Hi to all! I have the following problem. I have a gateway machine which acts as firewall (iptables) and router to the internal network. What I need is to access an internal machine from outside with SSH, but I want some protection from SSH dictionary attacks. I want to use the standard port 22 for SSH and perhaps use the 'recent' module for iptables in order to block this kind of attack. I already have the block rules for iptables, which I got from the SUSE lists, as shown below:

    # Two dedicated chains: SSH holds the rate-limit logic, SSH-evil handles offenders
    $IPTABLES -N SSH
    $IPTABLES -N SSH-evil
    # An offender is remembered in the "badSSH" list, logged and rejected
    $IPTABLES -A SSH-evil -m recent --name badSSH --set -j LOG --log-level DEBUG --log-prefix "evil SSH user: "
    $IPTABLES -A SSH-evil -j REJECT
    # Packets of already established connections pass straight through
    $IPTABLES -A SSH -p TCP ! --syn -m state --state ESTABLISHED,RELATED -j ACCEPT
    # A source still listed in "badSSH" within the last 600 s is rejected
    $IPTABLES -A SSH -p TCP --syn -m recent --name badSSH --rcheck --seconds 600 -j REJECT
    # 5 new connections from one source within 60 s send it to SSH-evil
    $IPTABLES -A SSH -p TCP --syn -m recent --name sshconn --rcheck --seconds 60 --hitcount 5 -j SSH-evil
    # Otherwise record this connection attempt and accept it
    $IPTABLES -A SSH -p TCP --syn -m recent --name sshconn --set
    $IPTABLES -A SSH -p TCP --syn -j ACCEPT

What I need now is to add a forward rule to an internal machine, if everything is ok. How can I do this?

Thanks to all in advance.

P.S.: Thanks to Rene Gallati for his iptables script.

--
"Do or do not. There is no try" - Yoda
Joao Reis
2000Comp - Consultoria e Informática, Lda
Tel: +351 22 941 99 32  Fax: +351 22 941 99 34
www: http://www.2000comp.pt
João Reis wrote:
> What I need now is to add a forward rule to an internal machine, if everything is ok.
> How can I do this?

I cannot comment on whether your iptables code "is OK" because I'm not familiar with the "recent" module. But I'm pretty sure that this is how you forward port 22 from your public-facing interface to port 22 on an internal, private machine:

    $IPTABLES -t nat -A PREROUTING -i ${public_iface} -p tcp --dport 22 \
        -j DNAT --to-destination ${internal_ip}:22

(Adapted from MonMotha's firewall script, <http://monmotha.mplug.org/firewall/index.php>.)

--
Bernie Hoefer
PGP e-mail is welcome! Get my 1024 bit signature key from:
<http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0x446A6F93>.
"The more I know, the more I realize how much I do not understand."
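Putting the two posts together, as an added example that is not code from either poster, from the SUSE lists or from MonMotha's script: a small shell script that prints the complete rule set, i.e. João's recent-module chain, Bernie's DNAT rule, and the FORWARD rule that João asked for and that ties the two together. The interface name eth0 and the internal address 192.168.1.10 are constructed placeholders (override them through the environment). The SSH chain is entered from FORWARD rather than INPUT because, once PREROUTING has rewritten the destination, the forwarded connection never reaches INPUT on the gateway; the FORWARD match therefore uses the internal address, not the gateway's public one.

```shell
#!/bin/sh
# Added example (not from the thread): prints the iptables commands that combine
# the SSH rate-limiting chain from the question with the DNAT rule from the
# answer and the FORWARD rule that was missing. Values below are assumptions.
# Usage: ./ssh_forward.sh            (review the rules)
#        ./ssh_forward.sh | sh       (apply them, as root, on the gateway)

PUBLIC_IFACE="${PUBLIC_IFACE:-eth0}"         # assumption: eth0 faces the Internet
INTERNAL_IP="${INTERNAL_IP:-192.168.1.10}"   # assumption: the SSH server on the LAN
IPTABLES="${IPTABLES:-/usr/sbin/iptables}"

# Emit one command per line instead of executing it, so the generated rule set
# can be inspected or tested before it touches the live firewall.
emit() { printf '%s\n' "$*"; }

ssh_chain_rules() {
    # The chain from the question: 5 new connections within 60 s from one
    # source land it in "badSSH", where it is logged and rejected for 600 s.
    emit "$IPTABLES -N SSH"
    emit "$IPTABLES -N SSH-evil"
    emit "$IPTABLES -A SSH-evil -m recent --name badSSH --set -j LOG --log-level DEBUG --log-prefix \"evil SSH user: \""
    emit "$IPTABLES -A SSH-evil -j REJECT"
    emit "$IPTABLES -A SSH -p tcp ! --syn -m state --state ESTABLISHED,RELATED -j ACCEPT"
    emit "$IPTABLES -A SSH -p tcp --syn -m recent --name badSSH --rcheck --seconds 600 -j REJECT"
    emit "$IPTABLES -A SSH -p tcp --syn -m recent --name sshconn --rcheck --seconds 60 --hitcount 5 -j SSH-evil"
    emit "$IPTABLES -A SSH -p tcp --syn -m recent --name sshconn --set"
    emit "$IPTABLES -A SSH -p tcp --syn -j ACCEPT"
}

forward_rules() {
    # DNAT in PREROUTING rewrites the destination before the routing decision ...
    emit "$IPTABLES -t nat -A PREROUTING -i $PUBLIC_IFACE -p tcp --dport 22 -j DNAT --to-destination ${INTERNAL_IP}:22"
    # ... so the packet then traverses FORWARD with the internal address as
    # destination. Hand exactly that traffic to the SSH chain: what it ACCEPTs
    # is forwarded, what it REJECTs never reaches the internal host.
    emit "$IPTABLES -A FORWARD -i $PUBLIC_IFACE -d $INTERNAL_IP -p tcp --dport 22 -j SSH"
    # Replies from the internal host back to the client (ip_forward is assumed
    # to be enabled already, since the gateway routes for the LAN).
    emit "$IPTABLES -A FORWARD -o $PUBLIC_IFACE -s $INTERNAL_IP -p tcp --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

ssh_forward_ruleset() {
    ssh_chain_rules
    forward_rules
}

# Checks a reviewer would run before applying the generated rule set.
ruleset_has_forward_to_ssh_chain() {
    ssh_forward_ruleset | grep -q -- "-A FORWARD .* -d $INTERNAL_IP -p tcp --dport 22 -j SSH"
}

count_rules() { ssh_forward_ruleset | wc -l | tr -d ' '; }

ssh_forward_ruleset
```

Because the script only prints the commands, the output can be read (or diffed against the running rule set) before it is piped to sh as root; the `! --syn` rule stays first in the SSH chain so that, once a connection is accepted, its remaining packets are never counted against the `sshconn` hit count.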