Hi.

On Thu, Dec 18, 2014 at 10:39:18AM +0100, Mart van de Wege wrote:
> Britton Kerin <britton.ke...@gmail.com> writes:
>
> > I have a system that I would like to make accessible only by ssh.
> >
> > No apache telnet ftp anything else.
> >
> > What is the easiest way to achieve this? It came from a vendor with
> > a slew of packages of all sorts, so I don't even know everything that
> > I want to remove.
> >
> Simplest solution is to use iptables to reject all traffic except for
> port 22:
>
> iptables -I INPUT -p tcp --dport 22 -j ACCEPT
> iptables -P INPUT DROP
>
> Of course, this depends on none of the shell users having root access.
The simplest *working* solution is to use iptables this way:

iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
iptables -P INPUT DROP
iptables -F OUTPUT
iptables -P OUTPUT ACCEPT

Your rules will block anything on the interface lo and outbound traffic,
which is just asking for all kinds of trouble.

And blocking icmp is just rude ;)

Reco

Archive: https://lists.debian.org/20141218101453.ga13...@d1696.int.rdtex.ru
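As an added example that is not part of any post in this thread, here is the same SSH-only ruleset written as an iptables-restore file instead of a sequence of single iptables commands. iptables-restore loads the policies and all rules in one atomic commit, so there is no window between commands in which an SSH session could be cut, and `--test` parses the file before anything is committed. It also goes slightly beyond Reco's rules in two places: the RELATED,ESTABLISHED rule is not limited to `-p tcp`, so replies to the host's own UDP traffic (DNS, NTP) still get in under the DROP policy, and the FORWARD chain is given a DROP policy since the host is not a router. `SSH_PORT` and `build_ruleset` are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the debian-user thread): emit the SSH-only
# ruleset in iptables-restore format so the DROP policy and the accept
# rules are loaded together in one atomic step.
# Assumptions: the iptables-restore tool from the iptables package is
# available; SSH_PORT is a hypothetical variable defaulting to 22.
SSH_PORT="${SSH_PORT:-22}"

# Print the ruleset. RELATED,ESTABLISHED is matched without "-p tcp" so
# that replies to the host's own UDP traffic (DNS lookups, NTP) and ICMP
# errors are accepted too; with "-p tcp" on that rule and a DROP policy,
# name resolution from the host would fail.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Sanity check: count the rules that admit NEW inbound connections.
# For an SSH-only host this must be exactly one (the SSH port).
count_new_accepts() {
    build_ruleset | grep -c -- '--ctstate NEW -j ACCEPT'
}

# Apply only when explicitly asked (needs root). The --test pass parses
# the whole file first, so a syntax error cannot leave the table
# half-loaded.
if [ "${1:-}" = "--apply" ]; then
    build_ruleset | iptables-restore --test && build_ruleset | iptables-restore
fi
```

Run it without arguments to print nothing and just define the functions, `sh script.sh --apply` as root to load the rules, or `build_ruleset` alone to review the file before committing it. Persisting the result across reboots is a separate step (for example the iptables-persistent package on Debian).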