Gentoo Archives: gentoo-user

From: Mick <michaelkintzios@×××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] IPtables question
Date: Wed, 31 Jan 2007 23:35:44
In Reply to: Re: [gentoo-user] IPtables question by Albert Hopkins
1 On Wednesday 31 January 2007 20:56, Albert Hopkins wrote:
2 > On Wed, 2007-01-31 at 15:36 -0500, James Colby wrote:
3 > > List members -
4 > >
5 > > I have a small home server that I have connected to the internet
6 > > through a linksys router and cable modem. The linksys router is
7 > > currently forwarding all ssh traffic to my gentoo box. What I would
8 > > like to do is set up iptables to only allow ssh logins from a small
9 > > number of internet hosts, and to reject and log all other ssh
10 > > attempts. Can someone please help me out with this. All of the
11 > > tutorials and documentation that I have found are setting up a fully
12 > > functioning firewall / NAT / proxy, and I think that is a little
13 > > overkill for my needs.s
14 >
15 > If you don't want the whole iptables suite you might want to consider
16 > good ole hosts.allow/hosts.deny as an alternative. They work fine with
17 > sshd if you have tcpwrappers enabled.
19 It depends how secure you want your set up to be. I always suggest to disable
20 passwd authentication and enable public key authentication, after you copy &
21 paste each client's public key in the file ~/.ssh/authorized_keys. Any
22 passwd cracking attacks will simply fail. I would also suggest that you move
23 your sshd port from 22 to a higher number. All/most of these bots scanning
24 port 22 will now leave you alone. Finally, you can set up additional layers
25 like allow/deny users, MAC addresses, etc. While you're at it, don't forget
26 disabling root logins.
28 If you want to introduce diverse protection then iptables (and as previously
29 suggested hosts.allow/hosts.deny) is an option. In your iptables script (or
30 saved set of iptables rules) add something like:
32 iptables -A INPUT -i eth0 -p tcp -s <client_ip_address> -m tcp --dport 22 -d
33 <server_LAN_ip_address> -j ACCEPT
35 Of course, I suggest that you change port 22 in the line above to a higher
36 number 'free' port. Your final catch-all rule at the bottom of your iptables
37 will drop any packets (on any port) from hosts other than the clients you
38 specified in my line above.
40 Finally, you can repeat this in your router's firewall rules, assuming that
41 you can specify WAN ip addresses (I know that you can in my hardware router,
42 but don't know in yours).
44 If any one manages to break in to the server through such a sshd setup, then
45 they bl**dy well deserve it!
47 HTH.
48 --
49 Regards,
50 Mick