Re: easiest way to shut down all network services besides ssh?
Hi.
On Thu, 18 Dec 2014 12:35:31 +0100
Mart van de Wege <mvdwege@gmail.com> wrote:
> Reco <recoverym4n@gmail.com> writes:
>
> > Hi.
> >
> > On Thu, Dec 18, 2014 at 10:39:18AM +0100, Mart van de Wege wrote:
> >> Britton Kerin <britton.kerin@gmail.com> writes:
> >>
> >> > I have a system that I would like to make accessible only by ssh.
> >> >
> >> > No apache telnet ftp anything else.
> >> >
> >> > What is the easiest way to achieve this? It came from a vendor with
> >> > a slew of package of all sorts, so I don't even know everything that
> >> > I want to remove.
> >> >
> >> Simplest solution is to use iptables to reject all traffic except for
> >> port 22:
> >>
> >> iptables -I INPUT -p tcp --dport 22 -j ACCEPT
> >> iptables -P INPUT DROP
> >>
> >> Of course, this depends on none of the shell users having root access.
> >
> > The simplest *working* solution is to use iptables this way:
> >
> > iptables -F INPUT
> > iptables -A INPUT -i lo -j ACCEPT
> > iptables -A INPUT -p icmp -j ACCEPT
> > iptables -A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> > iptables -I INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
> > iptables -P INPUT DROP
> > iptables -F OUTPUT
> > iptables -P OUTPUT ACCEPT
> >
> >
> > Your rules will block anything on the interface lo and outbound traffic,
> > which is just asking for all kinds of trouble. And blocking icmp is just
> > rude ;)
>
> Heh. You're right about the lo blockage, I keep forgetting that
> every time I write iptables rules.
Oops. I forgot about this one:
iptables -A INPUT -p udp -m conntrack --ctstate RELATED,ESTABLISHED \
-j ACCEPT
> Outbound traffic is not necessary, surely? The answers of the box to
> incoming ssh packets still count as part of the INPUT stream.
Not unless you use '-m conntrack --ctstate NEW'. And (see below) not
unless you'll want to limit all new outbound connections to ssh only.
> The
> RELATED,ESTABLISHED rule is only for stupid protocols like FTP, that
> like to open new outbound connections in response to inbound requests.
Not quite true. You forgot to take into account good old DNS, for
example. Now, sure, DNS *is* stupid, but sshd relies on it to some
extent. Or, say, NTP, which is UDP-based too.
Besides, OP may need to establish new outbound connections from his
host. This:
iptables -A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED \
-j ACCEPT
will allow such connections without the need to punch multiple holes in
the INPUT chain.
> Then again, chain OUTPUT defaults to ACCEPT anyway.
True. But, just to be on the safe side, I'd add '-P ACCEPT' to OUTPUT
too.
Reco
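The point of the exchange above (lo, ICMP, and the RELATED,ESTABLISHED rules for both TCP and UDP) can be traced packet by packet with a small model. The following is an added example, not code from the thread: it models only the NEW/ESTABLISHED part of conntrack as a set of symmetric 5-tuples (RELATED helpers such as FTP are not modelled) and evaluates Reco's INPUT chain with policy DROP and an OUTPUT chain with policy ACCEPT. All addresses and ports are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str      # "lo" or "eth0" (constructed interface names)
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int
    dport: int
    inbound: bool   # True: traverses INPUT; False: traverses OUTPUT


class Firewall:
    """Toy model of the ruleset from the thread, not iptables itself.

    INPUT: lo ACCEPT; icmp ACCEPT; tcp ESTABLISHED ACCEPT;
           udp ESTABLISHED ACCEPT (optional, the rule Reco added later);
           tcp dport 22 NEW ACCEPT; policy DROP.
    OUTPUT: policy ACCEPT (every outbound packet creates a conntrack entry).
    """

    def __init__(self, udp_established_rule=True):
        self.conntrack = set()
        self.udp_established_rule = udp_established_rule

    @staticmethod
    def _flow(p):
        # Direction-independent flow key, so a reply matches the query's entry.
        ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
        return (p.proto, ends[0], ends[1])

    def ctstate(self, p):
        return "ESTABLISHED" if self._flow(p) in self.conntrack else "NEW"

    def _input_chain(self, p):
        if p.iface == "lo" or p.proto == "icmp":
            return "ACCEPT"
        state = self.ctstate(p)
        if p.proto == "tcp" and state == "ESTABLISHED":
            return "ACCEPT"
        if p.proto == "udp" and state == "ESTABLISHED" and self.udp_established_rule:
            return "ACCEPT"
        if p.proto == "tcp" and p.dport == 22 and state == "NEW":
            return "ACCEPT"
        return "DROP"          # chain policy

    def filter(self, p):
        verdict = "ACCEPT" if not p.inbound else self._input_chain(p)
        if verdict == "ACCEPT":
            self.conntrack.add(self._flow(p))   # accepted packets create/refresh state
        return verdict
```

Running an outbound DNS query through a `Firewall(udp_established_rule=False)` and then its reply shows the reply dropped, which is the failure Reco's "Oops" line fixes; with the default UDP rule the reply is accepted while an unsolicited inbound packet to port 80 is still dropped.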