Reco <recovery...@gmail.com> writes:

>  Hi.
>
> On Thu, Dec 18, 2014 at 10:39:18AM +0100, Mart van de Wege wrote:
>> Britton Kerin <britton.ke...@gmail.com> writes:
>> 
>> > I have a system that I would like to make accessible only by ssh.
>> >
>> > No apache telnet ftp anything else.
>> >
>> > What is the easiest way to achieve this?  It came from a vendor with
>> > a slew of package of all sorts, so I don't even know everything that
>> > I want to remove.
>> >
>> Simplest solution is to use iptables to reject all traffic except for
>> port 22:
>> 
>> iptables -I INPUT -p tcp --dport 22 -j ACCEPT
>> iptables -P INPUT DROP
>> 
>> Of course, this depends on none of the shell users having root access.
>
> The simplest *working* solution is to use iptables this way:
>
> iptables -F INPUT
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -p icmp -j ACCEPT
> iptables -A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> iptables -I INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
> iptables -P INPUT DROP
> iptables -F OUTPUT
> iptables -P OUTPUT ACCEPT
>
>
> Your rules will block anything on the interface lo and outbound traffic,
> which is just asking for all kinds of trouble. And blocking icmp is just
> rude ;)

Heh. You're right about the lo blockage, I keep forgetting that
every time I write iptables rules.

Outbound traffic is not necessary, surely? The answers of the box to
incoming ssh packets still count as part of the INPUT stream. The
RELATED,ESTABLISHED rule is only for stupid protocols like FTP, that
like to open new outbound connections in response to inbound requests.

Then again, chain OUTPUT defaults to ACCEPT anyway.

Mart

-- 
"We will need a longer wall when the revolution comes."
    --- AJS, quoting an uncertain source.
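The ruleset below is an added example and is not from either message in the thread. It builds the "SSH only" INPUT policy the two posters are converging on (loopback, ICMP, replies to the box's own connections, then new SSH, then a DROP default) and goes slightly beyond Reco's version in two ways: the RELATED,ESTABLISHED rule is not restricted to TCP, since otherwise UDP answers to the box's own DNS lookups are dropped, and the rules are emitted in an order that is safe to apply over the very SSH session you are typing into (policy is flipped to DROP only after everything that must keep working has been allowed). The SSH port (SSH_PORT, default 22) and the dry-run variable IPT are assumptions for the example; with IPT unset the script only prints the iptables commands, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example, not code from the thread: an "SSH only" iptables INPUT policy.
# Assumptions: sshd listens on $SSH_PORT (constructed default 22) and the
# commands are run as root. With IPT unset the script only prints what it
# would run (dry run); set IPT=iptables to apply the rules for real.
set -eu

IPT="${IPT:-echo iptables}"
SSH_PORT="${SSH_PORT:-22}"

# Emit (or execute) the rules in an order that will not cut off a remote
# admin session: everything that must keep working is allowed before the
# default policy flips to DROP.
ssh_only_rules() {
    # 1. Start from a known state, with ACCEPT as the policy while flushing
    #    so that the flush itself does not drop the session we are using.
    $IPT -P INPUT ACCEPT
    $IPT -F INPUT

    # 2. Loopback: local resolvers, databases and forwarded X all use it.
    $IPT -A INPUT -i lo -j ACCEPT

    # 3. Replies to connections this box opened (apt, DNS over UDP, NTP)
    #    and related traffic (ICMP errors, FTP data channels). No -p tcp
    #    here: limiting this to TCP would drop UDP DNS answers.
    $IPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # 4. Packets the connection tracker cannot classify are dropped rather
    #    than being evaluated against the NEW rule below.
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP

    # 5. ICMP, so ping and path-MTU discovery keep working.
    $IPT -A INPUT -p icmp -j ACCEPT

    # 6. New inbound SSH connections, and nothing else.
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT

    # 7. Only now flip the INPUT default to DROP. OUTPUT stays ACCEPT, so the
    #    box can still reach mirrors, resolvers and so on.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT ACCEPT
}

# Report the last INPUT policy the ruleset sets; in a correct ordering this is
# DROP, and it appears after every ACCEPT rule.
last_input_policy() {
    ssh_only_rules | awk '$2 == "-P" && $3 == "INPUT" { p = $4 } END { print p }'
}

ssh_only_rules
```

When applying this for real over SSH, run it from a shell that has a rollback armed first (for example `sleep 120 && iptables -P INPUT ACCEPT &`), or load the equivalent ruleset atomically with iptables-restore; a single mistyped rule in the middle of a sequential script is otherwise enough to lock you out.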


Archive: https://lists.debian.org/86a92ltcl8....@gaheris.avalon.lan
