CentOS 5.6 & Edit IP Tables

My CentOS 5.6 server currently has two IP addresses assigned to it.  The public IP address is assigned to eth0 and the private IP address is assigned to eth1.

I need to open the SSH port (port 22) on the private IP address only.  Right now it is open on both the public and the private address.

My current /etc/sysconfig/iptables is below:

# Generated by iptables-save v1.3.5 on Wed Mar 14 14:20:11 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [334402:108639620]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 5901 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 5901 -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Mar 14 14:20:11 2012

My ifconfig output looks like this:

eth0   Link encap:Ethernet  HWaddr 40:40:FF:25:62:5B
          inet addr:36.75.132.9  Bcast:36.75.132.9  Mask:255.255.255.0
          inet6 addr: fe50::2124:ffff:fe25:625b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:644677 errors:0 dropped:0 overruns:0 frame:0
          TX packets:523666 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:443128196 (422.5 MiB)  TX bytes:114953349 (109.6 MiB)

eth1   Link encap:Ethernet  HWaddr 40:40:67:4F:64:7D
          inet addr:192.168.1.132  Bcast:192.168.1.132  Mask:255.255.224.0
          inet6 addr: fe60::4240:67ff:fe4f:647d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3 errors:0 dropped:0 overruns:0 frame:0
          TX packets:49 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:180 (180.0 b)  TX bytes:6654 (6.4 KiB)

lo       Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:6483 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6483 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:31100473 (29.6 MiB)  TX bytes:31100473 (29.6 MiB)


Asked by: deklinm

Papertrip commented:
There are several ways to do this; here are two of the simpler ones.

Change the "ListenAddress" option in /etc/ssh/sshd_config to listen only on 192.168.1.13:
ListenAddress 192.168.1.13

Change your existing iptables rule for SSH to only listen on eth1:
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp -i eth1 --dport 22 -j ACCEPT

Personally I would make the change in sshd_config.
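As an added example (not from the thread), a small POSIX shell script that applies the second approach to rules in the questioner's /etc/sysconfig/iptables format: it binds every interface-unbound ACCEPT rule for TCP port 22 to a chosen interface and counts how many unbound ones remain, so the edit can be checked before the file is reloaded. The sample rules are constructed from the posted file, and the interface name eth1 (192.168.1.132 in the posted ifconfig) is the one the question asks for; note that the posted INPUT chain hands everything to RH-Firewall-1-INPUT first, so the port-22 rule that matters is the one in that chain.

```shell
#!/bin/sh
# Constructed sample: the questioner's port-22 rule and two neighbours,
# exactly as they appear in the posted /etc/sysconfig/iptables.
SAMPLE_RULES='-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'

# Read iptables-save style rules on stdin and write them back out with every
# ACCEPT rule for TCP port 22 that has no "-i" match restricted to $1.
# Rules that already carry an interface match are left untouched.
restrict_ssh_to_iface() {
    awk -v iface="$1" '
        # "--dport 22( |$)" avoids matching ports such as 2222.
        /--dport 22( |$)/ && /-j ACCEPT/ && !/ -i / {
            # Insert the interface match right after "-A <chain>".
            sub(/^-A [^ ]+/, "& -i " iface)
        }
        { print }
    '
}

# Count ACCEPT rules for TCP port 22 that are not bound to any interface;
# a non-zero result means SSH is still reachable on every address.
count_unbound_ssh_accepts() {
    awk '/--dport 22( |$)/ && /-j ACCEPT/ && !/ -i / { n++ } END { print n + 0 }'
}

# Demonstration on the constructed sample: rewrite, then re-check exposure.
printf '%s\n' "$SAMPLE_RULES" | restrict_ssh_to_iface eth1
printf 'unbound SSH ACCEPT rules after rewrite: %s\n' \
    "$(printf '%s\n' "$SAMPLE_RULES" | restrict_ssh_to_iface eth1 | count_unbound_ssh_accepts)"
```

Run it against the real file with `restrict_ssh_to_iface eth1 < /etc/sysconfig/iptables > iptables.new`, inspect the result, and only then replace the file and reload with `service iptables restart` from the private-side session.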

torakeshb commented:
To block SSH from the public interface and allow it from the private one:  iptables -A INPUT -i eth0  -p tcp --destination-port 22 -j DROP