General :: Iptables Restrict Ssh Session By Mac Address?
May 24, 2011
I'm in the process of restricting access to my Linux production box, where ssh access needs to be limited to only a few MAC addresses. I've followed the instructions outlined in this guide and ran the following two commands:
/sbin/iptables -A INPUT -m mac --mac-source XX:XX:XX:XX:XX:XX -j DROP
/sbin/iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
root@xxxx:~/#: iptables --list
[code]....
View 3 Replies
Feb 6, 2010
I am trying to configure my Linux router to restrict Internet access for one computer on my LAN. It needs to be restrictive based on the time of day and the days of the week. I am using the MAC address of the computer to single out the one computer that needs to be blocked. However, this is my first attempt at making any rules with iptables, and I am not sure if I am doing this right. If someone can take a look at this I would greatly appreciate it. This is what I have done so far.
Here is my thinking. Create a new target. Check the MAC address; if it is NOT the offending computer, return to the default chain. If it is the offending computer, check that we are between the allowed hours and dates and ACCEPT. If we are not within the time/date range then drop the packet.
Code:
Here I am trying to route all packets regardless of the computer on the LAN into the blocked_access chain for checking.
Code:
Is it a good idea to route all traffic through the blocked_access chain? I do run other servers that are accessible from the Internet, so I am not sure how this setup will affect that. I also use shorewall on the router to set up iptables for me. How would I integrate this with shorewall?
I am using squid to block access when he is using the web browser. However, he is still able to play games (World of Warcraft) and the like.
I am using Debian sid, iptable(1.4.6), shorewall(4.4.6), kernel 2.6.32-trunk-686.
View 7 Replies
Jun 30, 2010
I am currently in a project to set up an LTSP server with 10 thin clients. I am using Ubuntu 9.10 (Karmic).
Installing the server and booting the clients are working fine. Now, according to the need, I have to restrict the number of user sessions and allow resuming a previous user session.
I have achieved the first one, but still have not been able to set up the second one. As per the requirement, if some thin client has a power failure, the same session should be restored. I am confused here as to whether I need to focus on saving X sessions or saving GNOME sessions. I am looking for a concrete solution as I am running out of time.
View 1 Replies
Oct 22, 2009
I want to restrict telnet sessions for users.
That means a client can log in as one user at a time, not multiple logins.
For example:
I want to restrict this. How do I restrict one user from using multiple logins?
View 4 Replies
Sep 17, 2010
I'd like to use tc and iptables to restrict the download speed. I understand this is known as policing. Are there some resources I could use to learn how to do this? I want to restrict on a per-IP basis.
View 1 Replies
Aug 3, 2011
I have a server located remotely that I'd like to protect by allowing access to only my IP address (on any port). Currently anyone can access the server using ssh, http, and any other services that my server is running. (The reason I need to protect it for now is that it's a test/development server and really only needs to be accessed by me.)
The downside of doing this is every time my desktop IP address changes (from where I access the remote server), I would need to update the iptables configuration. (This could be a hassle, but based on my limited knowledge it seems to be the best way to allow access from only myself.)
Could anyone share how to allow access to my server using iptables from only my IP address and on any port?
View 4 Replies
Feb 17, 2010
I have one Linux PC installed with Suse 11.1. On this I have created three users for access.
Users are able to access their login from a Windows PC via some utilities.
1. Putty
2. Xming
Users are able to log in using both. With PuTTY there is no GUI. But with Xming's XLaunch they are able to get a similar session as on the Linux host PC. At this point the host Linux PC becomes too slow in performance.
How do I restrict the users from opening such a session by enabling/disabling some setting on the Linux PC?
View 2 Replies
Feb 26, 2010
Is it possible to restrict root logons to the SSH server to just a single IP address (or maybe a range)? I have other users connecting to the server daily, so restricting ALL access to a single IP I cannot do. I need root enabled (for my own reasons) but want to lock it down a bit more.
