On Tue, 2007-09-18 at 12:09 -0700, Mike Wright wrote: > Ashley M. Kirchner wrote: > > Mike Wright wrote: > > > >> Allow your subnets before the above rules. Here's a sample rule: > >> > >> -A INPUT -s 10.0.0.0/24 -p tcp --dport 22 --syn -j ACCEPT > >> # subnet ^^^^^^^^^^^ > >> > >> You'd need one rule for each subnet. > >> > >> hth > > > > > > Awesome Mike, that worked like a charm. Thanks! > > Very welcome. > > > > Somewhat related question: would the same rules work for ftp attacks > > as well? Obviously replacing the port number with 21, but would they > > work? Duplicate the lines, replace port and hope that ftp also gets > > curbed the same way? > > > > I think so. I know that there are connection tracking issues with ftp > but I don't think that applies here. Each connection starts with an > initial NEW packet. > You need a 'stateful' rule and both tcp ports 20 and 21 opened for your network (or at least 21, depending on how your ftp server is configured). I'll explain why: when client initiate connection to ftp server it will get back an high number port on which it will transfer the data, therefore it will initiate a new connection on that port. The new port number is random, so you cannot possibly now it. However, this connection is not entirely new: it will be related to the first connection on port 21. So the rule would need to be something like: -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT But, since you are using ssh, I suggest start using also sftp for file transfer: much more secure, encrypted, no plain text passwords and only tcp port 22 opened in firewall. Calin Cosma ================================================= It may be bad manners to talk with your mouth full, but it isn't too good either if you speak when your head is empty.