Richard Fish <bigfish <at> asmallpond.org> writes:

> > I need a rule on the 3 (nic) interface firewall so that only
> > ssh from the LAN is allowed to the firewall or systems (web
> > server, mail dns) in the DMZ. Only one static ip is routable
> > to this site. SSH from the outside should be completely blocked.

> # allow ssh connections from LAN to us
> iptables -A INPUT -i $IF_LAN -p tcp --dport 22 -j ACCEPT
> # allow routing of ssh connections from LAN to DMZ hosts
> iptables -A FORWARD -i $IF_LAN -o $IF_DMZ -p tcp --dport 22 -j ACCEPT
> # deny all other ssh connections
> iptables -A INPUT -p tcp --dport 22 -j DROP
> iptables -A FORWARD -p tcp --dport 22 -j DROP


Richard,

These rules worked like a charm. I had something similar, but had
the syntax messed up.
thx.

Now I have ONE big problem.
Spammers. (I think).

Running a sniffer between my firewall and the cable box's
ethernet (single static IP),
I see:

hackIP myIP TCP smtp > 55634 (RST,ACK) Seq=0 ACK=1 WIN=0 LEN=0 MSS=1460
myIP hackIP TCP 55634 > smtp (SYN) Seq=0 ACK=1 WIN=0 LEN=0
hackIP myIP TCP smtp > 55634 (RST,ACK) Seq=0 ACK=1 WIN=0 LEN=0 MSS=1460
myIP hackIP TCP 55634 > smtp (SYN) Seq=0 ACK=1 WIN=0 LEN=0
hackIP myIP TCP smtp > 55634 (RST,ACK) Seq=0 ACK=1 WIN=0 LEN=0 MSS=1460
myIP hackIP TCP 55634 > smtp (SYN) Seq=0 ACK=1 WIN=0 LEN=0

Last night I saw this for a while and then a storm of smtp traffic.
This site does not even run a mail server and all systems were
shut down except for the firewall and the sniffer.

This explains why this site is listed as a spammer site...
Somebody has been reflecting email off of this site for some time,
I suspect.

Got any idea for a (iptables) syntax to stop this? Do I need to
reinstall the system (gentoo-hardened firewall)???????

thoughts and ideas are welcome.

--
gentoo-user@g.o mailing list
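The sniffer lines in the post only become meaningful once you separate direction: who sent the SYN to port 25, and who answered with RST/ACK. The script below is an added example, not part of the thread and not code from any of the posters. It parses one-line-per-packet summaries in the shape shown above ("src dst TCP sport > dport (FLAGS) ..."), counts outbound SMTP connection attempts sourced from the site's own public address per remote host, the RST/ACKs that come back, and any inbound SYNs to port 25. The IP addresses, the service-name table and the sample capture are constructed for the example; a site that runs no mail server should expect the outbound count to be zero, so a non-zero count points at something on or behind the firewall originating mail traffic rather than at inbound probing.

```python
"""Summarize SMTP SYN/RST activity from sniffer one-line packet summaries.

Added example (not from the mailing-list thread).  Input lines follow the
layout quoted in the post:  "src dst TCP sport > dport (FLAGS) Seq=... ..."
Ports may be numeric or a service name such as "smtp".
"""
import re
from collections import Counter

# One regex for the summary layout; everything after the flags is ignored.
LINE_RE = re.compile(
    r"^(?P<src>\S+)\s+(?P<dst>\S+)\s+TCP\s+(?P<sport>\S+)\s*>\s*(?P<dport>\S+)"
    r"\s+\((?P<flags>[A-Z,]+)\)"
)

# Minimal service-name table (assumption: the sniffer prints these names).
SERVICE_PORTS = {"smtp": 25, "ssh": 22, "http": 80, "https": 443}


def port_number(token):
    """Turn '55634' or 'smtp' into an int; unknown service names give None."""
    if token.isdigit():
        return int(token)
    return SERVICE_PORTS.get(token.lower())


def parse_line(line):
    """Parse one summary line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "src": m["src"],
        "dst": m["dst"],
        "sport": port_number(m["sport"]),
        "dport": port_number(m["dport"]),
        "flags": set(m["flags"].split(",")),
    }


def summarize_smtp(lines, my_ip):
    """Per remote host: SYNs my_ip sent to port 25, RST/ACKs returned from
    port 25, and inbound SYNs aimed at my_ip:25 (probes/deliveries)."""
    outbound_syn, inbound_rst, inbound_syn = Counter(), Counter(), Counter()
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue  # non-packet line (header, blank, other protocol)
        if pkt["src"] == my_ip and pkt["dport"] == 25 and pkt["flags"] == {"SYN"}:
            outbound_syn[pkt["dst"]] += 1        # we are opening SMTP sessions
        elif pkt["dst"] == my_ip and pkt["sport"] == 25 and "RST" in pkt["flags"]:
            inbound_rst[pkt["src"]] += 1         # remote MTA refused us
        elif pkt["dst"] == my_ip and pkt["dport"] == 25 and pkt["flags"] == {"SYN"}:
            inbound_syn[pkt["src"]] += 1         # someone trying to reach our :25
    return {
        "outbound_syn": dict(outbound_syn),
        "inbound_rst": dict(inbound_rst),
        "inbound_syn": dict(inbound_syn),
    }


def verdict(summary):
    """Plain-language reading of the counts for a site with no mail server."""
    outbound = sum(summary["outbound_syn"].values())
    if outbound:
        return ("outbound-smtp", outbound)   # our address is sourcing mail
    inbound = sum(summary["inbound_syn"].values())
    if inbound:
        return ("inbound-smtp-probes", inbound)
    return ("clean", 0)


# Constructed sample capture in the post's format; 192.0.2.10 stands in for
# "myIP", the 198.51.100.x / 203.0.113.x hosts for the remote side.
MY_IP = "192.0.2.10"
SAMPLE_CAPTURE = """\
198.51.100.7 192.0.2.10 TCP smtp > 55634 (RST,ACK) Seq=0 ACK=1 WIN=0 LEN=0 MSS=1460
192.0.2.10 198.51.100.7 TCP 55634 > smtp (SYN) Seq=0 ACK=1 WIN=0 LEN=0
198.51.100.7 192.0.2.10 TCP smtp > 55634 (RST,ACK) Seq=0 ACK=1 WIN=0 LEN=0 MSS=1460
192.0.2.10 198.51.100.7 TCP 55634 > smtp (SYN) Seq=0 ACK=1 WIN=0 LEN=0
192.0.2.10 203.0.113.25 TCP 55640 > smtp (SYN) Seq=0 ACK=1 WIN=0 LEN=0
203.0.113.80 192.0.2.10 TCP 44123 > smtp (SYN) Seq=0 ACK=1 WIN=0 LEN=0
192.0.2.10 203.0.113.80 TCP 55700 > ssh (SYN) Seq=0 ACK=1 WIN=0 LEN=0
""".splitlines()

if __name__ == "__main__":
    s = summarize_smtp(SAMPLE_CAPTURE, MY_IP)
    for host, n in sorted(s["outbound_syn"].items()):
        print(f"{MY_IP} -> {host}:25  SYNs={n}  RST/ACK back={s['inbound_rst'].get(host, 0)}")
    print(verdict(s))
```

Run it against a real capture by feeding the sniffer's text summary (one packet per line) in place of SAMPLE_CAPTURE. If the verdict is "outbound-smtp", the next question is which interface the SYNs enter on: a SYN first seen on the LAN or DMZ interface points at a compromised or misconfigured internal host that the FORWARD chain is passing, while one that appears only on the outside interface was generated by the firewall itself. While that is being investigated, the standard iptables containment is to log and then drop NEW connections to tcp/25 in the FORWARD chain (and in OUTPUT, for the firewall's own traffic) for anything other than an authorized mail relay, so the capture shows the log entries and the remote MTAs stop seeing the site.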