?
Solved

CentOS 5.6 & Edit IP Tables

Posted on 2012-03-19
2
Medium Priority
?
389 Views
Last Modified: 2012-06-27
My CentOS 5.6 server currently has two IP addresses assigned to it.  The public IP address is assigned to eth0 and the private IP address is assigned to eth1.

I need to open the SSH port (port 22) on the private ip address only.  Right now it is opened on both the public and private.  

My current etc/sysconfig/iptables is below:



# Generated by iptables-save v1.3.5 on Wed Mar 14 14:20:11 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [334402:108639620]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 5901 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 5901 -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Mar 14 14:20:11 2012
"/etc/sysconfig/iptables" 23L, 1076C



My ifconfig looks like




eth0   Link encap:Ethernet  HWaddr 40:40:FF:25:62:5B
          inet addr:36.75.132.9  Bcast:36.75.132.9  Mask:255.255.255.0
          inet6 addr: fe50::2124:ffff:fe25:625b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:644677 errors:0 dropped:0 overruns:0 frame:0
          TX packets:523666 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:443128196 (422.5 MiB)  TX bytes:114953349 (109.6 MiB)

eth1   Link encap:Ethernet  HWaddr 40:40:67:4F:64:7D
          inet addr:192.168.1.132  Bcast:192.168.1.132  Mask:255.255.224.0
          inet6 addr: fe60::4240:67ff:fe4f:647d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3 errors:0 dropped:0 overruns:0 frame:0
          TX packets:49 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:180 (180.0 b)  TX bytes:6654 (6.4 KiB)

lo       Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:6483 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6483 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:31100473 (29.6 MiB)  TX bytes:31100473 (29.6 MiB)


0
Comment
Question by:deklinm
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 7

Assisted Solution

by:torakeshb
torakeshb earned 800 total points
ID: 37740818
To block ssh from public interface an allow from private. :  iptables -A INPUT -i eth0  -p tcp --destination-port 22 -j DROP
0
 
LVL 21

Accepted Solution

by:
Papertrip earned 1200 total points
ID: 37740836
There are several ways to do this, here are 2 of the simpler ways.

Change the "ListenAddress" option in /etc/ssh/sshd_config to listen only on 192.168.1.13
ListenAddress 192.168.1.13

Open in new window



Change your existing iptables rule for SSH to only listen on eth1
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp -i eth1 --dport 22 -j ACCEPT

Open in new window


Personally I would make the change in sshd_config.
0

Featured Post

Get proactive database performance tuning online

At Percona’s web store you can order full Percona Database Performance Audit in minutes. Find out the health of your database, and how to improve it. Pay online with a credit card. Improve your database performance now!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Over the last ten+ years I have seen Linux configuration tools come and go. In the early days there was the tried-and-true, all-powerful linuxconf that many thought would remain the one and only Linux configuration tool until the end of times. Well,…
SSH (Secure Shell) - Tips and Tricks As you all know SSH(Secure Shell) is a network protocol, which we use to access/transfer files securely between two networked devices. SSH was actually designed as a replacement for insecure protocols that sen…
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
Suggested Courses
Course of the Month11 days, 10 hours left to enroll

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question