From mboxrd@z Thu Jan 1 00:00:00 1970
From: James Turnbull
Subject: Re: SSH allow only form selected IP'
Date: Sat, 14 Aug 2004 21:42:58 +1000
Sender: linux-admin-owner@vger.kernel.org
Message-ID: <411DFAC2.9050405@lovedthanlost.net>
References: <20040814163121.5491.SAVAGE-GARDEN@hanikamail.com> <411DEF5D.5040903@lovedthanlost.net> <20040814171609.5498.SAVAGE-GARDEN@hanikamail.com>
In-Reply-To: <20040814171609.5498.SAVAGE-GARDEN@hanikamail.com>
To: Kev
Cc: linux-admin@vger.kernel.org, linux-config@vger.kernel.org

Kev wrote:

>>e your firewall rules. Something like:
>>
>>iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED -s 192.168.0.0/24 --dport 22 -j ACCEPT
>>iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -d 192.168.0.0/24 --sport 22 -j ACCEPT
>>
>>Where 192.168.0.0/24 is the range you are allowing.
>
>anyway i can do this with the SSH config ?
>
>i can use the iptables rules for 2-3 IP ranges ?

Have a read of:

http://www.oreilly.com/catalog/sshtdg/chapter/ch08.html#45775

The firewall rules, yes, you can do more than one subnet:

iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED -s 192.168.0.0/24 --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -d 192.168.0.0/24 --sport 22 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED -s 10.0.0.0/24 --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -d 10.0.0.0/24 --sport 22 -j ACCEPT

etc etc

Regards

James
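The per-subnet rule pairs from the message above, generated for a list of ranges. This is an added example, not part of the original message: the names `ALLOWED_RANGES`, `valid_cidr` and `ssh_rules` are hypothetical, and the closing DROP rule is an assumption about the rest of the ruleset, since ACCEPT rules restrict nothing unless the chain policy or a later rule drops other SSH traffic.

```shell
#!/bin/sh
# Added example: print (not apply) iptables rules that accept SSH only from
# the listed source ranges, so the output can be reviewed before it is run.

# Constructed sample input: the two ranges used in the message.
ALLOWED_RANGES="192.168.0.0/24 10.0.0.0/24"

# valid_cidr: succeed only for a dotted-quad IPv4 address with a /0-/32 prefix.
# Rejecting anything else keeps malformed input out of the generated rules.
valid_cidr() {
    echo "$1" | awk -F'[./]' '
        NF != 5 { exit 1 }
        { for (i = 1; i <= 5; i++) if ($i !~ /^[0-9]+$/) exit 1
          for (i = 1; i <= 4; i++) if ($i > 255) exit 1
          if ($5 > 32) exit 1 }'
}

# ssh_rules: print the rule set for the ranges given as arguments.
# Returns 1 and prints no rules if the list is empty or any range is malformed,
# so a typo never yields a half-built ruleset ending in DROP.
ssh_rules() {
    [ "$#" -gt 0 ] || { echo "no ranges given" >&2; return 1; }
    for net in "$@"; do
        valid_cidr "$net" || { echo "bad range: $net" >&2; return 1; }
    done
    for net in "$@"; do
        # Same rule pair as in the message, one pair per allowed range.
        echo "iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED -s $net --dport 22 -j ACCEPT"
        echo "iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -d $net --sport 22 -j ACCEPT"
    done
    # Assumption (not in the message): the INPUT policy is not already DROP,
    # so everything else aimed at port 22 is dropped explicitly. Appended with
    # -A, it must come after the ACCEPT rules because the first match wins.
    echo "iptables -A INPUT -p tcp --dport 22 -j DROP"
}

# Word splitting of the list is intended here.
ssh_rules $ALLOWED_RANGES
```

Review the printed rules, then pipe them to `sh` as root from a console session, since a mistake in the ranges cuts off the SSH session applying them.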