You didn't understand; read the initial message again. He wants to cut off SSH access from anyone on the network to any SSH server outside, regardless of the port it runs on. In that case /etc/ssh?/sshd_config is of no interest to you, because you have no access to it. There is no way to cut it off based on ports.
Read the messages carefully, people, and don't rush to answer the inverse of the problem that was posed.

"Live to Win, Dare to Fail" - James Hetfield

> I know, it was just an example I gave
> no need to jump on me right away
> because if I know how to write 3 lines of iptables, maybe I also know how to
> change a damn port in /etc/ssh2/sshd_config
>
> or tell the server directly to start with the -q port parameter
> for example /usr/sbin/sshd -q 1234
>
> Tuesday, October 14, 2003, 5:12:07 PM, you wrote:
>
> DU> not all ssh servers run on port 22. I, for example, installed one today
> DU> on port 57233, and tomorrow I'll move it to 23581.
> DU> you can't filter something variable; you have to hook onto the contents
> DU> of the packets that initiate the connection.
>
> >> iptables -A FORWARD -p tcp --dport 22 -j DROP
> >> iptables -I FORWARD -s ip_care_are_voi_1 -p tcp --dport 22 -j ACCEPT
> >> iptables -I FORWARD -s ip_care_are_voi_2 -p tcp --dport 22 -j ACCEPT
> >> iptables -I FORWARD -s ip_care_are_voi_3 -p tcp --dport 22 -j ACCEPT
> >> iptables -I FORWARD -s ip_care_are_voi_4 -p tcp --dport 22 -j ACCEPT
> >> iptables -I FORWARD -s ip_care_are_voi_5 -p tcp --dport 22 -j ACCEPT
> >> iptables -I FORWARD -s ip_care_are_voi_6 -p tcp --dport 22 -j ACCEPT
> >> iptables -I FORWARD -s ip_care_are_voi_7 -p tcp --dport 22 -j ACCEPT
> >> ...
> >>
> >> and you've solved the problem
> >> nobody connects out to 22 except those who are allowed
> >>
> >> Tuesday, October 14, 2003, 5:00:20 PM, you wrote:
> >>
> >> IA> I don't want to let just anyone go out from the internal network over
> >> IA> ssh to other servers.
> >>
> >> IA> ----- Original Message -----
> >> IA> From: "Knight" <[EMAIL PROTECTED]>
> >> IA> To: "Ioan Alin" <[EMAIL PROTECTED]>
> >> IA> Sent: Tuesday, October 14, 2003 5:54 PM
> >> IA> Subject: [rlug] Re: ICQ & YM and firewall
> >>
> >> >> Ioan,
> >> >>
> >> >> so you don't want to let just anyone go out from the internal network
> >> >> over ssh to other servers?
> >> >> or you don't want people to be able to connect to your server over ssh
> >> >> except from certain IPs?
> >> >>
> >> >> Tuesday, October 14, 2003, 4:46:39 PM, you wrote:
> >> >>
> >> >> IA> The problem is that I don't know the destination IP (that would be
> >> >> IA> easy). All I'd want is, from the router, to cut off the ssh clients
> >> >> IA> by IP (when someone wants to make a connection to some arbitrary
> >> >> IA> ssh server).
> >> >>
> >> >> IA> ----- Original Message -----
> >> >> IA> From: "Radu" <[EMAIL PROTECTED]>
> >> >> IA> To: <[EMAIL PROTECTED]>
> >> >> IA> Sent: Wednesday, October 15, 2003 2:41 AM
> >> >> IA> Subject: [rlug] Re: ICQ & YM and firewall
> >> >>
> >> >> >> Brother Alin,
> >> >> >>
> >> >> >> From what I remember, but I'm not sure, you still have to check.
> >> >> >> The following:
> >> >> >> If it's a router:
> >> >> >> iptables -A FORWARD -s <ip you want to burn> -d <ssh server ip> -j DROP
> >> >> >> If you want to forbid going out from a particular host:
> >> >> >> iptables -A OUTPUT -d <ssh server ip> -j DROP
> >> >> >> The stuff above cuts all traffic to that server.
> >> >> >>
> >> >> >> With bows, maestro.
> >> >> >>
> >> >> >> ----- Original Message -----
> >> >> >> From: "Ioan Alin" <[EMAIL PROTECTED]>
> >> >> >> To: <[EMAIL PROTECTED]>
> >> >> >> Sent: Tuesday, October 14, 2003 7:32 AM
> >> >> >> Subject: [rlug] Re: ICQ & YM and firewall
> >> >> >>
> >> >> >> > I'd be interested in cutting off all outgoing connections to an ssh
> >> >> >> > server too (any port, not necessarily 22).
> >> >> >> >
> >> >> >> > ----- Original Message -----
> >> >> >> > From: "Radu" <[EMAIL PROTECTED]>
> >> >> >> > To: <[EMAIL PROTECTED]>
> >> >> >> > Sent: Wednesday, October 15, 2003 2:29 AM
> >> >> >> > Subject: [rlug] Re: ICQ & YM and firewall
> >> >> >> >
> >> >> >> > > Brother, it's no problem at all.
> >> >> >> > > The idea is how one could still do it with that damned yahoo
> >> >> >> > > messenger... because this thing stresses me too.
> >> >> >> > > And I don't have too many ideas... in that direction...
> >> >> >> > > Maybe someone has dealt with it after all... just with blocking
> >> >> >> > > yahoo messenger...?
> >> >> >> > >
> >> >> >> > > Radu.
> >> >> >> > > ----- Original Message -----
> >> >> >> > > From: "Knight" <[EMAIL PROTECTED]>
> >> >> >> > > To: "Radu" <[EMAIL PROTECTED]>
> >> >> >> > > Sent: Tuesday, October 14, 2003 8:23 AM
> >> >> >> > > Subject: [rlug] Re: ICQ & YM and firewall
> >> >> >> > >
> >> >> >> > > > Radu,
> >> >> >> > > >
> >> >> >> > > > I think mea culpa
> >> >> >> > > > but where the hell did I read ipchains, because I know for sure
> >> >> >> > > > that's what I read
> >> >> >> > > > whatsoever
> >> >> >> > > > sorry
> >> >> >> > > >
> >> >> >> > > > Wednesday, October 15, 2003, 2:05:25 AM, you wrote:
> >> >> >> > > >
> >> >> >> > > > R> Brother Knight,
> >> >> >> > > >
> >> >> >> > > > R> It would be good if you sat down and looked carefully at the
> >> >> >> > > > R> threads. The poor man had asked about iptables. Just for the
> >> >> >> > > > R> sake of it, look back and you'll see that you're giving
> >> >> >> > > > R> slightly off answers. The thing about opening your eyes...
> >> >> >> > > > R> is very true. It starts right from the first mail....
> >> >> >> > > > R> For documentation purposes... I'm listing it below... I hope
> >> >> >> > > > R> you won't get upset with me, but it seems to me it says
> >> >> >> > > > R> iptables. I know this because I finished first grade with
> >> >> >> > > > R> honors... :))
> >> >> >> > > >
> >> >> >> > > > R> Be good,
> >> >> >> > > > R> Radu.
> >> >> >> > > >
> >> >> >> > > > R> -------------------------------------------------------------
> >> >> >> > > > R> Hi,
> >> >> >> > > >
> >> >> >> > > > R> I have a firewall script, made with iptables, on a gateway
> >> >> >> > > > R> that has "DROP" as the policy on the forward chain and allows
> >> >> >> > > > R> users from the local network to connect, on the internet,
> >> >> >> > > > R> only to ports 80, 25, 110.
> >> >> >> > > > R> My idea would be that people from the local network could only
> >> >> >> > > > R> go out on web and mail.
> >> >> >> > > > R> The problem appears when ICQ or YM uses any port to connect
> >> >> >> > > > R> outside and attaches to a multitude of addresses. So people
> >> >> >> > > > R> from the local network can chat freely.
> >> >> >> > > > R> Can someone tell me how this trouble gets solved?
> >> >> >> > > >
> >> >> >> > > > R> --
> >> >> >> > > > R> Thanks in advance,
> >> >> >> > > > R> Liviu
> >> >> >> > > > R> mailto:[EMAIL PROTECTED]
> >> >> >> > > >
> >> >> >> > > > R> ---
> >> >> >> > > > R> Details about our mailing lists: http://www.lug.ro/
> >> >> >> > > > R> -------------------------------------------------------------
> >> >> >> > > >
> >> >> >> > > > R> ----- Original Message -----
> >> >> >> > > > R> From: "Knight" <[EMAIL PROTECTED]>
> >> >> >> > > > R> To: "Radu" <[EMAIL PROTECTED]>
> >> >> >> > > > R> Sent: Tuesday, October 14, 2003 7:55 AM
> >> >> >> > > > R> Subject: [rlug] Re: ICQ & YM and firewall
> >> >> >> > > >
> >> >> >> > > > >> Radu,
> >> >> >> > > > >>
> >> >> >> > > > >> did you even read what I wrote?
> >> >> >> > > > >> the guy who posted the thread asked for help with ipchains
> >> >> >> > > > >> so don't jump on me
> >> >> >> > > > >> alphabet my foot, it's a matter of following a thread and
> >> >> >> > > > >> opening your eyes wide :))
> >> >> >> > > > >>
> >> >> >> > > > >> Wednesday, October 15, 2003, 1:48:55 AM, you wrote:
> >> >> >> > > > >>
> >> >> >> > > > >> R> Old man, IPTABLES. Not ipchains.
> >> >> >> > > > >> R> A matter of alphabet.
> >> >> >> > > > >> R> ----- Original Message -----
> >> >> >> > > > >> R> From: "Knight" <[EMAIL PROTECTED]>
> >> >> >> > > > >> R> To: "Dekxter X." <[EMAIL PROTECTED]>
> >> >> >> > > > >> R> Sent: Tuesday, October 14, 2003 7:01 AM
> >> >> >> > > > >> R> Subject: [rlug] Re: ICQ & YM and firewall
> >> >> >> > > > >>
> >> >> >> > > > >> >> Dekxter,
> >> >> >> > > > >> >>
> >> >> >> > > > >> >> yes, but the guy specified that he wants ipchains
> >> >> >> > > > >> >> :(((((((
> >> >> >> > > > >> >> I think it was -y in ipchains :)) instead of --syn
> >> >> >> > > > >> >>
> >> >> >> > > > >> >> Monday, October 13, 2003, 6:32:40 PM, you wrote:
> >> >> >> > > > >> >>
> >> >> >> > > > >> >> DX> you'll have to modify FORWARD with:
> >> >> >> > > > >> >>
> >> >> >> > > > >> >> DX> iptables --policy FORWARD DROP
> >> >> >> > > > >> >>
> >> >> >> > > > >> >> DX> iptables -A FORWARD -d 192.168.0.0/24 -p tcp --dport 25 --jump ACCEPT
> >> >> >> > > > >> >> DX> iptables -A FORWARD -d 192.168.0.0/24 -p tcp --dport 80 --jump ACCEPT
> >> >> >> > > > >> >> DX> iptables -A FORWARD -d 192.168.0.0/24 -p tcp --dport 110 --jump ACCEPT
> >> >> >> > > > >> >> DX> iptables -A FORWARD -d 192.168.0.0/24 -p tcp --dport 143 --jump ACCEPT
> >> >> >> > > > >> >> DX> # these 4 rules are for access to any address for
> >> >> >> > > > >> >> DX> # mail via POP3, IMAP, sending, and www
> >> >> >> > > > >> >>
> >> >> >> > > > >> >> DX> iptables -A FORWARD -d 192.168.0.0/24 -p tcp --syn --jump DROP
> >> >> >> > > > >> >> DX> iptables -A FORWARD -s 192.168.0.0/24 -p tcp --syn --jump DROP
> >> >> >> > > > >> >> DX> # these 2 rules reject any attempt to initiate a connection
> >> >> >> > > > >> >> DX> # into the local network or from the local network towards the internet
> >> >> >> > > > >> >>
> >> >> >> > > > >> >> DX> iptables -A FORWARD -d 192.168.0.0/24 -p tcp --jump ACCEPT
> >> >> >> > > > >> >> DX> # this rule accepts any other kind of tcp connection
> >> >> >> > > > >> >>
> >> >> >> > > > >> >> DX> # man iptables
> >> >> >> > > > >> >>
> >> >> >> > > > >> >> DX> [!] --syn
> >> >> >> > > > >> >> DX> Only match TCP packets with the SYN bit set and the ACK and RST
> >> >> >> > > > >> >> DX> bits cleared. Such packets are used to request TCP connection
> >> >> >> > > > >> >> DX> initiation; for example, blocking such packets coming in an interface
> >> >> >> > > > >> >> DX> will prevent incoming TCP connections, but outgoing TCP connections will
> >> >> >> > > > >> >> DX> be unaffected.
> >> >> >> > > > >> >> DX> It is equivalent to --tcp-flags SYN,RST,ACK SYN. If the "!" flag
> >> >> >> > > > >> >> DX> precedes the "--syn", the sense of the option is inverted.
> >> >> >> > > > >> >>
> >> >> >> > > > >> >> DX> ps: if I'm wrong please correct me ...
> >> >> >> > > > >> >>
> >> >> >> > > > >> >> DX> Liviu wrote:
> >> >> >> > > > >> >>
> >> >> >> > > > >> >> >> Hi,
> >> >> >> > > > >> >> >> My idea would be that people from the local network could only
> >> >> >> > > > >> >> >> go out on web and mail.
> >> >> >> > > > >> >>
> >> >> >> > > > >> >> --
> >> >> >> > > > >> >> Best regards,
> >> >> >> > > > >> >> Knight
> >> >> >> > > > >> >>
> >> >> >> > > > >> >> This message was brought to you by the numbers 0 and 1.
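As an added example that is not part of the thread, this is how the point in the top message (outbound SSH on an arbitrary port can only be recognised from the content of the packets that open the connection) can be checked from the gateway's side: every SSH peer sends an RFC 4253 identification string ("SSH-2.0-...") as its first bytes, so an egress monitor can flag LAN-to-outside flows whose first payload is such a banner whatever the destination port, while exempting an allow list of hosts like the one in Knight's rules. The Flow record and the sample flows are constructed for the example; the LAN prefix 192.168.0.0/24 and the ports 57233 and 23581 come from the thread.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# RFC 4253 identification string, sent by BOTH peers as the first bytes on
# the connection: "SSH-protoversion-softwareversion [SP comments] CR LF".
SSH_BANNER = re.compile(rb"^SSH-(2\.0|1\.99|1\.5)-[\x21-\x7e]+( [\x20-\x7e]*)?\r?\n")

@dataclass
class Flow:                 # constructed record type, not from any capture tool
    src: str                # client address
    dst: str                # server address
    dport: int              # server port, whatever the server admin chose
    first_payload: bytes    # first client->server application-layer bytes

def is_ssh(payload: bytes) -> bool:
    """True if the first payload bytes form an SSH identification string."""
    return SSH_BANNER.match(payload) is not None

def ssh_egress_violations(flows: Iterable[Flow], lan_cidr: str,
                          allowed_sources: Iterable[str] = ()) -> List[Tuple[str, str, int]]:
    """LAN-to-outside flows that carry SSH from a host not on the allow list.
    The destination port is never consulted; only the banner decides."""
    lan = ipaddress.ip_network(lan_cidr)
    allowed = {ipaddress.ip_address(a) for a in allowed_sources}
    hits = []
    for f in flows:
        src, dst = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
        if src not in lan or dst in lan:   # only LAN -> outside counts as egress
            continue
        if src in allowed or not is_ssh(f.first_payload):
            continue
        hits.append((f.src, f.dst, f.dport))
    return hits

# Constructed sample flows (not real captures); 57233 and 23581 are the ports DU mentions.
SAMPLE_FLOWS = [
    Flow("192.168.0.5", "203.0.113.7", 22, b"SSH-2.0-OpenSSH_3.6.1p2\r\n"),
    Flow("192.168.0.5", "203.0.113.8", 57233, b"SSH-2.0-PuTTY_Release_0.53b\r\n"),
    Flow("192.168.0.10", "203.0.113.9", 23581, b"SSH-1.99-OpenSSH_3.4p1\r\n"),  # allowed host
    Flow("192.168.0.6", "203.0.113.7", 80, b"GET / HTTP/1.1\r\nHost: example\r\n"),
    Flow("192.168.0.6", "203.0.113.7", 22, b"HELO mail\r\n"),                  # port 22, not SSH
    Flow("198.51.100.4", "192.168.0.5", 22, b"SSH-2.0-OpenSSH_3.6.1p2\r\n"),   # inbound, not egress
]

def find_violations() -> List[Tuple[str, str, int]]:
    return ssh_egress_violations(SAMPLE_FLOWS, "192.168.0.0/24", ["192.168.0.10"])
```

The same banner test is what a content-aware firewall rule would have to apply to the first data packet of each new outbound TCP connection, since a plain port match cannot see it.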
