From: Ralph Blach <rblach@intrex.net>
To: Richard Horton <richard.horton@solstans.co.uk>
Cc: netfilter@vger.kernel.org
Subject: Re: correct net fitler rule
Date: Sat, 31 Oct 2009 15:37:01 -0400
Message-ID: <4AEC91DD.7040009@intrex.net>
In-Reply-To: <56378e320910280553o7e7f246fk8f3dbe5f6f7fb5c8@mail.gmail.com>
I am not so good at writing what I wish to accomplish.
I am often not at home and wish to access my system. That means when I
ssh into my machine, it will be from
an IP address of a hotel's or other ISP's network.
Internet -------| linksys firewall, 10.0.0.0/255.255.255.0, port 22 forwarded |-------| linux server |-------
For my home machine, I wish to block traffic from networks which I see in
my /var/log/secure file have attacked my machine.
(By now I have a long list, if anybody wants it.)
But for certain well-known addresses, like 10.0.0.0/255.255.255.0 and
the nameserver addresses, I just wish to accept those.
There seems to be a never-ending stream of break-in attempts.
In sshd, I have denied all users except 2 users with complex names
and passwords.
So:
allow the internal local network.
allow the nameservers.
deny attacking networks.
Richard Horton wrote:
> 2009/10/28 Ralph Blach <rcblach@gmail.com>:
>
>> Ok,
>>
>>
> [snip]
>
>> Since I get attacked, I want to drop and log from any attacking network.
>>
>> This happens on a daily basis, so I am constantly updating the list.
>>
>> What is the best set of rules to accomplish this?
>>
>
> If you only wish to allow traffic from your internal network and the
> external nameservers then it's simple.
>
> Set your iptables policies, as said earlier, to DROP.
>
> Then create explicit rules to accept the traffic you want in each
> chain as needed.
> If you want to log any DROP traffic then just make the LAST rule in
> each chain a logging rule...
>
> If you use DROP as a policy and only allow specific traffic you will
> not have to keep updating your rule set to block additional networks.
>
>
>
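The ruleset Richard describes, written out as an added example (this is not code from the thread or from either author): a default-DROP filter table in iptables-save format, with explicit accepts for the LAN and the resolvers and a logging rule as the last entry in INPUT. One caveat the reply leaves out: Ralph also needs SSH from hotel networks whose addresses are unknown in advance, so with a DROP policy the forwarded SSH port must be accepted explicitly from anywhere, and sshd's user restriction remains the control on who may log in. The LAN 10.0.0.0/24 comes from the diagram; the SSH port and the resolver address 192.0.2.53 (a documentation address) are assumed placeholders passed as arguments.

```shell
#!/bin/sh
# Added example, not code from the thread: emit a default-DROP filter table in
# iptables-save format for the home server behind the Linksys router, so the
# allowed traffic (LAN, resolvers, the forwarded SSH port) is explicit and
# everything else is logged, then dropped by the chain policy.
# Assumptions: the LAN is 10.0.0.0/24 as in the diagram; the resolver
# addresses and the SSH port are supplied as arguments (192.0.2.53 in the
# usage line is a documentation address, not a real nameserver).

# gen_rules LAN_CIDR SSH_PORT RESOLVER_IP...
gen_rules() {
    lan="$1"
    ssh_port="$2"
    shift 2

    printf '%s\n' '*filter'
    # Policies: default DROP on INPUT/FORWARD, so a newly attacking network
    # needs no new rule; OUTPUT is left open for the server's own traffic.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'

    # Loopback, and replies to connections the server itself initiated.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'

    # Explicit accepts: the whole LAN, then new SSH connections from anywhere,
    # since the author connects from hotel networks whose addresses are not
    # known in advance. sshd's user restriction still gates who may log in.
    printf '%s\n' "-A INPUT -s $lan -j ACCEPT"
    printf '%s\n' "-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT"

    # DNS replies from each resolver on port 53. Normal lookups are already
    # covered by the ESTABLISHED rule; listed explicitly as the thread asks.
    for resolver in "$@"; do
        printf '%s\n' "-A INPUT -s $resolver -p udp --sport 53 -j ACCEPT"
        printf '%s\n' "-A INPUT -s $resolver -p tcp --sport 53 -j ACCEPT"
    done

    # Last rule in the chain: rate-limited log of what the policy will drop.
    # No explicit DROP rule is needed; the chain policy does that.
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: " --log-level 4'
    printf '%s\n' 'COMMIT'
}

# Inspect:          gen_rules 10.0.0.0/24 22 192.0.2.53
# Apply (as root):  gen_rules 10.0.0.0/24 22 192.0.2.53 | iptables-restore
```

Because the policy drops by default, the per-network blocklist built from /var/log/secure is no longer needed for anything but SSH itself, which stays reachable on purpose; the LOG rule is rate-limited so the daily stream of attempts does not flood the system log.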
Thread overview: 6+ messages
2009-10-28 4:00 correct net fitler rule Ralph Blach
2009-10-28 10:45 ` Mart Frauenlob
2009-10-28 12:49 ` Ralph Blach
2009-10-28 12:53 ` Richard Horton
2009-10-31 19:37 ` Ralph Blach [this message]
2009-10-31 23:44 ` Richard Horton