From: Grant Taylor <gtaylor@riverviewtech.net>
To: Mail List - Netfilter <netfilter@lists.netfilter.org>
Subject: Re: blocking access to port 22 when INPUT policy is ACCEPT
Date: Tue, 31 Jul 2007 18:40:00 -0500 [thread overview]
Message-ID: <46AFC850.5060307@riverviewtech.net> (raw)
In-Reply-To: <20070731221833.GA589@outback.rfc2324.org>
On 7/31/2007 5:18 PM, Maximilian Wilhelm wrote:
> You can't.
Yes you can. Well if you understand the concepts of latter logic used
when electro-mechanical relays were used to control elevators you can.
> But what's wrong with the two rules?
Nothing. The old saying "If it isn't broke, don't fix it..." with it's
third stanza "...optimize it!" comes to mind.
> What you could do if you like is to pass every connection to port 22
> to a subchain like this:
>
> iptables -N filter_ssh_access
> iptables -A INPUT -p tcp --dport 22 -j filter_ssh_access
Yes...
> iptables -A filter_ssh_access -s ! a.b.c.d/29 -j REJECT --reject-with
> icmp-admin-prohibited
> iptables -A filter_ssh_access -s ! e.f.g.h -j REJECT --reject-with
> icmp-admin-prohibited
Oh, so close.
> You might have noticed that I've changed the "DROP" to "REJECT" with
> fitting type which will make the live of you and other people easier
> when debugging anything related to ssh access to this box.
The problem with this is that if you have an IP address of e.f.g.h, the
first rule will reject the connection. Negative logic does not work
quite as you would expect it to. You have to work with inverted
positive logic below (invert the result of the entire set of logic).
There is also the fact that fewer and fewer things know how to handle
error messages like this, or if they do they do not display them to the
end user. (Thanks M$!) You may have better luck with a basic REJECT
target than one that specifies the ICMP error code unless you know that
you are working with a client application that can correctly interpret.
Try this on for size.
iptables -N filter_ssh_access
iptables -A INPUT -p tcp --dport 22 -j filter_ssh_access
iptables -A filter_ssh_access -s a.b.c.d/29 -j ACCEPT
iptables -A filter_ssh_access -s e.f.g.h -j ACCEPT
iptables -A filter_ssh_access -j REJECT --reject-with icmp-admin-prohibited
In this case, you are jumping to a sub-chain just like Max suggested.
However the difference is that you are accepting on known good and then
rejecting after the list of known good has been exhausted. This will
scale compared to rules conflicting with each other, which is what the
OP and Max had happening.
Grant. . . .
next prev parent reply other threads:[~2007-07-31 23:40 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <b400c69a0707311002j46a9505du414c2058edbe79e2@mail.gmail.com>
2007-07-31 22:04 ` blocking access to port 22 when INPUT policy is ACCEPT Maxim Veksler
2007-07-31 22:18 ` Maximilian Wilhelm
2007-07-31 23:40 ` Grant Taylor [this message]
2007-08-01 13:28 ` Maximilian Wilhelm
2007-07-31 23:51 ` Grant Taylor
[not found] <200708010731.l717Vte0020939@mail3.jubileegroup.co.uk>
2007-08-01 8:30 ` G.W. Haywood
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=46AFC850.5060307@riverviewtech.net \
--to=gtaylor@riverviewtech.net \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox