[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

CentOS 5.6 & Edit IP Tables

Posted on 2012-03-19
2
Medium Priority
?
391 Views
Last Modified: 2012-06-27
My CentOS 5.6 server currently has two IP addresses assigned to it.  The public IP address is assigned to eth0 and the private IP address is assigned to eth1.

I need to open the SSH port (port 22) on the private ip address only.  Right now it is opened on both the public and private.  

My current etc/sysconfig/iptables is below:



# Generated by iptables-save v1.3.5 on Wed Mar 14 14:20:11 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [334402:108639620]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 5901 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 5901 -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Mar 14 14:20:11 2012
"/etc/sysconfig/iptables" 23L, 1076C



My ifconfig looks like




eth0   Link encap:Ethernet  HWaddr 40:40:FF:25:62:5B
          inet addr:36.75.132.9  Bcast:36.75.132.9  Mask:255.255.255.0
          inet6 addr: fe50::2124:ffff:fe25:625b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:644677 errors:0 dropped:0 overruns:0 frame:0
          TX packets:523666 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:443128196 (422.5 MiB)  TX bytes:114953349 (109.6 MiB)

eth1   Link encap:Ethernet  HWaddr 40:40:67:4F:64:7D
          inet addr:192.168.1.132  Bcast:192.168.1.132  Mask:255.255.224.0
          inet6 addr: fe60::4240:67ff:fe4f:647d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3 errors:0 dropped:0 overruns:0 frame:0
          TX packets:49 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:180 (180.0 b)  TX bytes:6654 (6.4 KiB)

lo       Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:6483 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6483 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:31100473 (29.6 MiB)  TX bytes:31100473 (29.6 MiB)


0
Comment
Question by:deklinm
2 Comments
 
LVL 7

Assisted Solution

by:torakeshb
torakeshb earned 800 total points
ID: 37740818
To block ssh from public interface an allow from private. :  iptables -A INPUT -i eth0  -p tcp --destination-port 22 -j DROP
0
 
LVL 21

Accepted Solution

by:
Papertrip earned 1200 total points
ID: 37740836
There are several ways to do this, here are 2 of the simpler ways.

Change the "ListenAddress" option in /etc/ssh/sshd_config to listen only on 192.168.1.13
ListenAddress 192.168.1.13

Open in new window



Change your existing iptables rule for SSH to only listen on eth1
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp -i eth1 --dport 22 -j ACCEPT

Open in new window


Personally I would make the change in sshd_config.
0

Featured Post

Fill in the form and get your FREE NFR key NOW!

Veeam is happy to provide a FREE NFR server license to certified engineers, trainers, and bloggers.  It allows for the non‑production use of Veeam Agent for Microsoft Windows. This license is valid for five workstations and two servers.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Little introduction about CP: CP is a command on linux that use to copy files and folder from one location to another location. Example usage of CP as follow: cp /myfoder /pathto/destination/folder/ cp abc.tar.gz /pathto/destination/folder/ab…
Introduction We as admins face situation where we need to redirect websites to another. This may be required as a part of an upgrade keeping the old URL but website should be served from new URL. This document would brief you on different ways ca…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.
Suggested Courses
Course of the Month20 days, 4 hours left to enroll

873 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question