CentOS 5.6 & Edit IP Tables

Posted on 2012-03-19
Last Modified: 2012-06-27
My CentOS 5.6 server currently has two IP addresses assigned to it.  The public IP address is assigned to eth0 and the private IP address is assigned to eth1.

I need to open the SSH port (port 22) on the private IP address only.  Right now it is opened on both the public and private.

My current /etc/sysconfig/iptables is below:
# Generated by iptables-save v1.3.5 on Wed Mar 14 14:20:11 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [334402:108639620]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 5901 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 5901 -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Mar 14 14:20:11 2012

My ifconfig looks like:

eth0   Link encap:Ethernet  HWaddr 40:40:FF:25:62:5B
          inet addr:36.75.132.9  Bcast:36.75.132.9  Mask:255.255.255.0
          inet6 addr: fe50::2124:ffff:fe25:625b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:644677 errors:0 dropped:0 overruns:0 frame:0
          TX packets:523666 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:443128196 (422.5 MiB)  TX bytes:114953349 (109.6 MiB)

eth1   Link encap:Ethernet  HWaddr 40:40:67:4F:64:7D
          inet addr:192.168.1.132  Bcast:192.168.1.132  Mask:255.255.224.0
          inet6 addr: fe60::4240:67ff:fe4f:647d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3 errors:0 dropped:0 overruns:0 frame:0
          TX packets:49 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:180 (180.0 b)  TX bytes:6654 (6.4 KiB)

lo       Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:6483 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6483 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:31100473 (29.6 MiB)  TX bytes:31100473 (29.6 MiB)

Question by:deklinm
2 Comments
 
LVL 7

Assisted Solution

by:torakeshb
torakeshb earned 800 total points
ID: 37740818
To block SSH from the public interface and allow it from the private one:  iptables -I INPUT -i eth0 -p tcp --destination-port 22 -j DROP
LVL 21

Accepted Solution

by:Papertrip
Papertrip earned 1200 total points
ID: 37740836
There are several ways to do this, here are 2 of the simpler ways.

Change the "ListenAddress" option in /etc/ssh/sshd_config to listen only on 192.168.1.132
ListenAddress 192.168.1.132

Change your existing iptables rule for SSH to only listen on eth1
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp -i eth1 --dport 22 -j ACCEPT

Personally I would make the change in sshd_config.
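Both of Papertrip's changes, worked through as an added example (this is not code from either answer or from the poster): the script below applies them to copies of the two files and then reports what the edited files actually say, so the edit can be checked before it is made on the live server. It uses the interface and private address from the question (eth1, 192.168.1.132); the file contents it creates are constructed excerpts rather than the poster's full files, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: apply the accepted answer's two fixes to
# copies of the config files so they can be checked without root. Interface and
# address follow the question (eth1, 192.168.1.132); the file contents below are
# constructed fragments, not the poster's full files.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed excerpt of the poster's /etc/sysconfig/iptables (SSH-relevant lines only).
cat > "$WORK/iptables" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

# Constructed sshd_config fragment with the stock commented-out ListenAddress lines.
cat > "$WORK/sshd_config" <<'EOF'
Port 22
#ListenAddress 0.0.0.0
#ListenAddress ::
Protocol 2
EOF

# restrict_ssh_rule FILE IFACE
# Adds "-i IFACE" to every port-22 ACCEPT in a saved ruleset that is not yet
# bound to an interface, so the rule only matches traffic arriving on IFACE.
# Running it twice leaves the rule unchanged.
restrict_ssh_rule() {
    file=$1; iface=$2
    awk -v iface="$iface" '
        /--dport 22 -j ACCEPT/ && $0 !~ / -i / {
            sub(/^-A RH-Firewall-1-INPUT /, "-A RH-Firewall-1-INPUT -i " iface " ")
        }
        { print }
    ' "$file" > "$file.new" && mv "$file.new" "$file"
}

# ssh_accept_ifaces FILE
# Prints, one per line, the interface each port-22 ACCEPT is bound to
# ("any" when the rule has no -i and therefore matches eth0 as well).
ssh_accept_ifaces() {
    awk '/--dport 22 -j ACCEPT/ {
        if (match($0, /-i [^ ]+/)) print substr($0, RSTART + 3, RLENGTH - 3)
        else print "any"
    }' "$1"
}

# set_listen_address FILE ADDR
# Comments out any active ListenAddress and appends exactly one for ADDR.
# With no active ListenAddress sshd binds 0.0.0.0, i.e. the public IP too.
set_listen_address() {
    file=$1; addr=$2
    awk -v addr="$addr" '
        /^[[:space:]]*ListenAddress[[:space:]]/ { print "#" $0; next }
        { print }
        END { print "ListenAddress " addr }
    ' "$file" > "$file.new" && mv "$file.new" "$file"
}

# active_listen_addresses FILE
# Prints the addresses sshd would bind, ignoring commented-out lines.
active_listen_addresses() {
    awk '/^[[:space:]]*ListenAddress[[:space:]]/ { print $2 }' "$1"
}

restrict_ssh_rule "$WORK/iptables" eth1
set_listen_address "$WORK/sshd_config" 192.168.1.132

echo "port-22 ACCEPT bound to: $(ssh_accept_ifaces "$WORK/iptables")"
echo "sshd ListenAddress:      $(active_listen_addresses "$WORK/sshd_config")"
```

On the real box the same functions would be pointed at /etc/sysconfig/iptables and /etc/ssh/sshd_config, followed by `service iptables restart` and `sshd -t` before `service sshd restart`; keep a session open on the private address while doing it, since the whole point of either change is that eth0 stops answering. Two things to watch: the RELATED,ESTABLISHED rule means an SSH session that is already open over eth0 stays up until it closes, so test with a fresh connection to the public IP; and a runtime rule like the one in the assisted solution only takes effect if it sits ahead of the jump into RH-Firewall-1-INPUT (`iptables -I INPUT ...` rather than `-A`), because that chain ends in REJECT and never returns to INPUT, and it is lost on reboot unless written back with `service iptables save`.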