Re: iptables & tcp wrappers

From: Ed J. Aivazian (stealth_at_arminco.com)
Date: 09/28/04

  • Next message: Jan Gerrit Göbel: "Re: iptables & tcp wrappers"
    Date: Tue, 28 Sep 2004 14:16:31 +0500
    To: "Meatplow" <greg@meatplow.com>
    
    

    Hello Meatplow,

    Saturday, September 25, 2004, 1:57:26 AM, you wrote:

    finding line numbers is simple.
    --line-numbers.
    if you need to restrict ssh for everyone except those you trust,
    something like this is fine and flexible.

    TRUSTEDHOSTS="1.2.3.4 5.6.7.8"

    for host in $TRUSTEDHOSTS do;
        iptables -A INPUT -j ACCEPT -p tcp -s $host --dport ssh
    done;

    iptables -A INPUT -j DROP -p tcp --dport ssh

    As for collecting statistics for the non-trusted attempts, you can make use of
    the iptables LOG target. Get the iptables-tutorial document, I believe
    this is the best guide to iptables and to the theory of firewalls in
    general.
    Luck!

    M> -----BEGIN PGP SIGNED MESSAGE-----
    M> Hash: SHA1

    M> Hello.

    M> I'm running RH Enterprise edition.

    M> I'm relatively new to iptables. I am getting the common intrusion
    M> attempts with some of the common uses of test/guest/root/ and a
    M> couple others I've been able to add the IPs to the to iptables.,
    M> but
    M> I'd really like a log that tells me the info that I want to know.

    M> My basic input command is this :
    M> #iptables -A INPUT -p tcp -s PUT_IP_HERE -d 0/0 --syn -j DROP

    M> iptables seem a little convoluted. Example. To delete a line -
    M> supposedly give it a line and it will be deleted/modified. My
    M> problem is even with #iptable -L -v there is no line number ?

    M> My goal is to block all incoming ssh attempts except IP#.
    M> This is where I got into hosts.allow/deny as mentioned below.

    M> I've tried to find many different types of commands and it works to
    M> some degree, but not the way I'd expect it to.

    M> Any help would be appreciated. I'm not completely sure that I
    M> understand iptables as well as I want/need to. I've also toyed
    M> around with the hosts.allow/hosts.deny and have not been successful.

    M> I know that there is a lot of info in here, and I'm tired. I'll
    M> leave it at that

    M> Thanks in advance for your time and help.

    M> Meatplow
    M> greg ta meatplow.com

    M> Thanks again.

    M> -----BEGIN PGP SIGNATURE-----
    M> Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

    M> iQA/AwUBQVSBsR42gIcyjrnjEQJIqwCfWAShp7r+J1XNNjQq6sbvvD03WZ8AoNrg
    M> ctQ837g5pQDafgBhTTeeMr1V
    M> =niWK
    M> -----END PGP SIGNATURE-----

    -- 
    Best regards,
     Ed                            mailto:stealth@arminco.com
    

  • Next message: Jan Gerrit Göbel: "Re: iptables & tcp wrappers"