Re: IPTables, IRC, and SSH
On Sat, Feb 03, 2001 at 12:38:47PM -0700, Troy Telford wrote:
> I would like to use the state-tracking for IRC, but simply having the
> --state established,related (and new... but I don't think that's
> necessary) --sport irc(d) options doesn't seem to do anything...
Correct, "NEW" is not necessary.
> I can connect TO the IRC server, but it won't allow a login. I've read
> that it has something to do with ICMP, but I don't know exactly what,
> nor how to fix it.
Possibly they ping your machine (regarding ICMP), though I've never
heard of that before. What is _more_ likely is that they require IDENT
support on your machine. If this is the case then you would need to run
an identd on your box... my recommendation would be oidentd (
http://ojnk.sourceforge.net/ , or the Debian package which is a little
bit old). Naturally you would also need to allow connections to this
daemon, so tcp INPUT NEW,ESTABLISHED and OUTPUT ESTABLISHED would need to
> Second - SSH - I would like iptables to accept incoming connections to
> OpenSSH, but from a specific domain (myschool.edu). However, I don't
> know the IP range for the domain, nor do I know how to set IPtables to
> allow connections from only that domain.
In short - you can't. You can pass hostnames to iptables, but it will
only match the results of a DNS lookup which may not include all the
remote addresses you want.
Your options are:
A- take the time to find out all the possible source addresses, and
allow connections from those;
B- use tcp_wrappers support with OpenSSH and use your
/etc/hosts.[deny|allow] to manage access to the service based on the
C- run OpenSSH under a superserver such as xinetd or inetd which has
tcp_wrappers support, and follow "B" above.
> So what commands do I need to use for SSH?
> (Again, with state tracking would be preferred).
As with identd, you will need to allow tcp INPUT NEW,ESTABLISHED and
OUTPUT ESTABLISHED to that port.