On 8/10/06, James <wireless@×××××××××××.com> wrote:
> I need a rule on the 3 (nic) interface firewall so that only
> ssh from the LAN is allowed to the firewall or systems (web
> server, mail, dns) in the DMZ. Only one static ip is routable
> to this site. SSH from the outside should be completely blocked.
>
> Any ideas, examples or thoughts?

Just a guess, as I haven't tried this:

---
#!/bin/sh
IF_INTERNET=eth0
IF_DMZ=eth1
IF_LAN=eth2

# allow ssh connections from LAN to us
iptables -A INPUT -i $IF_LAN -p tcp --dport 22 -j ACCEPT
# allow routing of ssh connections from LAN to DMZ hosts
iptables -A FORWARD -i $IF_LAN -o $IF_DMZ -p tcp --dport 22 -j ACCEPT
# deny all other ssh connections
# (-A appends, so these DROPs sit after the two ACCEPTs above and only
# catch what those did not match; a broader ACCEPT already present
# earlier in INPUT or FORWARD would take precedence over them)
iptables -A INPUT -p tcp --dport 22 -j DROP
iptables -A FORWARD -p tcp --dport 22 -j DROP
---

HTH,
-Richard
--
gentoo-user@g.o mailing list
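The rules in Richard's reply can be checked offline before they are loaded, by replaying representative packets through a first-match model of the two chains. The script below is an added example, not code from the thread or from any project: it encodes the four posted rules with the interface names from the script, evaluates them the way iptables walks a chain (first matching rule wins, otherwise the chain policy), and also shows the one caveat the snippet leaves open. The replies of an accepted LAN-to-DMZ SSH session travel DMZ-to-LAN with the client's ephemeral port as destination, so none of the dport-22 rules match them and the chain's default policy decides; the `STATE_RULES` list, a conntrack ESTABLISHED/RELATED accept placed ahead of the posted rules, is an assumption added here to show how that gap is usually closed. The `Packet`/`Rule` classes, `verdict` and `check_policy` are illustration names, not iptables APIs.

```python
"""Added example: offline first-match simulation of the posted SSH rules."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Interface names exactly as in the posted script
IF_INTERNET = "eth0"
IF_DMZ = "eth1"
IF_LAN = "eth2"


@dataclass(frozen=True)
class Packet:
    chain: str             # "INPUT" (to the firewall) or "FORWARD" (through it)
    in_if: str
    out_if: Optional[str]  # None for INPUT
    proto: str
    dport: int
    state: str = "NEW"     # conntrack state: NEW, ESTABLISHED or RELATED


@dataclass(frozen=True)
class Rule:
    """One iptables rule; a None field means 'match anything' for that field."""
    chain: str
    target: str
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    states: Optional[frozenset] = None

    def matches(self, pkt: Packet) -> bool:
        return (
            self.chain == pkt.chain
            and (self.in_if is None or self.in_if == pkt.in_if)
            and (self.out_if is None or self.out_if == pkt.out_if)
            and (self.proto is None or self.proto == pkt.proto)
            and (self.dport is None or self.dport == pkt.dport)
            and (self.states is None or pkt.state in self.states)
        )


# The four rules from the posted script, in the order "iptables -A" appends them
POSTED_RULES: List[Rule] = [
    Rule("INPUT",   "ACCEPT", in_if=IF_LAN, proto="tcp", dport=22),
    Rule("FORWARD", "ACCEPT", in_if=IF_LAN, out_if=IF_DMZ, proto="tcp", dport=22),
    Rule("INPUT",   "DROP",   proto="tcp", dport=22),
    Rule("FORWARD", "DROP",   proto="tcp", dport=22),
]

# Assumption (not in the posted script): the usual stateful accept that lets
# replies of already-accepted sessions back through, placed before the rest.
STATE_RULES: List[Rule] = [
    Rule("INPUT",   "ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"})),
    Rule("FORWARD", "ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"})),
]


def verdict(pkt: Packet, rules: List[Rule], policy: str = "DROP") -> str:
    """Walk the chain like iptables: first matching rule wins, else chain policy."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy


def check_policy(rules: List[Rule], policy: str = "DROP") -> Dict[str, str]:
    """Replay constructed sample packets for each path the question cares about."""
    cases = {
        "lan_to_fw":        Packet("INPUT",   IF_LAN,      None,        "tcp", 22),
        "inet_to_fw":       Packet("INPUT",   IF_INTERNET, None,        "tcp", 22),
        "dmz_to_fw":        Packet("INPUT",   IF_DMZ,      None,        "tcp", 22),
        "lan_to_dmz":       Packet("FORWARD", IF_LAN,      IF_DMZ,      "tcp", 22),
        "inet_to_dmz":      Packet("FORWARD", IF_INTERNET, IF_DMZ,      "tcp", 22),
        "lan_to_inet":      Packet("FORWARD", IF_LAN,      IF_INTERNET, "tcp", 22),
        # reply of an accepted LAN->DMZ session: dport is the client's ephemeral port
        "dmz_reply_to_lan": Packet("FORWARD", IF_DMZ, IF_LAN, "tcp", 51234, state="ESTABLISHED"),
    }
    return {name: verdict(pkt, rules, policy) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, result in check_policy(POSTED_RULES).items():
        print(f"posted rules only   {name:18} {result}")
    for name, result in check_policy(STATE_RULES + POSTED_RULES).items():
        print(f"with state rules    {name:18} {result}")
```

Running it shows every SSH path the question names behaving as intended with the posted rules alone, plus two things worth knowing before loading them: the catch-all FORWARD drop also blocks SSH from the LAN out to the Internet, and the DMZ-to-LAN reply packet is decided by the FORWARD chain's default policy unless a state rule precedes the posted ones.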