View 9 Replies
Jul 29, 2010
I want to restrict the access to my local web server by IP address. I'm in a LAN (192.168.200.xx) so I have this:
[code]....
But when I try to connect from 192.168.200.4 it says I don't have permission to access.
View 1 Replies
Nov 3, 2010
Take this scenario: I have rate limited the connections to 4 (i.e. if you attempt a 4th connection you won't be able to log in for some time). If in a minute I get disconnected 3 times while I was already logged in on the server with a screen session, will I be able to log in or do I need to keep quiet for a minute?
Quote:
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name DEFAULT --rsource -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
View 5 Replies
Nov 11, 2010
How can I add IP addresses that are multiples of 3, up to 255? That is, I want to block IP addresses that are multiples of 3, up to 255.
As an example 192.168.0.3,192.168.0.6,192.168.0.9,192.168.0.12 etc.
View 4 Replies
Jan 12, 2011
I use Debian Squeeze with Banshee 1.6.1 and I'm having a problem with some commands in Banshee via terminal:
$ banshee --play
$ banshee --stop
$ banshee --next
$ banshee --previous
Instead of changing the playback, these commands open a new Banshee window, and then I get 2 banshee processes running. I tried to get some help in Banshee's forum, and they said it's a problem with Dbus, more specifically, the variable DBUS_SESSION_BUS_ADDRESS is not set. If I run the following command, I get an empty line:
login@host:~$ echo $DBUS_SESSION_BUS_ADDRESS
login@host:~$
I searched on Google and I found some solutions that worked for other distros, but in Debian they are not working.
View 2 Replies
Jul 24, 2010
I need to open this address, ftp.nai.com; is there a way to use an address rather than an IP in iptables?
View 7 Replies
Jun 9, 2009
I am using OpenSSH 5.2-p1. I want to restrict the user "admin" to log in to the server only from a specific IP address; for this purpose I have tried the following blocks in the sshd_config file. The following is the part of the sshd_config file which I have modified:
#The following commands will only allow specific IP to login to ssh.
#AllowUsers admin user1 user2
#AllowGroups
# override default of no subsystems.
Subsystem sftp internal-sftp
Match Group sftpgroup
ChrootDirectory /home
AllowTCPForwarding no
[code].....
I want to restrict the admin user to log in to the server only from the IP 172.16.100.221, which can be done by using the AllowUsers line, but I don't want to use the AllowUsers line.
View 1 Replies
Apr 15, 2009
I have three machines on three networks: 192.x.x.x, 10.x.x.x and 172.x.x.x. The routers are set to forward communication between the 192. network and the 10. network, and between the 10. network and the 172. network. However, there's no routing between 192. and 172. I want to fix that by using a machine on the 10. network to forward communication between the other two networks. The machine has one ethernet connection, eth0, whose address is 10.1.1.11. I set up an aliased IP address eth0:0 to be 10.1.1.12 using
Quote:
ifconfig eth0:0 10.1.1.12
Then I tried to set forwarding rules on the 10. machine such that the 10.1.1.12 address will provide access to the machine 172.1.1.55 as follows
Quote:
# iptables -t nat -A PREROUTING -d 10.1.1.12 -j DNAT --to-destination 172.1.1.55
The default policies for all chains are ACCEPT. I then try to access 10.1.1.12 from 192.1.1.20 expecting it to actually access 172.1.1.55; it does not work.
View 3 Replies
Mar 30, 2009
I am setting up a iptables firewall on one of our servers, and I would like to block a range of addresses from getting into the system. I am using a script that does a BLACKIN and BLACKOUT methodology for specific addresses. One example is the following:
Code:
$IPTABLES -A BLACKIN -s 202.109.114.147 -j DROP
...
$IPTABLES -A BLACKOUT -d 202.109.114.117 -j DROP
What would be the correct syntax to use if I wanted to block an entire remote subnet from getting into the server?
