Oct 25, 2009

Sometimes we want to restrict ssh connections to our own networks only, to stop abusive login attempts from everywhere else.

This is how to do it with iptables:

# iptables -F
# iptables -N SSHD

# iptables -A SSHD -m state --state NEW,RELATED,ESTABLISHED -s 1.2.3.4/24 -j RETURN
# iptables -A SSHD -m state --state NEW,RELATED,ESTABLISHED -s 5.6.7.8/24 -j RETURN
# iptables -A SSHD -m state --state NEW,RELATED,ESTABLISHED -s a.b.c.d/24 -j RETURN
# iptables -A SSHD -j REJECT --reject-with icmp-host-prohibited

# iptables -A INPUT -p tcp -m tcp --dport 22 -j SSHD

All connections to port 22, except those from the networks we defined in the SSHD chain, will be rejected with icmp-host-prohibited. Checking the counters confirms the chain is in place:

# iptables -nvL
Chain INPUT (policy ACCEPT 934K packets, 529M bytes)
 pkts bytes target     prot opt in     out     source               destination        
 3252  207K SSHD       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22

Chain SSHD (1 references)
 pkts bytes target     prot opt in     out     source               destination
  717 35832 RETURN     all  --  *      *       1.2.3.4/24      0.0.0.0/0           state NEW,RELATED,ESTABLISHED
 2535  171K RETURN     all  --  *      *       5.6.7.8/24      0.0.0.0/0           state NEW,RELATED,ESTABLISHED
    0     0 RETURN     all  --  *      *       a.b.c.d/24      0.0.0.0/0           state NEW,RELATED,ESTABLISHED
    0     0 REJECT     all  --  *      *       0.0.0.0/0       0.0.0.0/0           reject-with icmp-host-prohibited
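A script version of the same allow-list, added here as an example and not part of the original post. It builds the SSHD chain from a list of trusted IPv4 networks as an iptables-restore fragment (the `iptables -F` above flushes every rule in the filter table, which `iptables-restore -n` avoids), validates each network entry before it reaches iptables, and refuses to apply the rules from an SSH session whose client address is not on the list, which is the usual way to lock yourself out of a box. The chain name SSHD and the rule shape come from the post; the TRUSTED list is constructed, the function names are mine, and the use of OpenSSH's SSH_CONNECTION variable for the client address is an assumption about the login shell.

```shell
#!/bin/sh
# Added example, not from the original post: build the SSHD allow-list chain
# from a list of trusted IPv4 networks as an iptables-restore fragment, and
# refuse to apply it from an SSH session whose client address is outside the
# list. Assumptions: the chain name SSHD and the rule shape follow the post;
# the TRUSTED list below is constructed; SSH_CONNECTION is set by OpenSSH.

# ip_to_int A.B.C.D -> print the address as an unsigned 32-bit integer;
# exit 1 if the argument is not a well-formed dotted quad.
ip_to_int() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac      # digits and dots only
    oldifs=$IFS; IFS=.
    set -- $1                                       # split into octets
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|0[0-9]*) return 1 ;; esac     # no empty or zero-padded octets
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/PREFIX -> exit 0 if IP lies inside NET/PREFIX, 1 if not,
# 2 if either argument does not parse. A bare address is treated as /32.
in_cidr() {
    ip=$(ip_to_int "$1") || return 2
    net=$(ip_to_int "${2%/*}") || return 2
    prefix=${2#*/}
    [ "$prefix" = "$2" ] && prefix=32
    case $prefix in ''|*[!0-9]*) return 2 ;; esac
    [ "$prefix" -le 32 ] || return 2
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# gen_sshd_rules NET... -> print an iptables-restore fragment for the filter
# table: one RETURN per trusted network, REJECT for everyone else, and the
# INPUT hook for TCP/22, the same chain the post builds by hand. Loading it
# with `iptables-restore -n` is atomic and leaves the rules already in the
# built-in chains alone; the SSHD chain named in the fragment is rebuilt.
gen_sshd_rules() {
    [ $# -gt 0 ] || { echo "gen_sshd_rules: no networks given" >&2; return 1; }
    echo '*filter'
    echo ':SSHD - [0:0]'
    for n in "$@"; do
        # A network is valid if its own base address parses inside it.
        in_cidr "${n%/*}" "$n" || { echo "gen_sshd_rules: bad network $n" >&2; return 1; }
        echo "-A SSHD -m state --state NEW,RELATED,ESTABLISHED -s $n -j RETURN"
    done
    echo '-A SSHD -j REJECT --reject-with icmp-host-prohibited'
    echo '-A INPUT -p tcp -m tcp --dport 22 -j SSHD'
    echo 'COMMIT'
}

# client_allowed NET... -> exit 0 if the address this shell was reached from
# (first field of SSH_CONNECTION, set by OpenSSH) is inside one of the
# networks. Used as a lock-out guard before the rules are applied remotely.
client_allowed() {
    client=${SSH_CONNECTION%% *}
    [ -n "$client" ] || return 1
    for n in "$@"; do
        in_cidr "$client" "$n" && return 0
    done
    return 1
}

# Constructed sample allow-list; the post uses placeholder networks as well.
TRUSTED="10.0.0.0/8 192.168.1.0/24"

if [ "${1-}" = "--apply" ]; then
    # shellcheck disable=SC2086
    client_allowed $TRUSTED || {
        echo "refusing: client ${SSH_CONNECTION%% *} is not in: $TRUSTED" >&2
        exit 1
    }
    gen_sshd_rules $TRUSTED | iptables-restore -n
elif [ "${1-}" = "--print" ]; then
    gen_sshd_rules $TRUSTED
fi
```

Run it with `--print` to inspect the fragment and with `--apply` as root to load it. Load the INPUT hook only once: rerunning with `-n` rebuilds SSHD but appends a second `-j SSHD` jump to INPUT, so delete the old jump (or check for it with `iptables -C`) before reapplying. The script handles IPv4 only, matching the post; ip6tables needs its own chain.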
