[asterisk-biz] 87.230.80.186 - Trying to register
Steve Edwards
asterisk.org at sedwards.com
Tue Jun 29 15:26:20 CDT 2010
On Tue, 29 Jun 2010, bruce bruce wrote:
> Thanks for that Steve. This works. However, what if I do this (would I
> block myself from SSH 22):
> --------------------------------------------------------------
> sudo iptables\
> --append INPUT\
> --match tcp\
> --protocol tcp\
> --dport 22\
> --source 0.0.0.0\
> --jump ACCEPT
> --------------------------------------------------------------
> sudo iptables\
> --append INPUT\
> --source 87.230.90.0/24\
> --jump DROP
> --------------------------------------------------------------
>
> Will that block all other traffic to the server and only allow SSH 22? I
> don't want to block myself out and it's very important because this is a
> remote server. If you can confirm above then I can add the legit IPs one
> by one after that I guess.
I'm not a fan of executing iptables from the command line, nor am I an
iptables expert.
A very simple /etc/sysconfig/iptables would look like:
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# established connections
--append INPUT --match state --state RELATED,ESTABLISHED --jump ACCEPT
# accept SSH from bruce bruce
--append INPUT --match tcp --protocol tcp --dport 22 --source a.b.c.d --jump ACCEPT
# log everything else
--append INPUT --protocol all --jump LOG
# drop everything else
--append INPUT --protocol all --jump DROP
COMMIT
This should get you started.
Any time you are fiddling with iptables, it would be prudent to add
something like this to root's crontab:
# Min hour DOM month DOW command
*/05 * * * * /etc/init.d/iptables stop
In case you "blow it," you can get back in within 5 minutes.
--
Thanks in advance,
-------------------------------------------------------------------------
Steve Edwards sedwards at sedwards.com Voice: +1-760-468-3867 PST
Fax: +1-760-731-3000
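An added example (not from the thread or either poster) that checks the two rulesets above offline, using the first-match and default-policy semantics iptables applies; the admin address 203.0.113.7 stands in for a.b.c.d, and only --source, --dport and --state are modelled.

```python
import ipaddress

def parse_rule(line):
    """Parse one '--append INPUT ... --jump TARGET' line into a small match dict."""
    toks = line.replace("\\", " ").split()
    rule = {"src": None, "dport": None, "states": None, "target": None}
    for i, tok in enumerate(toks):
        nxt = toks[i + 1] if i + 1 < len(toks) else None
        if tok in ("--source", "-s"):
            # A bare address gets a /32 mask, so 0.0.0.0 matches one host, not "any".
            rule["src"] = ipaddress.ip_network(nxt, strict=False)
        elif tok == "--dport":
            rule["dport"] = int(nxt)
        elif tok == "--state":
            rule["states"] = set(nxt.split(","))
        elif tok in ("--jump", "-j"):
            rule["target"] = nxt
    return rule

def evaluate(rules, policy, src, dport, state="NEW"):
    """Verdict for a packet: target of the first matching terminating rule, else the chain policy."""
    addr = ipaddress.ip_address(src)
    for r in map(parse_rule, rules):
        if r["src"] is not None and addr not in r["src"]:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        if r["states"] is not None and state not in r["states"]:
            continue
        if r["target"] == "LOG":  # LOG is non-terminating; the walk continues
            continue
        return r["target"]
    return policy

ADMIN = "203.0.113.7"  # constructed stand-in for the admin host a.b.c.d
STEVE_RULES = [  # chain policy DROP, as in the /etc/sysconfig/iptables above
    "--append INPUT --match state --state RELATED,ESTABLISHED --jump ACCEPT",
    f"--append INPUT --match tcp --protocol tcp --dport 22 --source {ADMIN} --jump ACCEPT",
    "--append INPUT --protocol all --jump LOG",
    "--append INPUT --protocol all --jump DROP",
]
BRUCE_RULES = [  # the two command-line rules quoted above; policy left at its default
    "--append INPUT --match tcp --protocol tcp --dport 22 --source 0.0.0.0 --jump ACCEPT",
    "--append INPUT --source 87.230.90.0/24 --jump DROP",
]

if __name__ == "__main__":
    for ruleset, policy in ((STEVE_RULES, "DROP"), (BRUCE_RULES, "ACCEPT")):
        for src, port in ((ADMIN, 22), ("87.230.80.186", 5060)):
            print(policy, src, port, "->", evaluate(ruleset, policy, src, port))
```

Note that 87.230.80.186, the address in the subject line, lies outside 87.230.90.0/24, and that with a DROP policy the 0.0.0.0 rule admits nobody.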