Stealthing Port 22 in iptables

Deron Meranda deron.meranda at gmail.com
Thu Apr 28 16:33:01 UTC 2005


On 4/28/05, Roger Grosswiler <roger at gwch.net> wrote:
> Is this correct, that those rules just open port 22 for IP address
> 192.168.3.1 or 192.168.2.0/24, so only this IP address(es) can access
> ssh-services and the rest sees it as blocked?
> 
> iptables -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s
> 192.168.3.1 --dport 22 -j ACCEPT

The rule is correct, but the -A means append the rule to the
end of the table.  The RH-Firewall-1-INPUT table probably
already has a last rule that rejects all traffic...so your appended
rule will be too late.

> Would this open it for a whole subnet 192.168.2.0/24?
> 
> iptables -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s
> 192.168.2.0/24 --dport 22 -j ACCEPT

Yes, also correct with same caveat.

> ...and does a combination of both work? Can I only start this with an
> additional shell-script, as if I would call system-config-securitylevel
> it would overwrite this config?

You can have both rules at the same time.

> This would be a good idea, having 'stealth port' clicked in
> system-config-securitylevel too...

The GUI doesn't support so-called "stealthed ports", which I suspect
you mean to be limited to specific source IPs or netblocks.

What you really want to do is to place any custom iptables rules
outside of the RH-Firewall* chains.  This way they won't confuse
the GUI with rules it doesn't understand, and the GUI won't
overwrite them.

What you probably want to do is to add those rule(s) to the
beginning of your INPUT chain; *before* the RH-Firewall* chain
is called.

  iptables -I INPUT 1 -s 192.168.2.0/24 -m tcp -p tcp --dport 22 \
     -m state --state NEW -j ACCEPT

(that's a -I (letter Eye), meaning to insert before rule #1).

Then to make sure your changes stay permanent (survive
reboots), just do

  iptables-save >/etc/sysconfig/iptables


Also, while you're at it and using ssh, you may want to
figure out how to use ssh keys, rather than passwords.
Then you can disable password-based access altogether
by changing PasswordAuthentication to "no" in the
/etc/ssh/sshd_config file.  By doing that you don't need to
worry about exposing port 22 nearly as much.

-- 
Deron Meranda
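An added example (not part of the mail above) of the rule-ordering point Deron makes: it walks a constructed iptables-save excerpt the way the kernel does, so you can see that an ACCEPT appended with -A after the RH-Firewall-1-INPUT chain's catch-all REJECT is never reached, while the same rule placed with -I INPUT 1 is hit first. The chain contents and the 192.168.2.10 client address are constructed for the example; only the handful of matchers shown (-s, -p, --dport, --state, -j) are evaluated.

```python
import ipaddress
import shlex
# Constructed iptables-save excerpt (not from the mail): INPUT jumps into a Fedora-style
# RH-Firewall-1-INPUT chain ending in a catch-all REJECT; the ACCEPT was appended with -A.
DUMP_APPENDED = """\
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 192.168.2.0/24 --dport 22 -j ACCEPT
"""
# The same rule placed with "-I INPUT 1" instead, i.e. ahead of the jump.
DUMP_INSERTED = ("-A INPUT -s 192.168.2.0/24 -m tcp -p tcp --dport 22 "
                 "-m state --state NEW -j ACCEPT\n" + DUMP_APPENDED)
SETTERS = {"-s": ("src", lambda v: ipaddress.ip_network(v, strict=False)),
           "-p": ("proto", str), "--dport": ("dport", int), "-j": ("target", str),
           "--state": ("state", lambda v: set(v.split(",")))}  # other options are skipped

def parse_dump(dump):
    """Return {chain: [rule, ...]} in the order the kernel evaluates them."""
    chains = {}
    for line in (ln for ln in dump.splitlines() if ln.startswith("-A ")):
        tok, rule, i = shlex.split(line), {}, 2
        while i < len(tok):  # an option's value is the next token unless that is an option
            val = tok[i + 1] if i + 1 < len(tok) and not tok[i + 1].startswith("-") else None
            if tok[i] in SETTERS:
                key, conv = SETTERS[tok[i]]
                rule[key] = conv(val)
            i += 1 if val is None else 2
        chains.setdefault(tok[1], []).append(rule)
    return chains

def matches(rule, pkt):  # every matcher present in the rule must accept the packet
    return all(pkt[k] in rule[k] if k in ("src", "state") else pkt[k] == rule[k]
               for k in rule if k != "target")

def verdict(chains, chain, pkt):
    """Walk a chain top to bottom; return (terminating target, chain) or None if exhausted."""
    for rule in (r for r in chains.get(chain, []) if matches(r, pkt)):
        if rule.get("target") in ("ACCEPT", "DROP", "REJECT"):
            return rule["target"], chain
        hit = verdict(chains, rule.get("target"), pkt)  # descend into a user-defined chain
        if hit:
            return hit
    return None  # user chain: back to the caller; built-in chain: its policy applies

def ssh_verdict(dump, src="192.168.2.10"):
    """Fate of a NEW TCP connection to port 22 from src under the given dump."""
    pkt = {"src": ipaddress.ip_address(src), "proto": "tcp", "dport": 22, "state": "NEW"}
    return verdict(parse_dump(dump), "INPUT", pkt)
```

Running the same check against a real `iptables-save` dump (as root) shows at a glance which rule will actually decide a fresh SSH connection from a given client.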
