
I'm at a loss to explain why these rules don't have the same effect as whitelisting ip addresses. Can anyone tell me why?

# /etc/hosts.deny
sshd : 61.174.51.215 : deny
sshd : ALL : deny

# /etc/hosts.allow
sshd : 10.1.2.186 : allow
sshd : 42.42.42... : allow

I then go to the command line and run `systemctl start iptables.service`.

What am I doing wrong?

0112

1 Answer


Looks like you're using tcpwrappers instead of iptables, friend.

This is one way to enable it:

/sbin/iptables -A INPUT -s 10.1.2.186 -p tcp -m tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -s 42.42.42.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable

Andrew Schulman
Cronparser
  • `icmp-port-unreachable` is appropriate for UDP; since this is TCP, you should use `tcp-reset` instead. – kasperd May 20 '14 at 17:52
  • I've never had to do sysadmin stuff until just recently. If it wouldn't be too much trouble could you explain what you mean by tcpwrappers? – 0112 May 20 '14 at 18:08
  • Whouaou that's an edition, Andrew Schulman! You're such a life saver! – philippe May 20 '14 at 19:48
  • I've run the commands as you said (with the correct IPs), and restarted iptables. But I'm still seeing a ton of failed ssh logins on the root account as well as others. – 0112 May 20 '14 at 20:54
  • @alex0112 The restart is going to discard the rules you just created with those commands. Just run those three commands again and, if you are satisfied with how they behave, save the rules. It used to be `service iptables save` that you had to type to save the rules, but that may have changed. – kasperd May 20 '14 at 21:49
  • I think it works now. – 0112 May 21 '14 at 01:47
  • Another quick question (unless you think I should make another question for this): how do I specify the IP address of my computer, regardless of the network I'm connected to? – 0112 May 21 '14 at 01:48
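The answer's point is that hosts.allow and hosts.deny are read by tcp_wrappers inside a daemon linked with libwrap (or run via tcpd), not by the kernel packet filter, so they never touch iptables and apply only to services that consult them. Added example, not from the question or the answer: a small Python model of the hosts_access(5) evaluation order (hosts.allow first, then hosts.deny, otherwise permit), run against rule files constructed from the question's entries; the prefix `42.42.42.` is an assumed trailing-dot network pattern standing in for the elided "42.42.42...".

```python
import ipaddress

# Constructed rule files modelled on the question's entries. "42.42.42." is an
# assumed trailing-dot prefix (a hosts_access(5) form), not the asker's network.
HOSTS_ALLOW = """
sshd : 10.1.2.186 : allow
sshd : 42.42.42. : allow
"""
HOSTS_DENY = """
sshd : 61.174.51.215 : deny
sshd : ALL : deny
"""

def client_matches(pattern, ip):
    """One client pattern: ALL, exact IPv4, trailing-dot prefix, or CIDR."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return ip.startswith(pattern)
    if "/" in pattern:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return ip == pattern

def first_match(table, daemon, ip):
    """Option ('allow', 'deny' or '') of the first matching line; None if none matches."""
    for raw in table.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons, clients = fields[0].split(), fields[1].split()
        if daemon not in daemons and "ALL" not in daemons:
            continue
        if any(client_matches(c, ip) for c in clients):
            return fields[2].lower() if len(fields) > 2 else ""
    return None

def tcpd_decision(daemon, ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts_access order: hosts.allow first, then hosts.deny, else permit.
    An explicit allow/deny option on a line overrides the file it sits in."""
    opt = first_match(allow, daemon, ip)
    if opt is not None:
        return "deny" if opt == "deny" else "allow"
    opt = first_match(deny, daemon, ip)
    if opt is not None:
        return "allow" if opt == "allow" else "deny"
    return "allow"   # no line matched: tcp_wrappers permits by default
```

Note that a daemon the rules never name (for example `httpd` below) is permitted, and a daemon not linked with libwrap never asks at all; only a packet filter rule like the answer's iptables lines blocks the connection before it reaches the service.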