On 06/28/2016 04:17 AM, -G-@gospamyourself.com wrote:
> Hi,
> In the past I used a combination of hosts.allow and hosts.deny with a
> “FW_TRUSTED_NETS” variable specifying the computers' IP addresses that were
> allowed to connect to another computer running the ssh service.
>
> Now I want to do the same, but I realised that in 13.1 this does not work any
> more and read that a similar thing could be done with iptables.
Odd… you may want to check again. I’d be surprised if something like
that went away.
> I do not have experience with iptables and despite reading about it for 2
> days I am still confused on how to go about it.
With great power comes great responsibility (and complexity, moral or
technical depending on the number of spiders or chameleons involved).
> I wonder if anybody has specific hints on how to restrict ssh logging into a
> computer to two other computers.
>
> Assuming that the computers' IP addresses are 1.2.3.4 and 5.6.7.8
> I read that this could be achieved with something like this:
>
> iptables -A INPUT -p tcp -s 1.2.3.4 --dport 22 -j ACCEPT
>
> iptables -A INPUT -p tcp -s 5.6.7.8 --dport 22 -j ACCEPT
>
> iptables -A INPUT -p tcp --dport 22 -j DROP
If these were your only rules, then that could be fine, as this says to
allow anything from 1.2.3.4 as well as 5.6.7.8 using TCP to destination
port 22, which is what you’re after as long as you have SSH on TCP 22 as
is default, and then it says to drop any SSH-ish stuff from anybody else
trying to reach TCP 22 (don’t forget about other ports).
> and then
>
> iptables-save
iptables-save is a great command to output the current firewall
configuration as iptables commands. You can then write those to a file to be
re-read by iptables-restore, perhaps at boot time, but do not be confused
into thinking this is ever done for you because it is not.
> My questions are:
>
> 1. Is the above correct?
Depends on your goals. Yes, the commands work, and no they are not
persistent.
> 2. Where is the result stored, in case I make an error or want to edit
> something or revert to the original state?
In memory, or from the iptables-save output, on your screen.
> 3. Is there a better way of doing the above?
Good question, and maybe the best one overall. More history:
SUSE has its own firewall configuration magic under the hood and unless
you work with it you need to disable it or you will be fighting a battle
forever. The SuSEfirewall2 (the name of the firewall service) service
starts and stops with the system and has a nice Yast-powered interface to
do various configuration things. It is integrated with the system so it
knows when the network starts/stops (you change locations with your
laptop, for example, or you change from wireless to physical NIC, or you
restart, or start up VMs in KVM or Xen, or… you get the idea). It also
keeps track of different zones (external, internal, DMZ) if you want to,
which is neat if you want it.
In your case I would recommend using the SuSEfirewall2 service, but then
modifying it to allow specific systems to do specific things. For now, go
into Yast (sudo /sbin/yast firewall) and then go to ‘Custom Rules’ and see
if you can add your two IP addresses there as allowed to access TCP 22.
The source IPs will be 1.2.3.4/32 and 2.3.4.5/32 and then you can set them
to be allowed, probably on the External (default) zone.
Save, quit, and now see what you see different from the following command:
sudo /usr/sbin/iptables-save
If nothing else, this will help you learn how the iptables commands work.
If you really want to create a firewall from scratch, there are articles
on that which are really good and SUSE-focused, but I do not think it is
worth it for you since you want a little bit of tweaking, not a completely
new firewall service.
–
Good luck.
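As an added example (not from this thread or from SuSEfirewall2), a small POSIX shell helper that emits the allowlist discussed above in the format iptables-save prints, generalised to any number of trusted addresses, plus a check that the catch-all DROP really sits after the ACCEPT rules. Port 22 and the addresses 1.2.3.4 and 5.6.7.8 are the question's; the function names are assumed.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits the SSH allowlist as an
# iptables-restore fragment (the format iptables-save prints) and checks that
# the catch-all DROP is evaluated after the ACCEPT rules.
# Assumed helper names. Apply the output with: iptables-restore < rules.txt
# Nothing here persists across a reboot; the file has to be restored at boot.

# ssh_allowlist_rules PORT SRC_IP [SRC_IP...]  -> rules on stdout
ssh_allowlist_rules() {
    port=$1; shift
    printf '%s\n' '*filter'
    for src in "$@"; do
        # One ACCEPT per trusted host; /32 matches exactly that address.
        printf '%s\n' "-A INPUT -p tcp -s $src/32 --dport $port -j ACCEPT"
    done
    # iptables walks the chain top to bottom and stops at the first match,
    # so the DROP for everyone else has to come after every ACCEPT.
    printf '%s\n' "-A INPUT -p tcp --dport $port -j DROP"
    printf '%s\n' 'COMMIT'
}

# ssh_rule_order_ok PORT < iptables-save-output
# Returns 0 if no ACCEPT for PORT appears after the DROP for PORT, 1 otherwise.
# Run it on iptables-save output after editing rules by hand: an ACCEPT that
# lands below the DROP is never reached and the trusted host is locked out.
ssh_rule_order_ok() {
    awk -v pat="--dport $1 " '
        $0 ~ pat && /-j DROP/   { drop_seen = 1; next }
        $0 ~ pat && /-j ACCEPT/ { if (drop_seen) bad = 1 }
        END { exit bad ? 1 : 0 }'
}
```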