
Re: easiest way to shut down all network services besides ssh?

Hi.

On Thu, Dec 18, 2014 at 10:39:18AM +0100, Mart van de Wege wrote:
> Britton Kerin <britton.kerin@gmail.com> writes:
> 
> > I have a system that I would like to make accessible only by ssh.
> >
> > No apache telnet ftp anything else.
> >
> > What is the easiest way to achieve this?  It came from a vendor with
> > a slew of package of all sorts, so I don't even know everything that
> > I want to remove.
> >
> Simplest solution is to use iptables to reject all traffic except for
> port 22:
> 
> iptables -I INPUT -p tcp --dport 22 -j ACCEPT
> iptables -P INPUT DROP
> 
> Of course, this depends on none of the shell users having root access.

The simplest *working* solution is to use iptables this way:

iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
iptables -P INPUT DROP
iptables -F OUTPUT
iptables -P OUTPUT ACCEPT


Your rules will block anything on the interface lo and outbound traffic,
which is just asking for all kinds of trouble. And blocking icmp is just
rude ;)

Reco
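The rules above are typed one at a time, which leaves a window where the policy is DROP before the accept rules exist, covers only IPv4, and offers no way back if the SSH rule is wrong on a remote box. As an added example (not code from the thread), the same ruleset in iptables-restore format, loaded atomically for IPv4 and IPv6 with an automatic revert unless the admin confirms. It assumes sshd listens on port 22 (override with SSH_PORT), that the conntrack match is available, and that iptables-restore/ip6tables-restore exist; the INVALID-state drop and the FORWARD DROP policy are additions beyond Reco's rules.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Assumption: sshd on port 22 unless SSH_PORT is set in the environment.
SSH_PORT="${SSH_PORT:-22}"

# Emit a complete filter table in iptables-restore format.
# $1 is the ICMP protocol name: "icmp" for IPv4, "ipv6-icmp" for IPv6.
# ICMPv6 must be allowed on IPv6 or neighbor discovery (and thus all
# traffic) breaks, so the whole table is generated per address family.
ruleset() {
    icmp_proto="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p $icmp_proto -j ACCEPT
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Syntax-check both rulesets without touching the kernel tables
# (iptables-restore --test parses and validates only).
check() {
    ruleset icmp      | iptables-restore --test  || return 1
    ruleset ipv6-icmp | ip6tables-restore --test || return 1
}

# Load atomically, then revert after 60 s unless the admin confirms from
# an SSH session that still works under the new rules.
apply_with_rollback() {
    check || { echo "ruleset rejected, nothing applied" >&2; return 1; }
    backup=$(mktemp -d) || return 1
    iptables-save  > "$backup/v4.bak"
    ip6tables-save > "$backup/v6.bak"
    ruleset icmp      | iptables-restore
    ruleset ipv6-icmp | ip6tables-restore
    ( sleep 60
      iptables-restore  < "$backup/v4.bak"
      ip6tables-restore < "$backup/v6.bak" ) &
    revert=$!
    printf 'Rules loaded. Still connected? Keep them [y/N]: '
    read ans
    case "$ans" in
        y|Y) kill "$revert" 2>/dev/null; echo "kept"; rm -rf "$backup" ;;
        *)   wait "$revert"; echo "reverted to previous rules" ;;
    esac
}

# Run as root with "apply" to load the rules; without arguments only the
# functions are defined, and "show" prints the IPv4 ruleset for review.
case "${1:-}" in
    apply) apply_with_rollback ;;
    show)  ruleset icmp ;;
esac
```

If the confirmation never arrives (the SSH session died), the background job restores the saved tables after a minute; persist the rules with your distribution's usual mechanism (on Debian, iptables-persistent) only once the "kept" path has succeeded.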
