Hi.

On Thu, 18 Dec 2014 12:35:31 +0100
Mart van de Wege <mvdw...@gmail.com> wrote:

> Reco <recovery...@gmail.com> writes:
>
> > Hi.
> >
> > On Thu, Dec 18, 2014 at 10:39:18AM +0100, Mart van de Wege wrote:
> >> Britton Kerin <britton.ke...@gmail.com> writes:
> >>
> >> > I have a system that I would like to make accessible only by ssh.
> >> >
> >> > No apache telnet ftp anything else.
> >> >
> >> > What is the easiest way to achieve this? It came from a vendor with
> >> > a slew of packages of all sorts, so I don't even know everything that
> >> > I want to remove.
> >> >
> >> Simplest solution is to use iptables to reject all traffic except for
> >> port 22:
> >>
> >> iptables -I INPUT -p tcp --dport 22 -j ACCEPT
> >> iptables -P INPUT DROP
> >>
> >> Of course, this depends on none of the shell users having root access.
> >
> > The simplest *working* solution is to use iptables this way:
> >
> > iptables -F INPUT
> > iptables -A INPUT -i lo -j ACCEPT
> > iptables -A INPUT -p icmp -j ACCEPT
> > iptables -A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> > iptables -I INPUT -p tcp --dport 22 -m conntrack --ctstate NEW --j ACCEPT
> > iptables -P INPUT DROP
> > iptables -F OUTPUT
> > iptables -P OUTPUT ACCEPT
> >
> > Your rules will block anything on the interface lo and outbound traffic,
> > which is just asking for all kinds of trouble. And blocking icmp is just
> > rude ;)
>
> Heh. You're right about the lo blockage, I keep forgetting that
> every time I write iptables rules.

Oops. I forgot about this one:

iptables -A INPUT -p udp -m conntrack --ctstate RELATED,ESTABLISHED \
    -j ACCEPT

> Outbound traffic is not necessary, surely? The answers of the box to
> incoming ssh packets still count as part of the INPUT stream.

Not unless you use '-m conntrack --ctstate NEW'. And (see below) not
unless you'll want to limit all new outbound connections to ssh only.

> The RELATED,ESTABLISHED rule is only for stupid protocols like FTP, that
> like to open new outbound connections in response to inbound requests.

Not quite true.
You forgot to take into account good old DNS, for example. Now, sure,
DNS *is* stupid, but sshd relies on it to some extent. Or, say, NTP,
which is UDP-based too.

Besides, OP may need to establish new outbound connections from his
host. This:

iptables -A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED \
    -j ACCEPT

will allow such connections without the need to punch multiple holes in
the INPUT chain.

> Then again, chain OUTPUT defaults to ACCEPT anyway.

True. But, just to be on the safe side, I'd add '-P ACCEPT' to OUTPUT
too.

Reco

-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20141218194341.55a72661ff572893bbb7b...@gmail.com
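Added example, not part of the thread or of Debian's own tooling: the ssh-only ruleset the replies converge on (loopback, ICMP, RELATED/ESTABLISHED for TCP and UDP, NEW on the ssh port, DROP policy on INPUT, ACCEPT on OUTPUT), emitted in iptables-restore format so that the DROP policy and the ACCEPT rules are committed in one atomic load instead of one `iptables` command at a time, which avoids the window in which a remote session can be cut off between `-P INPUT DROP` and the ESTABLISHED rule. The function names, the `--apply` flag, the port parameter and the `FORWARD DROP` policy (assuming the host does not route) are this example's own assumptions; `check_ruleset` flags the two omissions the thread discusses, a missing loopback ACCEPT and a missing conntrack RELATED,ESTABLISHED rule.

```shell
#!/bin/sh
# Added example (not from the thread): ssh-only filter ruleset as an
# iptables-restore file, plus a pre-flight check for the lockout pitfalls
# discussed above. Assumed names: ssh_only_rules, check_ruleset, rule_count.
set -eu

# ssh_only_rules [PORT]: print the ruleset on stdout (default port 22).
ssh_only_rules() {
    port="${1:-22}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback must stay open; local services talk to each other over lo
-A INPUT -i lo -j ACCEPT
# let ICMP through (path MTU, ping, unreachable messages)
-A INPUT -p icmp -j ACCEPT
# replies to connections this host opened itself: DNS, NTP, apt, ...
-A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# the only service reachable from outside: new ssh connections
-A INPUT -p tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# rule_count [PORT]: number of -A rules in the generated set (sanity check).
rule_count() {
    ssh_only_rules "${1:-22}" | grep -c '^-A '
}

# check_ruleset: read a ruleset on stdin, complain on stderr and return 1
# if it would strand the host the way the thread describes.
check_ruleset() {
    rules=$(cat)
    ok=0
    printf '%s\n' "$rules" | grep -q -- '^-A INPUT -i lo -j ACCEPT' \
        || { echo "missing: loopback ACCEPT (local services will break)" >&2; ok=1; }
    printf '%s\n' "$rules" | grep -q -- '--ctstate RELATED,ESTABLISHED' \
        || { echo "missing: conntrack RELATED,ESTABLISHED (replies to DNS/NTP dropped)" >&2; ok=1; }
    printf '%s\n' "$rules" | grep -q -- '--dport [0-9][0-9]* .*-j ACCEPT' \
        || { echo "missing: ACCEPT for the ssh port (remote logins blocked)" >&2; ok=1; }
    return $ok
}

# Usage: ./ssh-only.sh [PORT]          -> print the ruleset
#        ./ssh-only.sh --apply [PORT]  -> check it, then load it atomically (root)
# `iptables-restore -t` parses without committing if you want a dry run first.
case "${1:-}" in
    --apply)
        port="${2:-22}"
        ssh_only_rules "$port" | check_ruleset
        ssh_only_rules "$port" | iptables-restore
        ;;
    *)
        ssh_only_rules "${1:-22}"
        ;;
esac
```

Loading through iptables-restore also makes the ruleset reproducible: keep the file under version control and reload it on boot (Debian's iptables-persistent package reads the same format), rather than re-running a sequence of `iptables -A` commands whose order and idempotency are easy to get wrong.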