Restricting ssh access in iptables


tebucky
14th January 2005, 02:12 PM
I am a newbie to iptables and I'm having some issues. Reading through /var/log/secure I am seeing tons of attempts to break into my machine. I want to configure iptables to only allow specific IPs for ssh and drop all others. Could someone be kind enough to walk me through this process? This is how my iptables are currently configured.
##############################################
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -s <IP Addy> --dport 22 --syn -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -s <IP Addy> --dport 22 --syn -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -s <IP Addy> --dport 22 --syn -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -j DROP
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 139 --syn -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
###########################################
Could someone give me a hand and break this down?
Please excuse any bonehead mistakes :(

TIA!!!

vinu
14th January 2005, 05:10 PM
The simplest firewall that you could use would be the following:

iptables -P INPUT DROP
# loopback must be accepted explicitly once the policy is DROP, or local services break
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -s aa.bb.aa.bb -d xx.yy.xx.yy -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -d xx.yy.xx.yy -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -d xx.yy.xx.yy -m state --state NEW -j DROP

where xx.yy.xx.yy is your computer's public IP address and aa.bb.aa.bb is the IP address that you want to enable ssh access for.
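An added example in POSIX sh, not code from anyone in this thread: gen_ssh_rules writes the per-source ssh accepts plus the catch-all port-22 drop in iptables-restore form (with the ESTABLISHED,RELATED accept first, so later packets of a permitted session are not caught by the drop), and ssh_rules_shadowed scans an iptables-save dump for a blanket interface accept that sits above the port-22 rules, which is what the ruleset posted above does with its "-i eth0 -j ACCEPT" line. The function names, the sample dump and the addresses are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from any poster in this thread. The names
# gen_ssh_rules, ssh_rules_shadowed and SAMPLE_DUMP are hypothetical.

# Emit iptables-restore lines (for the *filter table) that keep allowed
# sessions alive, accept new ssh only from the listed sources, and drop
# any other traffic to port 22. Usage: gen_ssh_rules CHAIN IP [IP...]
gen_ssh_rules() {
    chain=$1; shift
    printf '%s\n' "-A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for ip in "$@"; do
        printf '%s\n' "-A $chain -p tcp -m tcp -s $ip --dport 22 -m state --state NEW -j ACCEPT"
    done
    printf '%s\n' "-A $chain -p tcp -m tcp --dport 22 -j DROP"
}

# Read an iptables-save dump on stdin. Exit 0 and print the offending rule
# if a chain accepts all traffic on a non-loopback interface (e.g.
# "-i eth0 -j ACCEPT") before its first port-22 rule: rules are matched
# top to bottom, so every later ssh restriction in that chain is dead.
ssh_rules_shadowed() {
    awk '
        /^-A / && /-j ACCEPT$/ && !/ -p / && !/ -s / && !/ -m / && !/-i lo / {
            shadow[$2] = $0
        }
        /^-A / && /--dport 22 / { if ($2 in shadow) { print shadow[$2]; found = 1; exit } }
        END { if (found) exit 0; exit 1 }
    '
}

# Constructed dump modelled on the ruleset posted above (addresses are
# documentation ranges, not real hosts).
SAMPLE_DUMP='-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.0.2.10 --dport 22 --syn -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -j DROP
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'

# Example run: report the shadowing rule, then print a corrected fragment.
if shadowing=$(printf '%s\n' "$SAMPLE_DUMP" | ssh_rules_shadowed); then
    echo "ssh rules are unreachable because of: $shadowing" >&2
fi
gen_ssh_rules RH-Firewall-1-INPUT 192.0.2.10 198.51.100.7
```

Paste the printed fragment into the RH-Firewall-1-INPUT chain in place of the existing port-22 lines, and remove or narrow the blanket interface accept that the check reports.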

Jman
15th January 2005, 03:03 AM

Also note you can edit sshd's config (at /etc/ssh/sshd_config I believe). Remove the # comment from in front of ListenAddress and specify an IP.

sunckell
18th January 2005, 01:26 PM
tebucky,

If you want to ensure the connections are dropped iptables is good, but if all you want is to limit who can connect via ssh, ssh is built with tcp wrapper support. Add SSHD: ALL in /etc/hosts.deny, then add SSHD: $yourip1, $yourip2 in /etc/hosts.allow

Just a thought.
sunckell