Linux Netfilter discussions
From: Mark Seamans <marks@crvinc.com>
To: netfilter@newkirk.us, netfilter@lists.netfilter.org
Subject: Re: Core Linux Router - NO NAT
Date: Fri, 21 Mar 2003 05:16:43 -0600
Message-ID: <200303210516.43482.marks@crvinc.com>
In-Reply-To: <200303210140.48570.netfilter@newkirk.us>


So, this will allow all routing between all interfaces to all networks but 
only allow host 1.2.3.4 to have access to ssh?
See!  I was going to make it too hard.  I do appreciate the tip.  I will be 
doing this on a production box for an ISP 1600 miles away with little room 
for error.

-----Original Message-----
On Thursday 20 March 2003 06:23 pm, Mark Seamans wrote:
> I have a Linux router that consists of 4 T1 ports and 1 ethernet.
> This "Router" will act as an ISP core router doing Routing Only!
> I wish to protect the box itself, while it performs its duties as a
> Router, allowing only ssh from the IPs that I wish for management.
> This way I can also set up rules to protect it from DoS attacks etc...
> Now I have been thinking of this, but I can go two ways:
> 1.  Making it harder than it really is  -OR-
> 2.  Allowing it to be so easy it is not secure.
>
> So any suggestions would be great.
>
> Thanks!
>
> Mark
> marks@crvinc.com

For the basic task of restricting access to the routing box itself, and
allowing only SSH connections from designated IPs:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -N SSHLOG
iptables -A SSHLOG -j LOG --log-level debug --log-prefix "Router SSH Access:"
iptables -A SSHLOG -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s a.b.c.d -j SSHLOG
{repeat last rule as needed for different authorized IPs}

Another approach might be to have only one or two IPs from which you
allow SSH connections.  Then if you need to connect from a remote
client, SSH to the authorized client, (an admin box at the office?) then
SSH from that client to the router.  (I use this approach to SSH to my
home desktop - which cannot be directly reached from the internet - by
first initiating an SSH session to my gateway from one of the IPs from
which IT will accept an SSH connection)

If your usage will permit, you can match more closely in the INPUT rules
by also restricting to input on a particular interface.  This is made
more likely if you use the double-SSH approach above, the main reason I
mentioned it.

You can change /etc/syslog.conf to add a new target like:
kern.=debug	/var/log/firewall
or even set it up for remote logging with
kern.=debug	@remotelogginghostname
(this would make it much harder for someone who has compromised the box
to cover their tracks, and would require an additional OUTPUT rule
ACCEPTing UDP dport 514 to the designated logging host)

j
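The pieces Joel lists above (DROP policies on INPUT and OUTPUT, the SSHLOG
chain, per-IP SSH rules tied to the management interface, and the extra
OUTPUT rule for remote syslog on UDP 514) assembled into one ruleset, as an
added example that is not part of the thread. It emits iptables-restore
format rather than calling iptables directly, so the result can be read and
diffed before it is loaded on a box 1600 miles away. It differs from the
posted rules in two ways: it uses the conntrack match (available on modern
kernels; in 2003 the equivalent was "-m state") so that replies are accepted
by connection state instead of by an unconditional "--sport 22" OUTPUT rule,
which would let any process on a compromised box send on source port 22; and
it accepts the ICMP errors the router itself generates for transit traffic,
which an OUTPUT DROP policy would otherwise silently discard. The management
interface eth0, the management IPs 192.0.2.10 and 192.0.2.11 and the log host
198.51.100.5 are hypothetical values.

```shell
#!/bin/sh
# Added example (not from the thread): builds an iptables-restore ruleset for
# a routing-only box along the lines Joel describes, with conntrack state
# matching so that only NEW SSH connections are logged and replies are matched
# by state instead of by a blanket "--sport 22" OUTPUT rule.
# All addresses, interfaces and hostnames used here are hypothetical.

# gen_router_ruleset MGMT_IFACE LOGHOST MGMT_IP [MGMT_IP...]
# Prints the ruleset on stdout; feed it to iptables-restore after review.
gen_router_ruleset() {
    iface=$1
    loghost=$2
    shift 2

    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
:SSHLOG - [0:0]
# log then accept, as in the thread; the trailing space keeps the prefix readable
-A SSHLOG -j LOG --log-level debug --log-prefix "Router SSH Access: "
-A SSHLOG -j ACCEPT
# loopback: local daemons (syslogd, sshd) talk to themselves over lo
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to connections we already accepted (covers SSH responses, so no
# unconditional "--sport 22" OUTPUT rule is needed)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ICMP errors the router generates for transit traffic (time-exceeded for
# traceroute, fragmentation-needed for path MTU discovery) leave via OUTPUT;
# an OUTPUT DROP policy alone would silently break both for every customer
-A OUTPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A OUTPUT -p icmp --icmp-type time-exceeded -j ACCEPT
# remote syslog, as the thread suggests (UDP 514 to the log host only)
-A OUTPUT -p udp -d $loghost --dport 514 -j ACCEPT
EOF

    # one rule per management IP, restricted to the management interface,
    # matching only the first packet of each connection
    for ip in "$@"; do
        printf '%s\n' "-A INPUT -i $iface -p tcp -s $ip --dport 22 -m conntrack --ctstate NEW -j SSHLOG"
    done
    echo "COMMIT"
}

# Standalone use:  sh router-rules.sh eth0 198.51.100.5 192.0.2.10 192.0.2.11
if [ "$#" -ge 3 ]; then
    gen_router_ruleset "$@"
fi
```

Two caveats before loading this on a core router. First, loading the conntrack
module makes the kernel track transit flows as well as the router's own, which
costs memory and CPU on a busy box; if that is unacceptable, keep Joel's
stateless rules as posted (or exempt transit traffic with NOTRACK in the raw
table). Second, the ruleset accepts nothing for routing-protocol peers (BGP on
TCP 179, OSPF as IP protocol 89); a box that runs a routing daemon needs
matching INPUT and OUTPUT rules for those peers, which the thread does not
cover.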




Thread overview: 5+ messages
2003-03-20 23:23 Core Linux Router - NO NAT Mark Seamans
2003-03-21  6:41 ` Joel Newkirk
2003-03-21 11:16   ` Mark Seamans [this message]
2003-03-21 15:23   ` Kelly Setzer
2003-03-21 15:19 ` James A. Pattie
