[NTLUG:Discuss] SSH

David david at hayes-family.org
Wed Oct 15 22:07:00 CDT 2003


On Tue, Oct 14, 2003 at 11:33:47PM -0500, severian at pobox.com wrote:
>   Your post brought up further questions which I put below your words.
> Thanks,
> Ralph

I'll guess at the question based on your comments, since you seem to
have forgotten to actually put the question into words.

> >I assume that you're using two separate ethernets, with eth0 being
> >your internal net, and eth1 being your external connection.  Modify
> >accordingly.

>    Actually I have just one ethernet port.  I started out with two
> ethernet cards, but I decided that was needlessly complex.  There is a
> router/gateway box supplied by the ISP (a Cisco 1720).  It is a
> firewall (somewhat), NAT, a DHCP server for most office machines (which get IP
> addresses in the 10.0.1.x range) and a gateway for my small range of static
> IP addresses.  The 1720 LAN port (not the WAN port) gets plugged into the
> same 16 port switch as this Linux box and every other machine in the office.

The question I think is lurking in there is "How do I do this if I
have only one ethernet port?"

The general intent of my IP Tables rules was to accept all packets
from your internal network, and filter out those coming from outside,
excepting the authorized SSH traffic.

You can still do this, even with just one ethernet.  Note that all
external traffic will have to pass through your router.  While the
source IP addresses may vary greatly, the MAC address (OSI layer 2)
will always be the router's ethernet address.  The "iptables" command
has an option for this: 

       --mac-source [!] address
              Match source MAC address. It must be of the form
              XX:XX:XX:XX:XX:XX. Note that this only makes sense for packets
              coming from an Ethernet device and entering the PREROUTING,
              FORWARD or INPUT chains.

-- 
David Hayes
david at hayes-family.org
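The single-interface rule set David describes, written out as an added example (this is not code from the thread). It assumes eth0 is the only interface, that the router's LAN-port MAC and the one external host allowed to reach sshd are placeholders to be replaced, and it prints the rules for review instead of applying them unless run as root with --apply.

```shell
#!/bin/sh
# One-NIC host behind a router: frames from the router's MAC are "external",
# frames from any other MAC came from a machine on the same switch.
ROUTER_MAC="${ROUTER_MAC:-00:11:22:33:44:55}"   # placeholder: the 1720's LAN MAC
ALLOWED_SSH="${ALLOWED_SSH:-203.0.113.10}"      # placeholder: external SSH source
IFACE="${IFACE:-eth0}"                          # assumed: the only interface

# --mac-source expects XX:XX:XX:XX:XX:XX; reject anything else before
# it reaches iptables.
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Emit the rules as text so they can be inspected, diffed, or piped to sh.
gen_rules() {
    valid_mac "$ROUTER_MAC" || { echo "bad MAC: $ROUTER_MAC" >&2; return 1; }
    cat <<EOF
iptables -F INPUT
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
# Replies to connections this box opened (must precede the MAC drop rule).
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Traffic that passed through the router carries the router's MAC:
# allow SSH from the one authorized host only.
iptables -A INPUT -i $IFACE -m mac --mac-source $ROUTER_MAC -p tcp -s $ALLOWED_SSH --dport 22 -j ACCEPT
# Anything else from the router's MAC is outside traffic: drop it.
iptables -A INPUT -i $IFACE -m mac --mac-source $ROUTER_MAC -j DROP
# Every other source MAC is a host on the local switch: accept.
iptables -A INPUT -i $IFACE -j ACCEPT
EOF
}

if [ "${1:-}" = "--apply" ]; then
    if [ "$(id -u)" -eq 0 ]; then
        gen_rules | sh
    else
        echo "run as root to apply" >&2
    fi
fi
```

The MAC match only distinguishes "arrived via the router" from "arrived from the switch"; source IP filtering inside the router-MAC rules still has to do the real work, and the ESTABLISHED,RELATED rule must come before the MAC-based DROP or return traffic from the Internet is discarded.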
