Block all ports except SSH on a specific network card
I have 2 network cards, I need one of them to be used for work and the other is an open public network.
I'd like to use the work network card for ssh only:
hutber@hutber-blade ~ $ sudo iptables -S | grep enx9cebe863eaa8
-A INPUT -i enx9cebe863eaa8 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT ! -i enx9cebe863eaa8 -p tcp -m tcp --dport 22 -j
I have set up the following rules, but once I enable enx9cebe863eaa8 all network traffic goes through this card.
ssh networking network-interface
asked Jul 4 at 15:57
Jamie Hutber
That second rule would match tcp/22 on all other interfaces, but you're missing the argument to -j. You'd need DROP (or REJECT) on the same interface to block everything else. And routes set up sanely for the communication to work. Do you have that already in place, or is setting up the routing part of the question?
– ilkkachu
Jul 4 at 16:55
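The following is an added example, not the asker's ruleset and not something posted in this thread. It writes out the iptables rules that match the intent described above (the work card accepts SSH and nothing else, and SSH is refused on every other card), with the missing -j target from the asker's second rule filled in as DROP. The interface name, the use of the conntrack match, and the loopback accept are my assumptions; the rules are printed first so they can be reviewed before anything is applied as root.

```sh
#!/bin/sh
# Added example, not the asker's ruleset. Builds the iptables rules that confine
# one NIC (the "work" card) to SSH and keep SSH off every other NIC.
# Assumptions: iptables with the conntrack match is available; the interface
# name is passed as the first argument; the default route already lives on the
# public card (dropping packets does not change routing, see the note below).

# Print the rules, one "iptables ..." command per line, without applying them.
# Order matters: the accepts come before the catch-all DROPs on the same NIC.
# The loopback accept is there because the "! -i" rule would otherwise also
# drop ssh to localhost.
ssh_only_rules() {
    ifc="$1"
    cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $ifc -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $ifc -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i $ifc -j DROP
iptables -A INPUT ! -i $ifc -p tcp --dport 22 -j DROP
iptables -A OUTPUT -o $ifc -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $ifc -j DROP
EOF
}

# Number of generated rules that are bound to the given interface (all but the
# loopback accept); a quick sanity check before applying.
rule_count() {
    ssh_only_rules "$1" | grep -c -- "-[io] $1 "
}

# Apply the rules (requires root). Existing rules in INPUT/OUTPUT are left
# alone, so run "iptables -S" afterwards and check the resulting order.
apply_ssh_only_rules() {
    ssh_only_rules "$1" | sh -e
}

# Dry run when executed directly, e.g.:  sh ssh_only.sh enx9cebe863eaa8
if [ -n "${1:-}" ]; then
    ssh_only_rules "$1"
fi
```

The OUTPUT rules stop the host from starting any connection out of the work card (only replies to accepted SSH sessions leave that way), which is what prevents leakage if traffic is routed there by mistake. They do not fix the routing itself: if the default route moved to the work card when it came up, non-SSH traffic is now dropped rather than sent out the public card, so check with ip route that the default route still points at the public interface.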
There is a listen address in sshd_config which restricts sshd to listen only on that IP.
– Archemar
Jul 4 at 17:26
Thanks @Archemar, I always thought the sshd config ListenAddress would mean that ssh can't use any other IP, but I didn't realise it blocked the IP from using any other ports as well. If I understand you correctly?
– Jamie Hutber
Jul 5 at 10:26
Yes, ListenAddress 192.168.100.100 will listen only on this IP; an incoming ssh connection to 192.168.1.100 on the same host will be dropped by inetd (not sshd). You won't be able to ssh localhost either. (This might or might not be a hindrance, but can be useful to test.)
– Archemar
Jul 5 at 11:07
Thanks again Arch. I still think you misunderstand me. Please confirm back lol because I am confused. When I use ListenAddress 192.168.100.100 in my ssh/config file, 192.168.100.100 will ONLY be able to use port 22 and NO other ports?
– Jamie Hutber
Jul 6 at 9:17
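An added check for the point the last two comments circle around (this is my script, not something posted in the thread): ListenAddress is a directive of the server's sshd_config and only decides which local address sshd binds to; it does nothing to the other services on the host, so ports other than 22 stay reachable on that IP unless a firewall rule closes them. The script below reads ss -ltn style output and lists the non-SSH ports that answer on the work address. The address 192.168.100.100 is taken from the comments; the socket listing is constructed sample data.

```sh
#!/bin/sh
# Added example, not from the thread. "ListenAddress" in sshd_config only
# decides which local address sshd binds; it does not close other services'
# ports. This script lists what is still reachable on the work address.
# The ss output below is constructed; on a real host feed it:  ss -ltnH
WORK_IP=192.168.100.100

SAMPLE_SS='LISTEN 0 128 192.168.100.100:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:111 0.0.0.0:*
LISTEN 0 50 192.168.100.100:3306 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

# exposed_ports ADDR  (reads ss -ltn lines on stdin)
# Prints every listening TCP port other than 22 that answers on ADDR: sockets
# bound to ADDR itself and wildcard binds (0.0.0.0, and [::], which on Linux
# also accepts IPv4 unless net.ipv6.bindv6only is set). Column 4 of ss output
# is the local address:port.
exposed_ports() {
    awk -v addr="$1" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")
            port = parts[n]
            host = substr($4, 1, length($4) - length(port) - 1)
            if ((host == addr || host == "0.0.0.0" || host == "[::]") && port != "22")
                print port
        }' | sort -n | uniq
}

# Run against the constructed sample when executed directly:
# prints 111 (wildcard bind) and 3306 (bound to the work address).
printf '%s\n' "$SAMPLE_SS" | exposed_ports "$WORK_IP"
```

Anything this prints is a port that ListenAddress leaves open on the work card; closing those is the firewall's job (an interface-scoped DROP on that card), not sshd's.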