
    Thursday, March 06, 2014

    Iptables rules to allow/block ssh incoming/outgoing connection in Linux

    Let me show you some iptables rules which can be used to allow or block SSH connections from a specific host or network.


    Block 192.168.1.10 from connecting to our host 192.168.1.6
    [root@test1 ~]# iptables -I INPUT -s 192.168.1.10 -p tcp --dport ssh -j REJECT
    Let us try to connect to 192.168.1.6 from 192.168.1.10
    [root@test ~]# ssh 192.168.1.6 -v
    OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Applying options for *
    debug1: Connecting to 192.168.1.6 [192.168.1.6] port 22.
    debug1: connect to address 192.168.1.6 port 22:
    Connection refused
    ssh: connect to host 192.168.1.6 port 22: Connection refused

    So it fails immediately with "Connection refused": REJECT answers the SYN with an ICMP port-unreachable message (visible as "reject-with icmp-port-unreachable" in the rule listing below), so the client knows at once that the port is closed.

    Let us check the packet counters on 192.168.1.6 for the attempts made by 192.168.1.10
    [root@test1 ~]# iptables -L INPUT -v
    Chain INPUT (policy ACCEPT 19 packets, 1263 bytes)
     pkts bytes target     prot opt in     out     source               destination
        1   120 REJECT     tcp  --  any    any     192.168.1.10         anywhere            tcp dpt:ssh reject-with icmp-port-unreachable

    So as per the counters, 1 packet from 192.168.1.10 hit the rule, i.e. one attempt was made to connect to our machine.

    Another way to block SSH connections from a specific host is to use DROP instead of REJECT
    [root@test1 ~]# iptables -I INPUT -s 192.168.1.10 -p tcp --dport ssh -j DROP
    Let us try to connect to 192.168.1.6 from 192.168.1.10
    [root@test ~]# ssh 192.168.1.6 -v
    OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Applying options for *
    debug1: Connecting to 192.168.1.6 [192.168.1.6] port 22.
    debug1: connect to address 192.168.1.6 port 22:
    Connection timed out
    ssh: connect to host 192.168.1.6 port 22: Connection timed out

    As you can see, the error message differs from the one for the previous rule.

    Here the SYN from the remote host is silently discarded and no reply of any kind is sent, so the client keeps waiting (and retransmitting) until it gives up; no connection is ever established between the two hosts.

    Let us see the number of packets sent in the attempt to connect to 192.168.1.6
    [root@test1 ~]# iptables -L INPUT -v
    Chain INPUT (policy ACCEPT 22 packets, 1552 bytes)
    pkts bytes target     prot opt in     out     source               destination
       3   180 DROP       tcp  --  any    any     192.168.1.10         anywhere            tcp dpt:ssh

    3 packets were sent by 192.168.1.10 (the client retransmits its SYN while it waits for an answer) before it gave up with the "Connection timed out" error

    Block SSH connections in the ESTABLISHED state from 192.168.1.10
    [root@test1 ~]# iptables -I INPUT -s 192.168.1.10 -p tcp --dport ssh -m state --state ESTABLISHED -j REJECT
    Let us make an attempt for the same from 192.168.1.10
    [root@test ~]# ssh 192.168.1.6 -v
    OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Applying options for *
    debug1: Connecting to 192.168.1.6 [192.168.1.6] port 22.
    debug1: Connection established.
    debug1: permanently_set_uid: 0/0
    debug1: identity file /root/.ssh/identity type -1
    debug1: identity file /root/.ssh/id_rsa type -1
    debug1: identity file /root/.ssh/id_dsa type -1

    The attempt gets stuck here: the TCP handshake completes (those packets are in the NEW state), but every subsequent packet of the now established connection is rejected.

    Allow SSH connections from 192.168.1.10
    # iptables -I INPUT -s 192.168.1.10 -p tcp --dport ssh -j ACCEPT
    Let us make an attempt for the same from 192.168.1.10
    [root@test ~]# ssh 192.168.1.6
    root@192.168.1.6's password:
    Last login: Thu Mar  6 11:19:32 2014 from 192.168.1.2
    [root@test1 ~]#

    We have connected successfully

    A stricter rule to allow or block the same, matching on connection state (replace ACCEPT with REJECT to block)
    [root@test1 ~]# iptables -I INPUT -s 192.168.1.10 -p tcp --dport ssh -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    State        Description
    NEW          the packet has started a new connection, or is otherwise associated with a connection which has not seen packets in both directions
    ESTABLISHED  the packet is associated with a connection which has seen packets in both directions
    RELATED      the packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error
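Every rule in this walkthrough is added with -I, which inserts at the top of the INPUT chain, so the most recently added rule takes precedence and running the same command twice leaves two identical rules in the chain. The helper below is an added example, not code from the original post: it validates the source address, builds the state-matching rule from the previous command, and inserts it only if iptables -C reports that it is not already present. It assumes a root shell with iptables in PATH; the IPTABLES variable, a name chosen here, can be pointed at a wrapper for dry runs.

```shell
#!/bin/sh
# Added example, not code from the original post: an idempotent helper for the
# per-host SSH rules shown above. Assumes a root shell with iptables in PATH;
# IPTABLES (a name chosen for this example) may point at a wrapper for dry runs.
IPTABLES="${IPTABLES:-iptables}"

# valid_ipv4 ADDR -> 0 if ADDR is a dotted-quad IPv4 address with an optional /prefix
valid_ipv4() {
    addr=${1%%/*}
    case "$1" in
        */*) prefix=${1#*/} ;;
        *)   prefix=32 ;;
    esac
    echo "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    case "$prefix" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS
    IFS=.
    set -- $addr
    IFS=$oldifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# ssh_rule TARGET SOURCE [STATES]
# Inserts "-s SOURCE -p tcp --dport 22 -m state --state STATES -j TARGET" at the
# top of the INPUT chain, but only when an identical rule is not already there:
# repeating "iptables -I" as in the walkthrough leaves duplicate rules behind.
ssh_rule() {
    target=$1
    src=$2
    states=${3:-NEW,ESTABLISHED,RELATED}
    case "$target" in
        ACCEPT|REJECT|DROP) ;;
        *) echo "ssh_rule: target must be ACCEPT, REJECT or DROP" >&2; return 2 ;;
    esac
    valid_ipv4 "$src" || { echo "ssh_rule: bad source address '$src'" >&2; return 2; }
    set -- -s "$src" -p tcp --dport 22 -m state --state "$states" -j "$target"
    # "iptables -C" exits 0 when a matching rule already exists in the chain
    if "$IPTABLES" -C INPUT "$@" 2>/dev/null; then
        echo "exists: INPUT $*"
        return 0
    fi
    "$IPTABLES" -I INPUT "$@" && echo "inserted: INPUT $*"
}

# When run directly as a script, e.g. "./ssh_rule.sh REJECT 192.168.1.10" or
# "./ssh_rule.sh ACCEPT 192.168.1.0/24 NEW", apply the requested rule.
if [ $# -ge 2 ]; then
    ssh_rule "$@"
fi
```

Because the check compares the exact match specification and target, a second call with the same arguments reports "exists" instead of adding a duplicate; a call with a different state list is still treated as a new rule, which is what you want when tightening a broad ACCEPT to NEW only.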

    Block SSH connections from all hosts EXCEPT 192.168.1.2
    # iptables -I INPUT ! -s  192.168.1.2 -p tcp --dport ssh -m state --state NEW,ESTABLISHED,RELATED -j REJECT
    Let us also log these packets to verify our rule. Inserting the LOG rule after the REJECT rule places it above the REJECT in the chain, which is required: LOG is a non-terminating target, so the packet is logged first and then falls through to the REJECT rule.
    # iptables -I INPUT ! -s  192.168.1.2 -p tcp --dport ssh -m state --state NEW,ESTABLISHED,RELATED -j LOG --log-prefix "BLOCK SSH "
    To know more about how to log iptables messages, see the article "How to log iptables messages in different log file".

    Make an attempt to SSH from any other machine in the 192.168.1.0/24 network
    [root@test ~]# ssh 192.168.1.6
    ssh: connect to host 192.168.1.6 port 22: Connection refused

    Verify in the logs
    # cat /var/log/iptables | grep "BLOCK SSH"
    Mar  6 14:03:55 test1 kernel: BLOCK SSH IN=eth3 OUT= MAC=00:0c:29:51:aa:e1:00:0c:29:a3:f5:fa:08:00 SRC=192.168.1.10 DST=192.168.1.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=43914 DF PROTO=TCP SPT=35026 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
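A LOG rule writes one kernel line per matching packet, so a single blocked client that retransmits its SYN shows up several times and a grep alone does not tell you how many distinct sources were turned away. The script below is an added example, not code from the original post: it reads lines in the format shown above, counts only the SYN packets to port 22 per source address, and lists the busiest sources first. The log file path and the "BLOCK SSH" prefix are the ones used on this page; the sample lines it carries are constructed for offline use.

```shell
#!/bin/sh
# Added example, not code from the original post: summarise the "BLOCK SSH"
# kernel log lines produced by the LOG rule above. Assumes the log format shown
# in the walkthrough (one kernel message per line, fields as KEY=VALUE tokens).

# sample_log prints a few constructed log lines in that format for offline use:
# two SYNs from 192.168.1.10, one SYN and one ACK from 192.168.1.20, and one
# unrelated line without the prefix.
sample_log() {
    cat <<'EOF'
Mar  6 14:03:55 test1 kernel: BLOCK SSH IN=eth3 OUT= MAC=00:0c:29:51:aa:e1:00:0c:29:a3:f5:fa:08:00 SRC=192.168.1.10 DST=192.168.1.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=43914 DF PROTO=TCP SPT=35026 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
Mar  6 14:03:58 test1 kernel: BLOCK SSH IN=eth3 OUT= MAC=00:0c:29:51:aa:e1:00:0c:29:a3:f5:fa:08:00 SRC=192.168.1.10 DST=192.168.1.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=43915 DF PROTO=TCP SPT=35027 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
Mar  6 14:04:10 test1 kernel: BLOCK SSH IN=eth3 OUT= MAC=00:0c:29:51:aa:e1:00:0c:29:bb:01:02:08:00 SRC=192.168.1.20 DST=192.168.1.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1001 DF PROTO=TCP SPT=40210 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
Mar  6 14:04:12 test1 kernel: BLOCK SSH IN=eth3 OUT= MAC=00:0c:29:51:aa:e1:00:0c:29:bb:01:02:08:00 SRC=192.168.1.20 DST=192.168.1.6 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1002 DF PROTO=TCP SPT=40210 DPT=22 WINDOW=14600 RES=0x00 ACK URGP=0
Mar  6 14:05:00 test1 kernel: IN=eth3 OUT= MAC=00:0c:29:51:aa:e1:00:0c:29:cc:03:04:08:00 SRC=192.168.1.30 DST=192.168.1.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2002 DF PROTO=TCP SPT=5555 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
EOF
}

# summarize_ssh_blocks [MIN]: read log lines on stdin and print "count source"
# for every source whose rejected SSH SYNs number at least MIN (default 1),
# busiest source first. Only SYN packets are counted so that other packets of
# the same attempt (ACKs, retransmitted data) are not mistaken for new attempts.
summarize_ssh_blocks() {
    awk -v min="${1:-1}" '
    index($0, "BLOCK SSH") {
        src = ""; dpt = ""; syn = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)      src = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            else if ($i == "SYN")  syn = 1
        }
        if (src != "" && dpt == "22" && syn) count[src]++
    }
    END {
        for (s in count) if (count[s] >= min) printf "%d %s\n", count[s], s
    }' | sort -rn
}

# Against the real log from the walkthrough:
#   summarize_ssh_blocks < /var/log/iptables
#   summarize_ssh_blocks 5 < /var/log/iptables    # only sources with 5 or more attempts
# Against the constructed sample:
#   sample_log | summarize_ssh_blocks
```

Run with a threshold, the second form gives a quick list of hosts that repeatedly tried to reach the SSH port despite being blocked, which is the short list worth looking into after verifying the rule works.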

    Block outgoing SSH connections to the 192.168.1.0/24 subnet
    # iptables -I OUTPUT -d 192.168.1.0/24  -p tcp --dport 22 -j REJECT
    Verify
    # ssh -v 192.168.1.6
    OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Applying options for *
    debug1: Connecting to 192.168.1.6 [192.168.1.6] port 22.
    debug1: connect to address 192.168.1.6 port 22: Connection refused
    ssh: connect to host 192.168.1.6 port 22: Connection refused
    So as you can see, the local host is no longer allowed to make SSH connections to the 192.168.1.0/24 subnet.
