| 1 |
Hi, |
| 2 |
|
| 3 |
On Wed, 9 Aug 2006 18:54:45 +0000 (UTC) |
| 4 |
James <wireless@×××××××××××.com> wrote: |
| 5 |
|
| 6 |
> Where the mac address xx...xx is the system allowed in, via ssh |
| 7 |
> and the ip.address is that of the destination (/24 based) host |
| 8 |
> The rule works well when packets have to traverse |
| 9 |
> a firewall/router as mac addresses do not get propagated (I think). |
| 10 |
|
| 11 |
No, of course not. The incoming packet will have the MAC of the router |
| 12 |
instead. Only ethernet frames carry a MAC, so there's no MAC in IP |
| 13 |
tunnels, too. |
| 14 |
|
| 15 |
> However, when I use similar syntax to prevent a system on the same |
| 16 |
> local (ethernet) segment from being able to ssh into a local system, |
| 17 |
> it does prevent ssh access, as expected. Granted MAC addresses |
| 18 |
> can be foiled, especially on the same segment, but how do I make this |
| 19 |
> rule work?: On a local segemnt how would I modify the syntax so |
| 20 |
> that only a select machine (maybe IP + MAC) could access a host, |
| 21 |
> running iptables, via ssh? |
| 22 |
|
| 23 |
Hm, by adding "-s <source IP>"? And of course, you need to change |
| 24 |
INPUT's policy to REJECT or DROP, using iptables -P INPUT DROP. Note |
| 25 |
that you probably want some rules allowing traffic local on that |
| 26 |
machine, so also allow packets coming from "lo". |
| 27 |
|
| 28 |
But you already mentioned it: There's not much point in blocking access |
| 29 |
this way since MAC addresses can as well be spoofed as IP addresses. |
| 30 |
Are you suffering from DOS attacks on your SSH server? |
| 31 |
|
| 32 |
-hwh |
| 33 |
-- |
| 34 |
gentoo-user@g.o mailing list |
Archives