Re: easiest way to shut down all network services besides ssh?
Hi.
On Thu, Dec 18, 2014 at 10:39:18AM +0100, Mart van de Wege wrote:
> Britton Kerin <britton.kerin@gmail.com> writes:
>
> > I have a system that I would like to make accessible only by ssh.
> >
> > No apache telnet ftp anything else.
> >
> > What is the easiest way to achieve this? It came from a vendor with
> > a slew of package of all sorts, so I don't even know everything that
> > I want to remove.
> >
> Simplest solution is to use iptables to reject all traffic except for
> port 22:
>
> iptables -I INPUT -p tcp --dport 22 -j ACCEPT
> iptables -P INPUT DROP
>
> Of course, this depends on none of the shell users having root access.
The simplest *working* solution is to use iptables this way:
iptables -F INPUT                                      # start from an empty INPUT chain
iptables -A INPUT -i lo -j ACCEPT                      # loopback traffic
iptables -A INPUT -p icmp -j ACCEPT                    # ping and other icmp
iptables -A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT   # replies to connections this host opened
iptables -I INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT        # -I inserts at the head of the chain
iptables -P INPUT DROP                                 # default policy: drop everything else
iptables -F OUTPUT
iptables -P OUTPUT ACCEPT
Your rules will block anything on the interface lo and outbound traffic,
which is just asking for all kinds of trouble. And blocking icmp is just
rude ;)
Reco
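Added example (not code from the thread or from either poster): a small first-match model of an iptables INPUT chain, used to show what the two rulesets in this thread do to typical packets. It models only the interface, protocol, destination port and conntrack state of a packet and the chain's default policy; all other netfilter behaviour is left out. The sample packets and port numbers are constructed. Besides reproducing the loopback, icmp and reply-traffic differences described above, the model also shows a caveat of the second ruleset: because its RELATED,ESTABLISHED rule carries `-p tcp`, UDP replies (a DNS answer, for instance) fall through to the DROP policy; dropping that qualifier is a common variation.

```python
# Added example: a tiny first-match model of an iptables INPUT chain.
# Not real netfilter; it models interface, protocol, destination port
# and conntrack state only, plus the chain policy (-P).
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str            # interface the packet arrives on ("eth0", "lo")
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]  # destination port, None for icmp
    state: str            # conntrack state: "NEW", "ESTABLISHED", "RELATED"


@dataclass(frozen=True)
class Rule:
    target: str                      # "ACCEPT" or "DROP"
    iface: Optional[str] = None      # -i
    proto: Optional[str] = None      # -p
    dport: Optional[int] = None      # --dport
    states: frozenset = frozenset()  # -m conntrack --ctstate; empty = any state

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or self.iface == p.iface)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (not self.states or p.state in self.states))


def verdict(chain: list, policy: str, p: Packet) -> str:
    """First matching rule wins; an unmatched packet gets the chain policy."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy


# Mart's rules: a single ACCEPT for tcp/22, then -P INPUT DROP.
MART_CHAIN = [Rule("ACCEPT", proto="tcp", dport=22)]

# Reco's rules. "-I" inserts at the head of the chain, so the ssh rule
# ends up first even though it was typed after the others.
RECO_CHAIN = [
    Rule("ACCEPT", proto="tcp", dport=22, states=frozenset({"NEW"})),
    Rule("ACCEPT", iface="lo"),
    Rule("ACCEPT", proto="icmp"),
    Rule("ACCEPT", proto="tcp", states=frozenset({"RELATED", "ESTABLISHED"})),
]

# Constructed sample traffic; port numbers are arbitrary.
SAMPLES = {
    "ssh_new":       Packet("eth0", "tcp", 22, "NEW"),
    "http_new":      Packet("eth0", "tcp", 80, "NEW"),
    "loopback_db":   Packet("lo", "tcp", 5432, "NEW"),
    "ping":          Packet("eth0", "icmp", None, "NEW"),
    "tcp_reply":     Packet("eth0", "tcp", 51234, "ESTABLISHED"),  # reply to a connection the host opened
    "dns_udp_reply": Packet("eth0", "udp", 40000, "ESTABLISHED"),  # reply to an outbound DNS query
}


def evaluate(chain: list, policy: str = "DROP") -> dict:
    """Return {sample name: verdict} for every constructed packet."""
    return {name: verdict(chain, policy, p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for label, chain in (("Mart", MART_CHAIN), ("Reco", RECO_CHAIN)):
        print(label, evaluate(chain))
```

Running it shows the first ruleset dropping loopback, icmp and the reply to an outbound TCP connection, while the second accepts all three; both drop a new connection to port 80, and only the ssh connection is accepted by both. When extending a real ruleset, apply the same reasoning to each packet class you need before setting the DROP policy, and apply the rules in one atomic step (for instance with iptables-restore) rather than command by command, so a partially applied chain cannot lock you out of the ssh session you are working from.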