IPTABLES question - Page 2
Page 2 of 2 FirstFirst 12
Results 11 to 14 of 14

Thread: IPTABLES question

  1. #11
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    Why dont you use the MAC instead of hostname? (I realized hostname matching isnt gonna do much for an SSH packet, heh) easier to match on a per-packet basis. Something like:
    iptables -A PREROUTING -m string --string 'y0:uR:MA:CA:dD:RR' -m tcp -p tcp --dport 22 -j ACCEPT

    or something along those line...Then your IP woulndt matter, be nice with a laptop for sure.

    -Maestr0

    PS. Not sure if thats the right way to use --string, if you compile netfilter with that extension you can iptables -m string --help.

    \"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software.\" -Jaron Lanier

  2. #12
    Junior Member
    Join Date
    Sep 2002
    Location
    Sultan, WA
    Posts
    9

    Unhappy iptables question rep

    A question for a question, with the advent of SELinux in the 2.6 kernel, does this really much\k things up with iptables and the permissive or targeting policy?

  3. #13
    Junior Member
    Join Date
    Sep 2002
    Location
    Sultan, WA
    Posts
    9

    Unhappy iptables question rep

    disregard my last post


  4. #14
    Junior Member
    Join Date
    Apr 2005
    Posts
    4
    I would open 22 through the firewall. Restrict your sshd to use DSA keys only. No root login of course. And make sure your latest openssh is compiled with --with-tcp-wrappers enabled.

    This way you can simply vi /etc/hosts.allow add:
    example

    sshd: 192.168.4.0/29 yourname.com

    This will give you local net access(optional) and give your domainname access. tcp wrapper will do an dns lookup and since you said your IP changes all the time but you will be using a dynamic dns updater. tcp wrapper will do an dns lookup providing of course that /etc/nsswitch.conf & /etc/resolv.conf has valid dns info...which im sure they do.

    Plus you could add /etc/hosts.deny and put something like this to log failed attempts

    ALL : ALL : spawn (/usr/bin/logger -p daemon.log WARNING! Attempt at %d from %c)&


    ~phatdee

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides