Michael Klinosky wrote:
Rick:
If you only want to allow incoming ssh sessions from that address
block, use iptables and insert a rule:
-A INPUT -p tcp -m tcp -s 200.100.0.0/16 --syn --dport 22 -j ACCEPT
and make sure the last rule is something like:
-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK,FIN,RST SYN -j DROP
to drop any connection attempts other than the ones allowed above it.
How does this differ from the hosts.allow & hosts.deny method?
Not by a whole lot looking at the end result. It's perfectly possible
to use the hosts.* files. I personally feel safer with iptables knowing
it works for every program on the computer, while the hosts.* files only
work for programs which are tcpwrappers aware (iptables works with the
kernel's tcp stack and can control connections at a low level, while the
deny.* controls are implemented within each program/daemon).
Justin:
If you would be able to tell us which ISP you have, you may be able to
narrow down the address range even more.
I know about whois.org - so I tried it. I had to delve a bit to get the
detailed info, but found the range. There is a CIDR - is that what I
want? It's narrowed down to /21.
Yes. CIDR stands for Classless Interdomain Routing. It allows for
network masks to go beyond the original Class A, B, C, etc addresses.
By using CIDR, it is possible to use the internet address space more
efficiently, and waste fewer addresses when different networks are
needed. With 5 bits borrowed from the Class B address, there's a
possibility of 32 (2**5) different address ranges which you could be
part of. Each network can only have 2048 hosts (down from a Class B's
65536), an impressive 96.875% reduction.
I've constructed a listing of the different address ranges which are
possible in your situation. All you need to do is dial-up the client,
get its current IP address, and find which range it falls in. Then in
the iptables (or hosts.allow) line below the table, replace the network
address with the one you selected from the list (e.g. 200.100.48.0 if
your IP is 200.100.51.192):
200.100.0.0-200.100.7.255 | 200.100.128.0-200.100.131.255
200.100.8.0-200.100.15.255 | 200.100.132.0-200.100.135.255
200.100.16.0-200.100.23.255 | 200.100.144.0-200.100.151.255
200.100.24.0-200.100.31.255 | 200.100.152.0-200.100.159.255
200.100.32.0-200.100.39.255 | 200.100.160.0-200.100.167.255
200.100.40.0-200.100.47.255 | 200.100.168.0-200.100.175.255
200.100.48.0-200.100.55.255 | 200.100.176.0-200.100.183.255
200.100.56.0-200.100.63.255 | 200.100.184.0-200.100.191.255
200.100.64.0-200.100.71.255 | 200.100.192.0-200.100.199.255
200.100.72.0-200.100.79.255 | 200.100.200.0-200.100.207.255
200.100.80.0-200.100.87.255 | 200.100.208.0-200.100.215.255
200.100.88.0-200.100.95.255 | 200.100.216.0-200.100.223.255
200.100.96.0-200.100.103.255 | 200.100.224.0-200.100.231.255
200.100.104.0-200.100.111.255 | 200.100.232.0-200.100.239.255
200.100.112.0-200.100.119.255 | 200.100.240.0-200.100.247.255
200.100.120.0-200.100.127.255 | 200.100.248.0-200.100.255.255
iptables -A INPUT -p tcp --dport 22 -s 200.100.0.0/21 -j ACCEPT (with a
drop policy)
sshd: 200.100.0.0/255.255.248.0 (hosts.allow)
sshd: ALL (hosts.deny)
Justin W
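Added example, not part of the thread: a short Python script that does the /21 arithmetic described above (which block a given dial-up address falls in, the full listing of the 32 blocks of the /16, and a check that a candidate source address is inside the chosen block) and emits the matching iptables and hosts.allow/hosts.deny lines. The 200.100.x.x addresses are the thread's own placeholder values; the function names are mine.

```python
from __future__ import annotations
import ipaddress

def enclosing_block(ip: str, prefix_len: int) -> ipaddress.IPv4Network:
    """The /prefix_len network containing ip, e.g. 200.100.51.192 -> 200.100.48.0/21.
    strict=False lets ipaddress zero out the host bits for us."""
    return ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)

def subnets_of(parent: str, prefix_len: int) -> list[ipaddress.IPv4Network]:
    """All /prefix_len blocks inside parent: the 32 (2**5) /21s of a /16."""
    return list(ipaddress.ip_network(parent).subnets(new_prefix=prefix_len))

def range_table(parent: str, prefix_len: int) -> list[tuple[str, str]]:
    """First and last address of each block, as in the listing in the mail."""
    return [(str(n[0]), str(n[-1])) for n in subnets_of(parent, prefix_len)]

def is_allowed(src_ip: str, net: ipaddress.IPv4Network) -> bool:
    """Would a connection from src_ip match the ACCEPT rule for net?"""
    return ipaddress.ip_address(src_ip) in net

def allow_rules(net: ipaddress.IPv4Network, port: int = 22) -> dict[str, str]:
    """Equivalent iptables and tcp_wrappers lines for one permitted source block.
    --syn limits the ACCEPT to new connections; the DROP line must come last."""
    return {
        "iptables_accept": (f"iptables -A INPUT -p tcp --syn --dport {port} "
                            f"-s {net.with_prefixlen} -j ACCEPT"),
        "iptables_drop": "iptables -A INPUT -p tcp --syn -j DROP",
        "hosts_allow": f"sshd: {net.network_address}/{net.netmask}",
        "hosts_deny": "sshd: ALL",
    }

if __name__ == "__main__":
    # Constructed input: the dial-up address used as the example in the mail.
    block = enclosing_block("200.100.51.192", 21)
    print(f"{block} holds {block.num_addresses} addresses")
    for first, last in range_table("200.100.0.0/16", 21):
        print(f"{first}-{last}")
    for line in allow_rules(block).values():
        print(line)
```

Note that a dial-up client may land in a different /21 on its next call, so re-run the check against the current address before trusting the rule.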