Rick,
I do. I don't know whether it makes any difference or not your using the
multiport keyword (I would imagine not), but I use three '-m' statements
on one line, as in:
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m limit --limit 2/minute --limit-burst 2 -m state --state NEW -j ACCEPT
Without wishing to join the debate others have initiated about DNS, NTP,
etc., I would suggest that if you are going to open 22 up to the big bad
world, you at least rate limit the connection[1] so as to avoid DoS,
dictionary attacks and the like.
Likewise, as mentioned previously by someone else, a very limited ping
enables connectivity checking.
-A INPUT -i eth0 -p icmp --icmp-type any -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
Finally, the second rule will still presently allow established
connections from ethY, ethZ, ethA, ethB, ethC (you get the picture) IF
they exist on the host.
[1] Depending upon your needs.
------------------------------------------------------------------------
Kind Regards
Kyle
[email protected] wrote:
Kyle, apologies for the top posting - mail2web is a bit dumb at this.
Do you mean that the script should look like this
iptables -A INPUT -m state --state NEW -m multiport -p tcp --dport www,ssh -i ethX -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -j DROP
iptables -A OUTPUT -o ethX -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o ethX -j DROP
Can you have two -m statements on the one line?
Regards,
Rick
No guarantees, as I'd have to think about it a bit more, but....
I would think you might want to add '-m state --state NEW' to the first
rule otherwise the 2nd rule is irrelevant.
The 2nd rule will presently allow ALL established connections from
anywhere that managed to get in to the machine (from other interfaces as
well)
If you want B to talk to A ONLY, add a '-o ethX' to the 3rd rule.
Then you also need a 'iptables -A INPUT -j DROP' (depending on the line
above, add a '-i ethX' to this)
I think...
------------------------------------------------------------------------
Kind Regards
Kyle
Rick Phillips wrote:
I am not very good at IPTables and was seeking opinions as to whether
this formula would work to fully block a connection from computer A to B
but allow ssh and web only from B to A. The tables would reside on A.
iptables -A INPUT -m multiport -p tcp --dport www,ssh -i ethX -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o ethX -j DROP
The network is off site and quite a distance away with no external admin
so I would like to have it "right" before I visit.
Thanks in advance.
Rick
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
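The ruleset this thread converges on (NEW-only accepts on the B-facing interface, rate-limited ssh, a limited ping, an INPUT drop, and nothing new leaving A towards B), written as a shell function so it can be printed and reviewed before it is applied. This is an added example, not code from the thread or from any of its participants. The interface name eth1, the 2/minute ssh limit, port 80 for "www", the 1/second ping limit and the lint_rules helper are all assumptions that do not come from the original posts.

```shell
#!/bin/sh
# Added example, not from the thread: the ruleset the discussion converges
# on, for host A with the link to B on one interface. Assumed, not from the
# original posts: interface eth1, 2 new ssh connections/minute, port 80 for
# "www", ping limited to 1/second.
#
# build_rules CMD IFACE
#   Emits one command per rule through CMD, so "build_rules 'echo iptables' eth1"
#   prints the ruleset for review and "build_rules iptables eth1" (as root)
#   applies it to the running firewall.
build_rules() {
    ipt=$1
    iface=$2

    # Rick's second and third rules, deliberately not scoped to an interface:
    # they only pass packets of connections conntrack already knows, i.e.
    # sessions a rule below accepted as NEW, or A's own outbound sessions on
    # other interfaces (Kyle's point about ethY, ethZ and friends).
    $ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $ipt -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Kyle's rate limit on new ssh from B. The second rule drops whatever
    # exceeds the limit so it cannot fall through to a later accept.
    $ipt -A INPUT -i "$iface" -p tcp --dport 22 -m state --state NEW \
        -m limit --limit 2/minute --limit-burst 2 -j ACCEPT
    $ipt -A INPUT -i "$iface" -p tcp --dport 22 -m state --state NEW -j DROP

    # New web connections from B. '--state NEW' is what Kyle asked for:
    # without it this rule also passes established traffic and makes the
    # RELATED,ESTABLISHED rule above irrelevant.
    $ipt -A INPUT -i "$iface" -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # Kyle's "very limited ping" for connectivity checks.
    $ipt -A INPUT -i "$iface" -p icmp --icmp-type echo-request \
        -m limit --limit 1/second -j ACCEPT

    # The INPUT drop Rick's first draft lacked, scoped to the B-facing link.
    $ipt -A INPUT -i "$iface" -j DROP

    # Rick's last rule: nothing new leaves A towards B; only the replies
    # accepted by the OUTPUT RELATED,ESTABLISHED rule pass.
    $ipt -A OUTPUT -o "$iface" -j DROP
}

# lint_rules reads a ruleset (one rule per line) on stdin and reports any
# port-matching ACCEPT that lacks '--state NEW'. Such a rule also admits
# established traffic, the flaw Kyle pointed out in Rick's first rule.
# Returns 1 if it finds one, 0 otherwise.
lint_rules() {
    bad=$(grep -- '-j ACCEPT' | grep -- '--dport' | grep -v -- '--state NEW') || :
    if [ -n "$bad" ]; then
        echo "missing --state NEW:"
        echo "$bad"
        return 1
    fi
    return 0
}

# Print the ruleset (IPT=iptables applies it instead), then lint it;
# a clean ruleset prints nothing from the lint and exits 0.
build_rules "${IPT:-echo iptables}" "${IFACE:-eth1}"
build_rules 'echo iptables' "${IFACE:-eth1}" | lint_rules
```

Two caveats on the rate limit as the thread describes it: `-m limit` is a single token bucket shared by every source, so an attacker hammering port 22 also uses up the budget a legitimate login needs; per-source limiting with `-m recent` is the usual refinement. And `-m state` is the older spelling of `-m conntrack --ctstate`; current iptables still accepts it, so the rules above work as written.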