Richard Fish <bigfish <at> asmallpond.org> writes:

> > I need a rule on the 3 (nic) interface firewall so that only
> > ssh from the LAN is allowed to the firewall or systems (web
> > server, mail dns) in the DMZ. Only one static ip is routable
> > to this site. SSH from the outside should be completely blocked.
>
> # allow ssh connections from LAN to us
> iptables -A INPUT -i $IF_LAN -p tcp --dport 22 -j ACCEPT
> # allow routing of ssh connections from LAN to DMZ hosts
> iptables -A FORWARD -i $IF_LAN -o $IF_DMZ -p tcp --dport 22 -j ACCEPT
> # deny all other ssh connections
> iptables -A INPUT -p tcp --dport 22 -j DROP
> iptables -A FORWARD -p tcp --dport 22 -j DROP

Richard,

These rules worked like a charm. I had something similar, but had the syntax messed up. Thx.

Now I have ONE big problem. Spammers (I think).

Running a sniffer between my firewall and the cable box's ethernet (single static IP), I see:

hackIP  myIP    TCP  smtp > 55634 (RST,ACK) Seq=0 ACK=1 WIN=0 LEN=0 MSS=1460
myIP    hackIP  TCP  55634 > smtp (SYN)     Seq=0 ACK=1 WIN=0 LEN=0
hackIP  myIP    TCP  smtp > 55634 (RST,ACK) Seq=0 ACK=1 WIN=0 LEN=0 MSS=1460
myIP    hackIP  TCP  55634 > smtp (SYN)     Seq=0 ACK=1 WIN=0 LEN=0
hackIP  myIP    TCP  smtp > 55634 (RST,ACK) Seq=0 ACK=1 WIN=0 LEN=0 MSS=1460
myIP    hackIP  TCP  55634 > smtp (SYN)     Seq=0 ACK=1 WIN=0 LEN=0

Last night I saw this for a while and then a storm of smtp traffic. This site does not even run a mail server, and all systems were shut down except for the firewall and the sniffer. This explains why this site is listed as a spammer site... Somebody has been reflecting email off of this site for some time, I suspect.

Got any idea for an (iptables) syntax to stop this? Do I need to reinstall the system (gentoo-hardened firewall)???????

Thoughts and ideas are welcome.

--
gentoo-user@gentoo.org mailing list
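Added example (not part of the thread, and not Richard's or the poster's script): the quoted SSH rules wrapped as a shell function, plus a second function that logs and drops outbound TCP/25 connection attempts. The capture above shows myIP, not a LAN or DMMZ host, sending the SYNs to remote port 25, and the poster states every other system was shut down, so the connections are being originated by the firewall host itself; the OUTPUT chain is what governs traffic a host originates, while FORWARD only covers what it routes. Logging before dropping records each attempt in the kernel log while the host is examined. The interface names, the IPT/APPLY_RULES variables, the rate limits and the LOG prefix are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Interface names, variable names
# and the LOG prefix are assumptions; set them to match the real firewall.
IPT="${IPT:-iptables}"        # set IPT=echo to dry-run and just print the rules
IF_LAN="${IF_LAN:-eth1}"      # assumed LAN interface
IF_DMZ="${IF_DMZ:-eth2}"      # assumed DMZ interface

# SSH reachable only from the LAN: to the firewall itself (INPUT) and to
# DMZ hosts routed through it (FORWARD). Everything else on tcp/22 is dropped.
ssh_rules() {
    "$IPT" -A INPUT   -i "$IF_LAN" -p tcp --dport 22 -j ACCEPT
    "$IPT" -A FORWARD -i "$IF_LAN" -o "$IF_DMZ" -p tcp --dport 22 -j ACCEPT
    "$IPT" -A INPUT   -p tcp --dport 22 -j DROP
    "$IPT" -A FORWARD -p tcp --dport 22 -j DROP
}

# Outbound SMTP containment for a site that runs no mail server.
# OUTPUT: connections the firewall host originates (what the capture shows).
# FORWARD: connections any LAN/DMZ host would try to push through it.
# The LOG rule is rate-limited so a connection storm cannot flood the log;
# the DROP rule that follows is unconditional.
smtp_egress_rules() {
    for chain in OUTPUT FORWARD; do
        "$IPT" -A "$chain" -p tcp --dport 25 --syn \
            -m limit --limit 10/min --limit-burst 20 \
            -j LOG --log-prefix "SMTP-EGRESS: "
        "$IPT" -A "$chain" -p tcp --dport 25 --syn -j DROP
    done
}

# Only modify the live tables when explicitly asked (APPLY_RULES=1);
# sourcing the file without it just defines the functions.
if [ "${APPLY_RULES:-0}" = 1 ]; then
    ssh_rules
    smtp_egress_rules
fi
```

Run with `IPT=echo sh -c '. ./rules.sh; ssh_rules; smtp_egress_rules'` to print the generated rules without touching the kernel, and with `APPLY_RULES=1` as root to install them. Entries in the kernel log prefixed `SMTP-EGRESS:` on the OUTPUT chain confirm that the firewall host itself is the source, which is the question the poster is really asking about a reinstall.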