measure, but it does mean that there is a population of boxes where a non-default port is used for entirely legitimate, if often poor, reasons.)
Hi All

I have achieved blocking multiple IP addresses using IPSET.
So with the "!", it would mean that we would ignore the range of 192.168.1.2, 192.168.2.3, 198.168.3.3? Thanks
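As an added example (not a post from this thread) of the ipset approach the thread converges on, and of what the "!" negation does in the final rule: the set name, the three addresses (copied from the rule quoted above) and the dry-run default are assumptions, not anyone's posted configuration.

```shell
#!/bin/sh
# Added example, not from the thread: whitelist outbound SSH destinations with ipset.
# SET_NAME and ALLOWED_HOSTS are constructed placeholders; adjust them for your hosts.
# By default this only prints the commands (dry run) so they can be reviewed first.
set -eu

SET_NAME="ssh_allowed"
ALLOWED_HOSTS="192.168.1.2 192.168.2.3 198.168.3.3"
DRY_RUN="${DRY_RUN:-1}"   # DRY_RUN=0 (run as root) actually applies the rules

# run: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# valid_ipv4: accept only four dot-separated decimal octets in 0-255, so a
# mistyped address is rejected instead of silently ending up in the set.
valid_ipv4() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    for o in "$a" "$b" "$c" "$d"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# build_ssh_whitelist: create the set (-exist makes this idempotent), fill it,
# then insert one OUTPUT rule. The '!' negates the set match, so SSH to any
# destination NOT in the set is rejected while the listed hosts stay reachable.
# The rule keys on TCP/22 only; as noted above, a remote sshd on a non-default
# port is not covered by any port-based rule.
build_ssh_whitelist() {
    run ipset create "$SET_NAME" hash:ip -exist
    for host in $ALLOWED_HOSTS; do
        valid_ipv4 "$host" || { echo "invalid address: $host" >&2; return 1; }
        run ipset add "$SET_NAME" "$host" -exist
    done
    run iptables -I OUTPUT -p tcp --dport 22 -m set ! --match-set "$SET_NAME" dst -j REJECT
}

# Review the printed commands, then re-run with DRY_RUN=0 as root to apply them.
build_ssh_whitelist
```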