On Tue, 29 Jun 2010, bruce bruce wrote:
Thanks for that Steve. This works. However, what if I do this (would I
block myself from SSH 22):
--------------------------------------------------------------
sudo iptables\
--append INPUT\
--match tcp\
--protocol tcp\
--dport 22\
--source 0.0.0.0\
--jump ACCEPT
--------------------------------------------------------------
sudo iptables\
--append INPUT\
--source 87.230.90.0/24\
--jump DROP
--------------------------------------------------------------
Will that block all other traffic to the server and only allow SSH 22? I
don't want to block myself out and it's very important because this is a
remote server. If you can confirm above then I can add the legit IPs one
by one after that I guess.
I'm not a fan of executing iptables from the command line, nor am I an
iptables expert.
A very simple /etc/sysconfig/iptables would look like:
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# established connections
--append INPUT --match state --state RELATED,ESTABLISHED --jump ACCEPT
# accept SSH from bruce bruce
--append INPUT --match tcp --protocol tcp --dport 22 --source a.b.c.d --jump ACCEPT
# log everything else
--append INPUT --protocol all --jump LOG
# drop everything else
--append INPUT --protocol all --jump DROP
COMMIT
This should get you started.
Any time you are fiddling with iptables, it would be prudent to add
something like this to root's crontab:
# Min hour DOM month DOW command
*/05 * * * * /etc/init.d/iptables stop
In case you "blow it," you can get back in within 5 minutes.
--
Thanks in advance,
-------------------------------------------------------------------------
Steve Edwards [email protected] Voice: +1-760-468-3867 PST
Newline Fax: +1-760-731-3000
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
asterisk-biz mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-biz
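Added example (not code from the thread or from either poster): a small Python model of how iptables walks the INPUT chain in Steve's /etc/sysconfig/iptables, so the "will I lock myself out?" question can be answered on paper before the rules are loaded on the remote box. It assumes a placeholder admin address 198.51.100.7 in place of "a.b.c.d", and it only models the handful of matches used in the thread (state, tcp/dport, source, protocol all); it does not call iptables. It reproduces two behaviours that matter here: the chain is first-match, and LOG is non-terminating, so a packet that hits the LOG rule carries on to the DROP rule below it.

```python
"""Model first-match evaluation of the INPUT chain from an iptables-restore file."""
import ipaddress
import shlex

ADMIN_IP = "198.51.100.7"  # placeholder for the "a.b.c.d" admin host in the thread


def build_ruleset(admin_ip):
    """Constructed ruleset in /etc/sysconfig/iptables (iptables-restore) syntax."""
    return f"""
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# established connections
--append INPUT --match state --state RELATED,ESTABLISHED --jump ACCEPT
# accept SSH from the admin host
--append INPUT --match tcp --protocol tcp --dport 22 --source {admin_ip} --jump ACCEPT
# log everything else
--append INPUT --protocol all --jump LOG
# drop everything else
--append INPUT --protocol all --jump DROP
COMMIT
"""


RULESET = build_ruleset(ADMIN_IP)


def parse_ruleset(text):
    """Return (chain policies, rules per chain). Each rule is a dict of its match criteria."""
    policies, rules = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line in ("*filter", "COMMIT"):
            continue
        if line.startswith(":"):  # ":INPUT DROP [0:0]" -> default policy for the chain
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            continue
        tokens, rule, i = shlex.split(line), {}, 0
        while i < len(tokens):
            opt, val = tokens[i], tokens[i + 1]
            key = opt.lstrip("-")
            if key == "match":  # loads the state/tcp match module; no criterion by itself
                pass
            elif key == "append": rule["chain"] = val
            elif key == "protocol": rule["proto"] = val
            elif key == "dport": rule["dport"] = int(val)
            elif key == "source": rule["src"] = ipaddress.ip_network(val, strict=False)
            elif key == "state": rule["state"] = set(val.split(","))
            elif key == "jump": rule["target"] = val
            else: raise ValueError(f"unsupported option {opt}")
            i += 2
        rules.setdefault(rule["chain"], []).append(rule)
    return policies, rules


def matches(rule, pkt):
    """True if every criterion on the rule holds for the packet."""
    if "proto" in rule and rule["proto"] not in ("all", pkt["proto"]):
        return False
    if "dport" in rule and rule["dport"] != pkt.get("dport"):
        return False
    if "src" in rule and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if "state" in rule and pkt["state"] not in rule["state"]:
        return False
    return True


def verdict(policies, rules, chain, pkt):
    """Walk the chain top to bottom; LOG is non-terminating, so keep going after it."""
    for rule in rules.get(chain, []):
        if matches(rule, pkt):
            if rule["target"] == "LOG":
                continue
            return rule["target"]
    return policies[chain]  # fell off the end of the chain: default policy applies


def evaluate(pkt, ruleset=RULESET):
    """Verdict of the INPUT chain for one constructed packet."""
    policies, rules = parse_ruleset(ruleset)
    return verdict(policies, rules, "INPUT", pkt)


def ssh_locked_out(ruleset, admin_ip):
    """Pre-load check: would a fresh SSH connection from the admin host be refused?"""
    pkt = {"src": admin_ip, "proto": "tcp", "dport": 22, "state": "NEW"}
    return evaluate(pkt, ruleset) != "ACCEPT"


if __name__ == "__main__":
    for pkt in (
        {"src": ADMIN_IP, "proto": "tcp", "dport": 22, "state": "NEW"},
        {"src": "203.0.113.9", "proto": "tcp", "dport": 22, "state": "NEW"},
        {"src": "203.0.113.9", "proto": "udp", "dport": 5060, "state": "ESTABLISHED"},
        {"src": "203.0.113.9", "proto": "icmp", "state": "NEW"},
    ):
        print(pkt, "->", evaluate(pkt))
    print("admin locked out:", ssh_locked_out(RULESET, ADMIN_IP))
```

Run it before loading a new ruleset on a remote host: `ssh_locked_out()` answers the question in the thread for the address you will actually be connecting from, and the cron-based "iptables stop" safety net then only has to cover mistakes the model does not see (a typo in the file, a wrong interface, NAT between you and the server). The sample addresses 203.0.113.9 and 198.51.100.7 are documentation-range placeholders, not hosts from the thread.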