* no ssh on eth0
From: varun @ 2006-07-30 6:01 UTC (permalink / raw)
To: netfilter
Hello,
I have an internet server with:
eth0 as WAN and eth1 as LAN.
I want to prevent ssh on eth0.
How to do it?
Thanks
Varun
* Re: no ssh on eth0
From: Graham Murray @ 2006-07-30 10:12 UTC (permalink / raw)
To: netfilter
varun <varun_saa@rediffmail.com> writes:
> Hello,
>
> I have an internet server with:
>
> eth0 as WAN and eth1 as LAN.
>
> I want to prevent ssh on eth0.
>
> How to do it?
iptables -I INPUT -i eth0 -p tcp --dport 22 -j DROP
* Re: no ssh on eth0
From: Michael Weinert @ 2006-07-30 10:41 UTC (permalink / raw)
To: netfilter
On Sunday, 30 July 2006 08:01, varun wrote:
Hello
how about editing the:
/etc/ssh/sshd_config
ListenAddress <your-ip-from-eth1>
I personally wouldn't do this with iptables.
Michael
> Hello,
>
> I have an internet server with:
>
> eth0 as WAN and eth1 as LAN.
>
> I want to prevent ssh on eth0.
>
> How to do it?
>
> Thanks
>
> Varun
* Re: no ssh on eth0
From: Jan Engelhardt @ 2006-07-30 11:44 UTC (permalink / raw)
To: Graham Murray; +Cc: netfilter
>> Hello,
>>
>> I have an internet server with:
>>
>> eth0 as WAN and eth1 as LAN.
>>
>> I want to prevent ssh on eth0.
>>
>> How to do it?
>
>iptables -I INPUT -i eth0 -p tcp --dport 22 -j DROP
>
If
eth0 10.0.0.1
eth1 192.168.222.3
then
/etc/ssh/sshd_config:
ListenAddress 192.168.222.3
Jan Engelhardt
* Re: no ssh on eth0
From: Pascal Hambourg @ 2006-07-30 12:37 UTC (permalink / raw)
To: netfilter
Hello,
Jan Engelhardt wrote:
>>>
>>>I want to prevent ssh on eth0.
>>>
>>>How to do it?
>>
>>iptables -I INPUT -i eth0 -p tcp --dport 22 -j DROP
If the goal is to prevent *incoming* SSH connections on eth0.
> If
> eth0 10.0.0.1
> eth1 192.168.222.3
> then
> /etc/ssh/sshd_config:
>
> ListenAddress 192.168.222.3
This alone is not enough to prevent connections on eth0. You can connect
to any host address on any interface. E.g. connect to eth1 address on
eth0 interface and vice versa.
* Re: no ssh on eth0
From: former03 | Baltasar Cevc @ 2006-07-30 17:17 UTC (permalink / raw)
To: Pascal Hambourg; +Cc: netfilter
Hi Pascal, hi everybody,
> Does this mean you wanted to reply to the list instead of me alone ?
>
>>>>> iptables -I INPUT -i eth0 -p tcp --dport 22 -j DROP
>>>
>>> If the goal is to prevent *incoming* SSH connections on eth0.
>> Outgoing would be *something like*
>> iptables -A OUTPUT -i eth0 --dport 22 -j DROP (connections from
>> the box to outerspace)
>> iptables -A OUTPUT -i eth0 --dport 22 -j DROP (from LAN to
>> outerspace if the box routes that)
>
> In the second rule I think you meant FORWARD instead of OUTPUT.
>
>>>> ListenAddress 192.168.222.3
>>>
>>> This alone is not enough to prevent connections on eth0. You can
>>> connect to any host address on any interface. E.g. connect to eth1
>>> address on eth0 interface and vice versa.
>> Well, if it's the common setup of eth0 (some "real" non-private ip)
>> and a private ip for eth1 it will work more or less as expected, as
>> packets won't find the route to 192.168.222.3 (to keep the example
>> IP), because it is just valid in private networks.
>
> It won't work when the client is on the same network as eth0, or can
> alter the routing to the server. Your assertion relies on a third
> party's (the ISP) routing and on the assumption that only packets with
> the public IP address can hit eth0. I wouldn't like my security to
> rely on a third party. Would you ?
>
>> From my point of view the sshd_config solution is nicer in any case,
>> you should add some rules like the following on a WAN-LAN router to
>> prevent (some) spoofed packets from entering - they will prevent the
>> connection here (if SSH is bound internally only):
>> iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
>> iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP (I haven't
>> verified this /12 mask, you should check the RFCs to be sure)
>
> The /12 prefix length is correct.
>
>> iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
>> iptables -A INPUT -i eth1 -s <external IP> -j DROP
>> [These routes mean that packets with local addresses should not come
>> from outside and vice versa].
>
> But these rules don't prevent connecting from a public source address
> to the private IP address on the public interface.
You're right, of course - I thought of a firewall situation with NAT -
in that case I'd add
iptables -A INPUT -i eth0 -d 192.168.0.0/16 -j DROP.
That said, I really thought too much about a natted link - so I correct
myself and say:
I would not only do a packet filter block but also (which was the part
I forgot to say) change the listening address, to have kind of double
protection.
Baltasar
--
Baltasar Cevc
_____ former 03 gmbh
_____ infanteriestraße 19 haus 6 eg
_____ D-80797 muenchen
_____ http://www.former03.de
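The layered approach the thread converges on (an explicit port-22 block on the WAN interface, ingress anti-spoofing, dropping WAN-side packets addressed to the LAN address, and pinning sshd to the LAN address), as an added example that is not from any of the posts. WAN=eth0 and the LAN address 192.168.222.3 follow the thread's example; `sshd_listens_lan_only` is a hypothetical helper for checking an sshd_config text.

```shell
#!/bin/sh
# Added example (not from the thread): layered "no SSH on the WAN side" policy.
# Constructed values, following the thread's example: WAN=eth0 and
# LAN address 192.168.222.3. Override them via the environment if needed.
WAN=${WAN:-eth0}
LAN_IP=${LAN_IP:-192.168.222.3}

# Emit the ruleset instead of applying it, so it can be reviewed (and tested)
# without root; pipe the output into "sh" on the firewall to apply it.
ssh_wan_rules() {
  cat <<EOF
# 1. Block SSH arriving on the WAN interface regardless of destination address.
#    This is the case ListenAddress alone does not cover (eth1 address via eth0).
iptables -I INPUT -i $WAN -p tcp --dport 22 -j DROP
# 2. Ingress anti-spoofing: RFC 1918 source addresses do not belong on the WAN
#    interface (prefix lengths /8, /12 and /16).
iptables -A INPUT -i $WAN -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i $WAN -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i $WAN -s 192.168.0.0/16 -j DROP
# 3. Drop anything addressed to the LAN-side address that arrives on the WAN
#    interface. This lives in the filter table and works the same with or
#    without NAT/MASQUERADE.
iptables -A INPUT -i $WAN -d $LAN_IP -j DROP
EOF
}

# Hypothetical helper: given the text of sshd_config, return 0 when every
# ListenAddress is the LAN address (optionally with a port), 1 when sshd would
# also bind the wildcard (no ListenAddress at all, or 0.0.0.0 / ::).
sshd_listens_lan_only() {
  addrs=$(printf '%s\n' "$1" |
          sed -n 's/^[[:space:]]*ListenAddress[[:space:]][[:space:]]*//p')
  [ -n "$addrs" ] || return 1
  for a in $addrs; do
    case "$a" in
      "$LAN_IP"|"$LAN_IP":*) ;;   # pinned to the LAN address: fine
      *) return 1 ;;              # wildcard or another address: exposed
    esac
  done
  return 0
}
```

Run `sh script.sh` after adding `ssh_wan_rules` at the bottom to print the rules, or `ssh_wan_rules | sh` as root to apply them.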
* Re: no ssh on eth0
From: Pascal Hambourg @ 2006-07-30 20:04 UTC (permalink / raw)
To: netfilter
former03 | Baltasar Cevc wrote:
>
> You're right, of course - I thought of a firewall situation with NAT -
Why ? What is the difference with or without NAT ?
* Re: no ssh on eth0
From: former03 | Baltasar Cevc @ 2006-07-30 22:57 UTC (permalink / raw)
To: Pascal Hambourg; +Cc: netfilter
On 30.07.2006, at 22:04, Pascal Hambourg wrote:
> former03 | Baltasar Cevc wrote:
>> You're right, of course - I thought of a firewall situation with NAT -
>
> Why ? What is the difference with or without NAT ?
You can filter out all incoming packets to local IP addresses on the
wan interface before NAT is done; if you just use MASQUERADE for
outgoing packets, "iptables -A INPUT -i eth0 -d 192.168.0.0/16 -j
DROP".
Granted, if filtering breaks that does not help, but in case of an
attacker who is not on the same physical network as the WAN interface
it will probably break with the other listen address as he will hardly
manage to get the packets routed to the host.
Baltasar
* Re: no ssh on eth0
From: Pascal Hambourg @ 2006-07-31 13:44 UTC (permalink / raw)
To: netfilter
former03 | Baltasar Cevc wrote:
>
>> Why ? What is the difference with or without NAT ?
>
> You can filter out all incoming packets to local IP addresses on the wan
> interface before NAT is done;
No you can't, unless you intend to do filtering in PREROUTING chain of
the 'mangle' table.
> if you just use MASQUERADE for outgoing
> packets, "iptables -A INPUT -i eth0 -d 192.168.0.0/16 -j DROP".
I just don't see how it is different whether you have NAT/MASQUERADE or
not. To me filtering and NAT in iptables are fundamentally independent.
* Re: no ssh on eth0
From: varun @ 2006-07-31 15:29 UTC (permalink / raw)
To: Michael Weinert; +Cc: netfilter
And why not, Michael?
Can you explain a little.
Thanks
Varun
* Re: no ssh on eth0
From: former03 | Baltasar Cevc @ 2006-07-31 15:51 UTC (permalink / raw)
To: Pascal Hambourg; +Cc: netfilter
On 31.07.2006, at 15:44, Pascal Hambourg wrote:
> former03 | Baltasar Cevc wrote:
>>> Why ? What is the difference with or without NAT ?
>> You can filter out all incoming packets to local IP addresses on the
>> wan interface before NAT is done;
>
> No you can't, unless you intend to do filtering in PREROUTING chain of
> the 'mangle' table.
I'd probably prefer to do it in the nat table (well, I do know that
filtering should be done in filter only, but it works well that way,
too). Another option would be to separate it using marks.
And for local host access, which was what we were talking about:
iptables -t filter -A INPUT -i eth0 -d <local ip> -j REJECT --reject-with icmp-net-unreachable
>
>> if you just use MASQUERADE for outgoing packets, "iptables -A INPUT
>> -i eth0 -d 192.168.0.0/16 -j DROP".
>
> I just don't see how it is different whether you have NAT/MASQUERADE
> or not. To me filtering and NAT in iptables are fundamentally
> independent.
Sure, they are. However, if I nat, I can make the following assumption:
there are no (valid) packets addressed to internal addresses on eth0.
Which is something I can't assume when I don't have NAT. Without that
assumption, I cannot prohibit as much as I can when I assume that.
Baltasar
* Re: no ssh on eth0
From: former03 | Baltasar Cevc @ 2006-07-31 21:54 UTC (permalink / raw)
To: Martijn Lievaart; +Cc: netfilter, Pascal Hambourg
On 31.07.2006, at 23:39, Martijn Lievaart wrote:
> former03 | Baltasar Cevc wrote:
>
>>
>> On 31.07.2006, at 15:44, Pascal Hambourg wrote:
>>
>>> I just don't see how it is different whether you have NAT/MASQUERADE
>>> or not. To me filtering and NAT in iptables are fundamentally
>>> independent.
>>
>> Sure, they are. However, if I nat, I can make the following
>> assumption:
>> there are no (valid) packets addressed to internal addresses on eth0.
>> Which is something I can't assume when I don't have NAT. Without that
>> assumption, I cannot prohibit as much as I can when I assume that.
>>
>
> A very dangerous assumption. We're talking about NAT for outgoing
> connections. Incoming connections are still possible if someone
> controls the routing up to your box. I would NEVER base my security on
> that assumption where security matters (so for a home setup it's fine,
> but otherwise not).
Apparently we misunderstood each other. I did not talk about the
assumption that such packets never come there, on the contrary, I make
the assumption that these packets are bad, so I should filter them out.
However, one thing I 'relied on': in case the packet filter fails (we
should always consider failure, although at least the software part -
netfilter - is really stable, no need to argue about the latter) for
whatever reason, it is better at least not to listen to the external IP
so that in the case the provider does filter (which it should), it
would at least be impossible to connect from anywhere except the local
part of the wan and the lan. Which will significantly reduce the
dangers.
Baltasar
* Re: no ssh on eth0
From: varun @ 2006-08-02 14:15 UTC (permalink / raw)
To: former03 | Baltasar Cevc; +Cc: netfilter, Pascal Hambourg
Thanks all, for the detailed discussion.
Varun