[NTLUG:Discuss] SSH
severian@pobox.com
Thu Oct 16 00:27:49 CDT 2003
In response to the welcome remarks of David at 10:07 PM 10/15/03 -0500:
>On Tue, Oct 14, 2003 at 11:33:47PM -0500, severian at pobox.com wrote:
> > Your post brought up further questions which I put below your words.
> > Thanks,
> > Ralph
>
>I'll guess at the question based on your comments, since you seem to
>have forgotten to actually put the question into words.
Good call. Although strictly speaking, I did put them into words. As
Don Pardo would have said, I did not put them into the form of questions.
> > Actually I have just one ethernet port. I started out with two
>
>The question I think is lurking in there is "How do I do this if I
>have only one ethernet port?"
>
>The general intent of my IP Tables rules was to accept all packets
>from your internal network, and filter out those coming from outside,
>excepting the authorized SSH traffic.
My switch will only send traffic destined for my IP address to me.
(and, I suppose, a few broadcast packets) By closing all ports except 22,
aren't I taking care of this? It seems like a small modification of your
suggestion from yesterday is still a nice quick way to do it. I noticed
you allowed the DNS port, as well as SSH. So doesn't the following seem
reasonable?
# allow SSH only from the local /29; the port option is --dport (not --dstport)
iptables -A INPUT -i eth0 -p tcp -s 123.456.789.226/255.255.255.248 \
--dport 22 -j ACCEPT
# allow DNS on udp/53
iptables -A INPUT -i eth0 -p udp --dport 53 -j ACCEPT
# drop everything else arriving on eth0
iptables -A INPUT -i eth0 -j DROP
Note that the first three octets of the IP address are wrong. I did not
think I should put the real address here.
>will always be the router's ethernet address. The "iptables" command
>has an option for this:
>
> --mac-source [!] address
>
I don't understand the need for this, but I will study on it. Thanks.
And I note that there are questions in the form of a question
above. Thank you for the advice.
Good day,
Ralph
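The following is an added example, not code from the original post or from anyone in the NTLUG thread. It is a small first-match evaluator for iptables INPUT rules, so the effect of the three rules above can be checked against sample packets before touching a live firewall. It assumes 192.0.2.224/29 (RFC 5737 documentation space) as a stand-in for the poster's obscured /255.255.255.248 network, and all sample packets are constructed for the example. The stateful variant it places beside the posted chain uses `-m conntrack --ctstate`, which lets replies to the host's own DNS lookups back in without exposing udp/53 to every source.

```python
"""Added example (not from the original post or thread): a first-match
evaluator for iptables INPUT rules, used to see what the posted rules
accept and drop.

Assumptions: 192.0.2.224/29 stands in for the poster's obscured
/255.255.255.248 network; every packet below is constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str            # "tcp" or "udp"
    src: str
    sport: int
    dport: int
    state: str = "NEW"    # what conntrack would report: "NEW" or "ESTABLISHED"


@dataclass(frozen=True)
class Rule:
    target: str                       # -j ACCEPT / DROP
    iface: Optional[str] = None       # -i
    proto: Optional[str] = None       # -p
    src: Optional[str] = None         # -s (CIDR or dotted netmask)
    dport: Optional[int] = None       # --dport
    ctstate: Optional[str] = None     # -m conntrack --ctstate

    def matches(self, pkt: Packet) -> bool:
        """Every specified match must hold; unspecified matches accept anything."""
        if self.iface is not None and pkt.iface != self.iface:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src) not in \
                ipaddress.ip_network(self.src, strict=False):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.ctstate is not None and pkt.state != self.ctstate:
            return False
        return True

    def to_iptables(self) -> str:
        """Render the equivalent iptables command line (--dport, not --dstport)."""
        parts = ["iptables", "-A", "INPUT"]
        if self.iface:
            parts += ["-i", self.iface]
        if self.proto:
            parts += ["-p", self.proto]
        if self.src:
            parts += ["-s", self.src]
        if self.dport is not None:
            parts += ["--dport", str(self.dport)]
        if self.ctstate:
            parts += ["-m", "conntrack", "--ctstate", self.ctstate]
        parts += ["-j", self.target]
        return " ".join(parts)


def verdict(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """iptables chain semantics: the first matching rule decides; if none
    matches, the chain policy applies."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


TRUSTED = "192.0.2.224/255.255.255.248"   # assumed stand-in for the poster's /29

# The chain as posted (with the port option spelled --dport).
POSTED = [
    Rule("ACCEPT", iface="eth0", proto="tcp", src=TRUSTED, dport=22),
    Rule("ACCEPT", iface="eth0", proto="udp", dport=53),
    Rule("DROP", iface="eth0"),
]

# Stateful alternative: admit replies to connections this host opened,
# allow new SSH only from the trusted /29, and expose no other port.
STATEFUL = [
    Rule("ACCEPT", iface="eth0", ctstate="ESTABLISHED"),
    Rule("ACCEPT", iface="eth0", proto="tcp", src=TRUSTED, dport=22, ctstate="NEW"),
    Rule("DROP", iface="eth0"),
]

# Constructed sample traffic (all addresses from RFC 5737 documentation ranges).
SSH_FROM_TRUSTED = Packet("eth0", "tcp", "192.0.2.226", 40122, 22)
SSH_FROM_OUTSIDE = Packet("eth0", "tcp", "198.51.100.7", 40122, 22)
DNS_QUERY_FROM_OUTSIDE = Packet("eth0", "udp", "198.51.100.7", 53001, 53)
DNS_REPLY_TO_OUR_QUERY = Packet("eth0", "udp", "203.0.113.53", 53, 45678, "ESTABLISHED")


def compare(pkt: Packet) -> Dict[str, str]:
    """Verdict of both chains for one packet."""
    return {"posted": verdict(POSTED, pkt), "stateful": verdict(STATEFUL, pkt)}


if __name__ == "__main__":
    samples = [("ssh from trusted /29", SSH_FROM_TRUSTED),
               ("ssh from outside", SSH_FROM_OUTSIDE),
               ("dns query from outside", DNS_QUERY_FROM_OUTSIDE),
               ("reply to our dns query", DNS_REPLY_TO_OUR_QUERY)]
    for name, pkt in samples:
        print(f"{name:24} {compare(pkt)}")
    for rule in STATEFUL:
        print(rule.to_iptables())
```

Running it shows the two chains agree on SSH (accepted only from the trusted /29) but differ on DNS: the posted `udp --dport 53` rule admits queries to port 53 from any source, while a reply to a lookup this host made arrives at an ephemeral destination port and reaches the final DROP; the stateful chain does the reverse, which is usually what a single-interface host that is not a DNS server wants.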