On Sun, Sep 02, 2001 at 02:54:47PM -0700, Mike Egglestone wrote:
| Quoting dman <[EMAIL PROTECTED]>:
|
| > On Sun, Sep 02, 2001 at 10:10:25AM -0700, Mike Egglestone wrote:
| > | Hi all,
| > |
| > | What would be a good ipchains command to block all tcp traffic
| > | to and from a box except "ssh"?
| > | I have a box that will only be running rsync thru ssh.
| > |
| > | This is what I tried, but I don't think it worked.
| > |
| > | ipchains -I input -p tcp -s 0/0 -d 0/0 ! ssh -j DENY
| >
| > What you need to do is specify the port to allow, somehow. ssh uses
| > port 22 unless you do something strange to make it use a different
| > port.
| >
| > With iptables I use the command :
| >
| > iptables -A INPUT -p tcp --dport ssh -j ACCEPT
| >
| > This says that in the input chain, for tcp packets, if the port number
| > matches ssh in /etc/services then accept the packet regardless of IP
| > addresses. Hopefully this will give you a pointer towards the
| > necessary ipchains options. You may need to specify an integer rather
| > than a name defined in /etc/services for ipchains, I don't know for
| > sure.
|
| Hi..
|
| My ssh is running on port 22.
| I figured my original ipchain command will block everything
| except ssh. (thus I used the "!" with ssh)
|
| Do you think it's best to change the state of the input chain to DENY and
| then just allow ssh ?
I think it is mostly a matter of preference. It is usually recommended to block everything (a default of DENY) and then open just what you need. Be sure that you aren't blocking any outgoing packets (server responses) and ICMP packets (TCP uses ICMP packets for some control information).

<response to non-list message>
Yes, I figured you were using a 2.2 kernel because you were using ipchains. iptables is used by the 2.4 kernels.
</response>

It would probably be a good idea to add some logging rules (with ipchains that means to match the packet, but don't send it anywhere) so that you will see some messages in /var/log/syslog and/or /var/log/messages.

Make sure that your client side's packets actually have a route to the server too (traceroute).

-D
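The "deny by default, then allow ssh" policy described in this thread, written out as a complete ruleset for a host that only runs rsync over ssh. This is an added example, not code posted by either participant. It goes a little beyond the thread by giving the same policy in both the ipchains (2.2 kernel) and iptables (2.4 kernel) syntax, and by adding the logging rule and the ICMP and return-traffic allowances the reply recommends. The SSH_PORT variable, the "sshonly:" log prefix, and the dry-run wrapper (rules are printed unless you pass "apply") are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original thread: build a deny-by-default input
# ruleset that admits only ssh plus the traffic ssh itself depends on.
# SSH_PORT and the "sshonly:" log prefix are assumptions for this example.
SSH_PORT=${SSH_PORT:-22}

# ipchains (2.2 kernels) is stateless, so replies to the box's own outgoing
# TCP connections must be admitted explicitly: non-SYN packets to high ports.
ipchains_rules() {
    echo "ipchains -F input"                                          # start from an empty chain
    echo "ipchains -P input DENY"                                     # default policy: deny
    echo "ipchains -A input -i lo -j ACCEPT"                          # loopback is always fine
    echo "ipchains -A input -p tcp -d 0/0 $SSH_PORT -j ACCEPT"        # inbound ssh (rsync rides on it)
    echo "ipchains -A input -p tcp ! -y -d 0/0 1024:65535 -j ACCEPT"  # replies to our outbound tcp
    echo "ipchains -A input -p icmp -j ACCEPT"                        # icmp control messages
    echo "ipchains -A input -l"                                       # log the rest; -l without -j means
                                                                      # "log and fall through" to DENY
}

# iptables (2.4 kernels): connection tracking replaces the non-SYN rule.
iptables_rules() {
    echo "iptables -F INPUT"
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport $SSH_PORT -j ACCEPT"
    echo "iptables -A INPUT -p icmp -j ACCEPT"
    echo "iptables -A INPUT -j LOG --log-prefix \"sshonly: \""         # LOG is non-terminating; policy DROP follows
}

# firewall_rules TOOL: print the commands for TOOL (ipchains or iptables).
firewall_rules() {
    case "$1" in
        ipchains) ipchains_rules ;;
        iptables) iptables_rules ;;
        *) echo "usage: firewall_rules ipchains|iptables" >&2; return 1 ;;
    esac
}

# allows_ssh TOOL: succeeds if the generated ruleset opens the ssh port.
allows_ssh() {
    firewall_rules "$1" | grep -q -e "-d 0/0 $SSH_PORT -j ACCEPT" -e "--dport $SSH_PORT -j ACCEPT"
}

# Dry run by default: "./sshonly.sh iptables" prints the rules for review;
# "./sshonly.sh iptables apply" feeds them to sh (needs root on the firewall host).
if [ $# -ge 1 ]; then
    if [ "${2:-show}" = apply ]; then
        firewall_rules "$1" | sh
    else
        firewall_rules "$1"
    fi
fi
```

Review the printed rules before applying them from a remote ssh session: the ssh ACCEPT rule is appended before the logging rule and the DENY/DROP policy takes effect, but a typo in SSH_PORT would still lock you out, so keep a console or an out-of-band path available. With the logging rule in place, denied packets show up in /var/log/syslog or /var/log/messages, which is the quickest way to confirm the client is actually reaching the box.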