Hello gentlemen and ladies,
I am trying to filter ssh traffic regardless of the port the connection is opened on. I want to do the same for rlogin and telnet. I know it would be easier to use a proxy server and only allow users to access the web... but it's more complicated... they also need other ports open... and they use public IP addresses.
Is there any way that I can do it with iptables without having to patch the kernel and iptables with l7-filter.sourceforge.net?
Thank you for your time.
Not going to happen for telnet
Jason Pyeron, PD Inc., http://www.pdinc.us
Sr. Consultant
10 West 24th Street #100, Baltimore, Maryland 21218
+1 (443) 269-1555 x333
This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, purge the message from your system and notify the sender immediately. Any other use of the email by you is prohibited.
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Bazy
Sent: Tuesday, September 18, 2007 16:23
To: CentOS mailing list
Subject: [CentOS] filtering ssh regardless of the port
Jason Pyeron wrote:
Not going to happen for telnet
And yes... I will use layer 7 filtering. http://l7-filter.sourceforge.net/protocols
Patch my kernel, my iptables, and "iptables -A INPUT -m layer7 --l7proto ssh -j DROP" ;)
Bazy wrote:
And yes... I will use layer 7 filtering. http://l7-filter.sourceforge.net/protocols
Patch my kernel, my iptables, and "iptables -A INPUT -m layer7 --l7proto ssh -j DROP" ;)
Yes, the only way. D.
No, there is another way. Using the l7filter user-space daemon.
You need to use the NFQUEUE target with iptables and configure the L7 daemon to do the work.
I don't use it, but in http://l7-filter.sourceforge.net/HOWTO-userspace there is more information about it.
Regards
On Wed, 19 September 2007, 9:57, David Hrbáč wrote:
Yes, the only way. D.
ArcosCom Linux User wrote:
No, there is another way. Using the l7filter user-space daemon.
You need to use the NFQUEUE target with iptables and configure the L7 daemon to do the work.
I don't use it, but in http://l7-filter.sourceforge.net/HOWTO-userspace there is more information about it.
Regards
Thank you, you are right. I used l7-filter before and I compiled it into the kernel and iptables, and I didn't take the time to read the HOWTO-userspace...
Bazy wrote:
Hello gentlemen and ladies,
I am trying to filter ssh traffic regardless of the port the connection is opened on. I want to do the same for rlogin and telnet. I know it would be easier to use a proxy server and only allow users to access the web... but it's more complicated... they also need other ports open... and they use public IP addresses.
Is there any way that I can do it with iptables without having to patch the kernel and iptables with l7-filter.sourceforge.net?
Thank you for your time.
What you are looking for is a way to filter by protocol signature and I do not think that functionality is in netfilter yet.
Best bet is to just allow the connections to well-known ports, or if it needs to run over another port, define that explicitly.
-Ross
______________________________________________________________________ This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution or copying of this e-mail, and any attachments thereto, is strictly prohibited. If you have received this e-mail in error, please immediately notify the sender and permanently delete the original and any copy or printout thereof.
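Both the user-space answer above (NFQUEUE handing packets to the l7-filter daemon) and Ross's phrase "filter by protocol signature" come down to the same mechanism: match a regex against the first bytes of each connection instead of looking at its port. The block below is an added example, not code from this thread or from the l7-filter project: a small Python flow classifier that applies that matching to constructed sample packets. The ssh pattern is the one l7-filter ships (`^ssh-[12]\.[0-9]`); the telnet pattern is a heuristic I assumed for illustration, not l7-filter's, and MAX_BYTES, the flow tuple layout and the sample traffic are all constructed.

```python
import re
from collections import defaultdict

# l7-filter stops inspecting a connection after its first few KB; 2048 is an assumed cap
MAX_BYTES = 2048

SIGNATURES = {
    # l7-filter's ssh pattern: the identification string every SSH peer sends first
    "ssh": re.compile(rb"^ssh-[12]\.[0-9]", re.IGNORECASE),
    # Assumed heuristic (not l7-filter's pattern): three IAC WILL/WONT/DO/DONT
    # option negotiations opening the stream. A telnet session that negotiates
    # nothing is just plain text, which is why "not going to happen for telnet".
    "telnet": re.compile(rb"^(?:\xff[\xfb-\xfe].){3}", re.DOTALL),
}


class FlowClassifier:
    """Accumulate payload per flow and classify it by signature, never by port."""

    def __init__(self):
        self.buffers = defaultdict(bytes)
        self.verdicts = {}

    def feed(self, flow, payload):
        """Add one packet's payload; return a verdict, or None while undecided."""
        if flow in self.verdicts:
            return self.verdicts[flow]
        buf = (self.buffers[flow] + payload)[:MAX_BYTES]
        self.buffers[flow] = buf
        for name, pattern in SIGNATURES.items():
            if pattern.search(buf):
                self.verdicts[flow] = name
                return name
        if len(buf) >= MAX_BYTES:
            self.verdicts[flow] = "unknown"  # nothing matched: stop inspecting this flow
            return "unknown"
        return None


# Constructed sample traffic: (flow, payload), flow = (src, sport, dst, dport).
SAMPLE_PACKETS = [
    (("10.0.0.5", 51000, "10.0.0.9", 2222), b"SSH-2.0-OpenSSH_4.3\r\n"),    # ssh on an odd port
    (("10.0.0.5", 51001, "10.0.0.9", 22), b"GET / HTTP/1.0\r\n\r\n"),      # HTTP on port 22
    (("10.0.0.5", 51002, "10.0.0.9", 23), b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23"),  # telnet
    (("10.0.0.5", 51003, "10.0.0.9", 2323), b"login: "),                    # prompt only
]


def classify(packets=SAMPLE_PACKETS):
    """Return {flow: verdict} for every flow that reached a decision."""
    clf = FlowClassifier()
    for flow, payload in packets:
        clf.feed(flow, payload)
    return dict(clf.verdicts)
```

The SSH flow on port 2222 is caught and the HTTP flow on port 22 is not, while the negotiation-free telnet prompt stays undecided, which is exactly the limit Jason pointed out.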