RE: iptables & tcp wrappers
From: Whelan, Paul (Paul.Whelan_at_fmr.com)
Date: Thu, 30 Sep 2004 13:09:21 -0400 To: "Ed J. Aivazian" <email@example.com>, "Meatplow" <firstname.lastname@example.org>
iptables will accept multiple hosts in the rule. You can do this like:
iptables -A INPUT -p tcp -s ! 126.96.36.199/32,188.8.131.52/32 --dport 22 -j DROP
This consolodates those 3 rules below into one.
From: Ed J. Aivazian [mailto:email@example.com]
Sent: Tuesday, September 28, 2004 5:17 AM
Subject: Re: iptables & tcp wrappers
Saturday, September 25, 2004, 1:57:26 AM, you wrote:
finding line numbers is simple.
if you need to restrict ssh for everyone except those you trust,
something like this is fine and flexible.
for host in $TRUSTEDHOSTS do;
iptables -A INPUT -j ACCEPT -p tcp -s $host --dport ssh
iptables -A INPUT -j DROP -p tcp --dport ssh
As for collecting statistics for the non-trusted attempts, you can make
the iptables LOG target. Get the iptables-tutorial document, I believe
this is the best guide to iptables and to the theory of firewalls in
M> -----BEGIN PGP SIGNED MESSAGE-----
M> Hash: SHA1
M> I'm running RH Enterprise edition.
M> I'm relatively new to iptables. I am getting the common intrusion
M> attempts with some of the common uses of test/guest/root/ and a
M> couple others I've been able to add the IPs to the to iptables.,
M> I'd really like a log that tells me the info that I want to know.
M> My basic input command is this :
M> #iptables -A INPUT -p tcp -s PUT_IP_HERE -d 0/0 --syn -j DROP
M> iptables seem a little convoluted. Example. To delete a line -
M> supposedly give it a line and it will be deleted/modified. My
M> problem is even with #iptable -L -v there is no line number ?
M> My goal is to block all incoming ssh attempts except IP#.
M> This is where I got into hosts.allow/deny as mentioned below.
M> I've tried to find many different types of commands and it works to
M> some degree, but not the way I'd expect it to.
M> Any help would be appreciated. I'm not completely sure that I
M> understand iptables as well as I want/need to. I've also toyed
M> around with the hosts.allow/hosts.deny and have not been successful.
M> I know that there is a lot of info in here, and I'm tired. I'll
M> leave it at that
M> Thanks in advance for your time and help.
M> greg ta meatplow.com
M> Thanks again.
M> -----BEGIN PGP SIGNATURE-----
M> Version: PGPfreeware 6.5.8 for non-commercial use
M> -----END PGP SIGNATURE-----
-- Best regards, Ed mailto:firstname.lastname@example.org