| 1 |
On 8/10/06, James <wireless@×××××××××××.com> wrote: |
| 2 |
> I need a rule on the 3 (nic) interface firewall so that only |
| 3 |
> ssh from the LAN is allowed to the firewall or sytems (web |
| 4 |
> server, mail dns) in the DMZ. Only one static ip is routable |
| 5 |
> to this site. SSH from the outside should be completely blocked. |
| 6 |
> |
| 7 |
> Any ideas, examples or thoughts? |
| 8 |
|
| 9 |
Just I guess as I haven't tried this: |
| 10 |
|
| 11 |
--- |
| 12 |
IF_INTERNET=eth0 |
| 13 |
IF_DMZ=eth1 |
| 14 |
IF_LAN=eth2 |
| 15 |
|
| 16 |
# allow ssh connections from LAN to us |
| 17 |
iptables -A INPUT -i $IF_LAN -p tcp --dport 22 -j ACCEPT |
| 18 |
# allow routing of ssh connections from LAN to DMZ hosts |
| 19 |
iptables -A FORWARD -i $IF_LAN -o $IF_DMZ -p tcp --dport 22 -j ACCEPT |
| 20 |
# deny all other ssh connections |
| 21 |
iptables -A INPUT -p tcp --dport 22 -j DROP |
| 22 |
iptables -A FORWARD -p tcp --dport 22 -j DROP |
| 23 |
--- |
| 24 |
|
| 25 |
HTH, |
| 26 |
-Richard |
| 27 |
-- |
| 28 |
gentoo-user@g.o mailing list |
Archives