From: varun <varun_saa@rediffmail.com>
To: former03 | Baltasar Cevc <baltasar.cevc@former03.de>
Cc: netfilter@lists.netfilter.org,
Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
Subject: Re: no ssh on eth0
Date: Wed, 02 Aug 2006 19:45:25 +0530
Message-ID: <1154528126.4933.1.camel@nirvana.aurokruti.in>
In-Reply-To: <98ab1181f512c188a486f7e3667bb2c4@former03.de>
Thanks all, for the detailed discussion.
Varun
On Sun, 2006-07-30 at 19:17 +0200, former03 | Baltasar Cevc wrote:
> Hi Pascal, hi everybody,
>
> > Does this mean you wanted to reply to the list instead of me alone ?
> >
> >>>>> iptables -I INPUT -i eth0 -p tcp --dport 22 -j DROP
> >>>
> >>> If the goal is to prevent *incoming* SSH connections on eth0.
> >> Outgoing would be *something like*
> >> iptables -A OUTPUT -i eth0 --dport 22 -j DROP (connections from
> >> the box to outerspace)
> >> iptables -A OUTPUT -i eth0 --dport 22 -j DROP (from LAN to
> >> outerspace if the box routes that)
> >
> > In the second rule I think you meant FORWARD instead of OUTPUT.
> >
> >>>> ListenAddress 192.168.222.3
> >>>
> >>> This alone is not enough to prevent connections on eth0. You can
> >>> connect to any host address on any interface. E.g. connect to eth1
> >>> address on eth0 interface and vice versa.
> >> Well, if it's the common setup of eth0 (some "real" non-private IP)
> >> and a private ip for eth1 it will work more or less as expected, as
> >> packets won't find the route to 192.168.222.3 (to keep the example
> >> IP), because it is just valid in private networks.
> >
> > It won't work when the client is on the same network as eth0, or can
> > alter the routing to the server. Your assertion relies on a third
> > party's (the ISP) routing and on the assumption that only packets with
> > the public IP address can hit eth0. I wouldn't like my security to
> > rely on a third party. Would you ?
> >
> >> From my point of view the sshd_config solution is nicer in any case,
> >> you should add some rules like the following on a WAN-LAN router to
> >> prevent (some) spoofed packets from entering - they will prevent the
> >> connection here (if SSH is bound internally only):
> >> iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
> >> iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP (I haven't
> >> verified this /12 mask, you should check the RFCs to be sure)
> >
> > The /12 prefix length is correct.
> >
> >> iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
> >> iptables -A INPUT -i eth1 -s <external IP> -j DROP
> >> [These routes mean that packets with local addresses should not come
> >> from outside and vice versa].
> >
> > But these rules don't prevent connecting from a public source address
> > to the private IP address on the public interface.
> You're right, of course - I thought of a firewall situation with NAT -
> in that case I'd add
> iptables -A INPUT -i eth0 -d 192.168.0.0/16 -j DROP.
>
> That said, I really thought too much about a natted link - so I correct
> myself and say:
> I would not only do a packet filter block but also (which was the part
> I forgot to say) change the listening address, to have kind of double
> protection.
>
> Baltasar
>
> --
> Baltasar Cevc
>
> _____ former 03 gmbh
> _____ infanteriestraße 19 haus 6 eg
> _____ D-80797 muenchen
>
> _____ http://www.former03.de
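The gap Pascal points out (a public source address reaching the private IP on eth0) and the extra `-d 192.168.0.0/16` rule Baltasar adds in response, as an added Python model of the INPUT chain. This is not code from the thread; it assumes eth0 is the WAN side, eth1 the LAN side, and uses a TEST-NET-3 address as a placeholder for the thread's `<external IP>`.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the INPUT chain discussed in the thread; not the posters'
# own scripts. Assumed interface roles: eth0 = WAN, eth1 = LAN.
# Each rule is (in_iface, src_net, dst_net); None means "any". Every rule DROPs.
EXTERNAL_IP = "203.0.113.5"  # placeholder for the thread's <external IP> (TEST-NET-3)

ANTI_SPOOF = [
    ("eth0", "192.168.0.0/16", None),     # -i eth0 -s 192.168.0.0/16 -j DROP
    ("eth0", "172.16.0.0/12", None),      # -i eth0 -s 172.16.0.0/12  -j DROP
    ("eth0", "10.0.0.0/8", None),         # -i eth0 -s 10.0.0.0/8     -j DROP
    ("eth1", EXTERNAL_IP + "/32", None),  # -i eth1 -s <external IP>  -j DROP
]
# Baltasar's addition after Pascal's objection: -i eth0 -d 192.168.0.0/16 -j DROP
DST_PRIVATE = [("eth0", None, "192.168.0.0/16")]

SSHD_LISTEN = {"192.168.222.3"}  # the ListenAddress used as the thread's example


def dropped(rules, in_iface, src, dst):
    """First-match walk of the chain: True if some DROP rule matches the packet."""
    s, d = ip_address(src), ip_address(dst)
    for iface, src_net, dst_net in rules:
        if iface is not None and iface != in_iface:
            continue
        if src_net is not None and s not in ip_network(src_net):
            continue
        if dst_net is not None and d not in ip_network(dst_net):
            continue
        return True
    return False


def reaches_sshd(rules, in_iface, src, dst, listen=SSHD_LISTEN):
    """Linux hands a packet for any local address to the socket regardless of
    the arrival interface, so ListenAddress only filters on dst; the packet
    filter has to enforce the interface."""
    return not dropped(rules, in_iface, src, dst) and dst in listen


if __name__ == "__main__":
    # Public client on the eth0 side aiming at the LAN address: Pascal's gap.
    print(reaches_sshd(ANTI_SPOOF, "eth0", "198.51.100.7", "192.168.222.3"))  # True
    print(reaches_sshd(ANTI_SPOOF + DST_PRIVATE, "eth0", "198.51.100.7", "192.168.222.3"))  # False
    # LAN client on eth1 is unaffected; a spoofed private source on eth0 is dropped.
    print(reaches_sshd(ANTI_SPOOF + DST_PRIVATE, "eth1", "192.168.1.10", "192.168.222.3"))  # True
    print(dropped(ANTI_SPOOF, "eth0", "192.168.5.5", "192.168.222.3"))  # True
```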