blocking access to port 22 when INPUT policy is ACCEPT
G.W. Haywood
ged at jubileegroup.co.uk
Wed Aug 1 10:30:04 CEST 2007
Hi there,
On Wed, 1 Aug 2007 Grant Taylor wrote:
> Wrong logic operator. The question could also be written as "How do I
> block all connections not from the set A or B or C or ...".
>
> One way to achieve this is with the IPSet match extension (which I
> have not worked with, so this may not be syntactically correct).
>
> iptables -A INPUT -m set ! --set sshclients src -j DROP
Looks good to me. Here's the most recent addition to my roughly two
dozen ipsets:
iptables -I INPUT 98 -m set --set BLOCKSET08 src -j DROP
(My BLOCKSET08 set blocks /8 IP ranges. :)
FWIW I currently have a little over 26,000 IP ranges blocked in 25 sets
and the performance is fine on very modest hardware.
At present I believe there are some issues compiling ipsets with the
latest 2.6 kernels, probably worth looking before you leap.
--
73,
Ged.
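The set-based allow-list discussed in the thread, written out as an added example (not code from either poster): it creates the set, loads the permitted sources, and inserts the port-22 rule with the negation where iptables accepts it (`-m set ! --match-set`, or `! --set` on the older ipset of 2007), ahead of any ACCEPT. The set name is the one from the quoted post; the addresses, the DRY_RUN switch and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original thread: allow SSH only from the
# sources in an ipset and drop every other port-22 connection.  The set name
# "sshclients" is from the quoted post; the addresses are constructed
# placeholders (RFC 5737 ranges).  Syntax is ipset 6.x / iptables 1.4.x
# ("--match-set"); ipset 2.x/4.x spelled it "--set".  Either way the "!"
# belongs after "-m set", not in front of it.
SET_NAME="${SET_NAME:-sshclients}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands only, 0 = execute as root

# Constructed allow-list; hash:net takes single hosts and CIDR ranges alike.
ALLOWED_SOURCES="192.0.2.0/24 198.51.100.10 203.0.113.0/28"

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create the set (idempotent thanks to -exist) and load the allowed sources.
build_allowlist() {
    run ipset create "$SET_NAME" hash:net -exist
    for src in $ALLOWED_SOURCES; do
        run ipset add "$SET_NAME" "$src" -exist
    done
}

# Insert the DROP rule at the top of INPUT.  With a default policy of ACCEPT
# (or earlier ACCEPT rules) an appended rule (-A) may never be reached, so
# -I INPUT 1 is used; -C skips the insert when an identical rule exists.
install_rule() {
    if [ "$DRY_RUN" != 1 ] && iptables -C INPUT -p tcp --dport 22 \
            -m set ! --match-set "$SET_NAME" src -j DROP 2>/dev/null; then
        return 0
    fi
    run iptables -I INPUT 1 -p tcp --dport 22 \
        -m set ! --match-set "$SET_NAME" src -j DROP
}

main() {
    build_allowlist
    install_rule
}

main
```

Run with `DRY_RUN=0` as root to apply; the default prints the commands so the rule text can be checked first with `ipset test sshclients <addr>` and `iptables -S INPUT`.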