[CentOS] [SOLVED] iptables rule question for Centos 5

Sat Aug 4 03:21:11 UTC 2012
SilverTip257 <silvertip257 at gmail.com>

Marvin,

You're leaving SSH open to the world with that.
If this is a box behind a firewall, then it's not _as much of a
concern_ ... otherwise you're opening that server up to ssh brute
force attempts.

Your existing configuration is probably set up to drop/reject if
traffic does not match any of your rules, so you've nearly solved the
"blocking all other traffic" from server2.  But you really should put
a specific rule on server1 with source as server2 and dest port 22
being accepted.

-s server2 -p tcp --dport 22 -j ACCEPT

Best of luck,
---~~.~~---
Mike
//  SilverTip257  //


On Fri, Aug 3, 2012 at 4:25 PM, Blackburn, Marvin
<mblackburn at glenraven.com> wrote:
> We have a simple configuration so we could get by with this
>
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> -A RH-Firewall-1-INPUT -s "SOURCIPADDRESS" -j REJECT --reject-with icmp-host-prohibited
>
> it doesn't scale well but serves the purpose.
>
>
>
> _____________________________________
> "He's no failure. He's not dead yet."
> William Lloyd George
>
>
> -----Original Message-----
> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On
> Behalf Of Steve Clark
> Sent: Thursday, August 02, 2012 1:17 PM
> To: CentOS mailing list
> Cc: Blackburn, Marvin
> Subject: Re: [CentOS] iptables rule question for Centos 5
>
> On 08/02/2012 01:06 PM, Blackburn, Marvin wrote:
>> I have a server that allows incoming traffic for ssh and some other
>> things.
>>
>> I need to set up a rule that will drop/reject all traffic from a
>> particular server except ssh.
>>
>> How can I do that.
>>
>>
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> http://lists.centos.org/mailman/listinfo/centos
>>
> Something like this first in your ruleset:
> -A INPUT -i eth0 -p tcp -s 10.0.1.0/24 --sport 1024:65535 -d 10.0.1.90/32 ! --dport 22 -j DROP
>
> substitute your appropriate ips and interface
>
>
> --
> Stephen Clark
> *NetWolves*
> Director of Technology
> Phone: 813-579-3200
> Fax: 813-882-0209
> Email: steve.clark at netwolves.com
> http://www.netwolves.com
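A simplified first-match evaluator for the rule orderings discussed in this thread (an added example, not code from the list or from any of the posters; the addresses are hypothetical and the model covers only source address, TCP destination port and the target):

```python
# Simplified first-match model of an iptables INPUT chain, written to show why
# rule order decides the outcome in the thread above. It is NOT iptables: it only
# models -s (source CIDR), --dport (optionally negated with '!') and the target,
# and ignores interfaces, connection state and every other match.
import ipaddress

SERVER2 = "10.0.1.50"   # hypothetical address of the host to restrict
OTHER = "10.0.1.20"     # hypothetical address of any other host on the LAN

def rule(target, src=None, dport=None, not_dport=False):
    """src: CIDR/host string (None = any); dport: int (None = any); not_dport mirrors '! --dport'."""
    return {"target": target, "src": ipaddress.ip_network(src) if src else None,
            "dport": dport, "not_dport": not_dport}

def verdict(chain, src_ip, dport, policy="REJECT"):
    """Walk the chain top to bottom; the first matching rule decides, as iptables does."""
    ip = ipaddress.ip_address(src_ip)
    for r in chain:
        if r["src"] is not None and ip not in r["src"]:
            continue
        # skip when the port test fails: equality for --dport, inequality for ! --dport
        if r["dport"] is not None and (r["dport"] == dport) == r["not_dport"]:
            continue
        return r["target"]
    return policy  # nothing matched: the chain policy (or a trailing reject) applies

# Marvin's pair: SSH accepted from anywhere, then everything from server2 rejected.
marvin = [rule("ACCEPT", dport=22), rule("REJECT", src=SERVER2)]
# Steve's rule placed first: drop anything from the subnet that is not port 22,
# followed by the usual SSH accept.
steve = [rule("DROP", src="10.0.1.0/24", dport=22, not_dport=True), rule("ACCEPT", dport=22)]
# Mike's suggestion: accept SSH only from server2, reject the rest from server2;
# every other host falls through to the chain policy instead of a world-open SSH rule.
mike = [rule("ACCEPT", src=SERVER2, dport=22), rule("REJECT", src=SERVER2)]
# Mike's two rules in the wrong order: the blanket reject is hit first and SSH is lost too.
mike_reversed = list(reversed(mike))

def summary(chain):
    """Verdicts for the three cases the thread cares about:
    server2 -> ssh, server2 -> some other port, another host -> ssh."""
    return (verdict(chain, SERVER2, 22), verdict(chain, SERVER2, 80), verdict(chain, OTHER, 22))

if __name__ == "__main__":
    for name, chain in (("marvin", marvin), ("steve", steve),
                        ("mike", mike), ("mike_reversed", mike_reversed)):
        print(f"{name:14s} server2->22: {summary(chain)[0]:7s} "
              f"server2->80: {summary(chain)[1]:7s} other->22: {summary(chain)[2]}")
```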