View 4 Replies
Jun 29, 2011
I have an Ubuntu server 10.04 LTS with 3 NICs: "eth0" local and eth1,2 as internet connections. It acts as a firewall, http proxy and samba file server. I installed the Zentyal panel manager on my server for easier management. I did not configure any specific rule for my firewall, but I have some problems with my clients who want to connect to my server as a gateway or as a file server; even I myself experienced these problems too. These problems are as follows:
1. Sometimes, for a few minutes (maximum 10 minutes), my server blocks some of my clients from accessing it or the internet, but just for minutes; it is very annoying.
2. All of my clients who log in to https servers or log in to their mail, or those who have software like TeamViewer, say that they are logged out from their session randomly. I mean some of them get logged out from their mail (Yahoo Mail or Google Mail) or disconnected from their TeamViewer connection, or as I saw, TeamViewer disconnects for a few seconds and then comes back again. But I did not set anything in my firewall or other services. These are my complete iptables rules:
View 9 Replies
Mar 31, 2009
I need to know what the iptables "code" is to change the outgoing/incoming IP for port 53 (DNS). I'm running CentOS on a dedicated server. I'm very familiar with PuTTY and SSH, so I don't need much detail; I just can't figure this out. I asked my server provider but they deleted my ticket and didn't answer me. I tried this, but I am not sure if this is correct or working.
View 5 Replies
Oct 25, 2010
Here is a glimpse of my IPTABLES
http://pastebin.com/WvHAC46A
I see in the sources column the addresses being resolved to domain names; is there a way I can stop this?
View 4 Replies
Jun 19, 2011
How to redirect network traffic to a new IP address using iptables? I am using a Buffalo router and the rtos used is DD-WRT. Basically, I want it so that any connection going through my router to a specific IP (say, 192.168.11.5) will be redirected to another IP (say, 192.168.11.7), so any outgoing connections made by a program that is attempting to connect to 192.168.11.5 will instead connect to 192.168.11.7.
View 2 Replies
Jun 20, 2009
I was trying to create a script to show the last time iptables had seen a given IP address (contained in the ipt_recent kernel hook; my user-defined table name is 'iplist'). The ipt_recent table yields the following information (IPv4 addresses masked for paranoid reasons):
Code:
src=www.xxx.yyy.zzz ttl: 114 last_seen: 9355600126 oldest_pkt: 1 9355600126
src=www.xxx.yyy.zzz ttl: 109 last_seen: 10020040763 oldest_pkt: 1 10020040763
src=www.xxx.yyy.zzz ttl: 111 last_seen: 8106864077 oldest_pkt: 3 8103790647, 8106530788, 8106864077
src=www.xxx.yyy.zzz ttl: 109 last_seen: 9937861664 oldest_pkt: 1 9937861664
src=www.xxx.yyy.zzz ttl: 115 last_seen: 8244867102 oldest_pkt: 1 8244867102
The attempted command used was:
Code:
cat /proc/net/ipt_recent/iplist | awk '{print ($1 ,system("date -d @" $5));}'
Such a command yields the following (I'm willing to live with the trailing zero):
Code:
Wed Jun 20 05:48:46 EDT 2266
src=www.xxx.yyy.zzz 0
[code]....
I presume the ipt_recent table uses the standard UNIX epoch timestamp. Am I using the date command syntax incorrectly, is this a 32-bit vs 64-bit break, or is it something else? Please note that I am using FC10, and I have double-checked my system clock settings (both BIOS and OS). The system has only been running during 2009 (no reboot yet).
View 2 Replies
Jul 8, 2011
My ISP offers the service of native IPv6. So my ADSL router provides me with a local and a global IPv6 address. However, after a reboot it takes minutes to finally see the global address when using "ifconfig eth0". During that time I can't do a ping6 to an external server, which seems logical. So I waited several minutes, but no global address. After that I started a KDE session, went back to the console (<Ctrl>+<Alt>+F1) and now the global address was there. Is this normal behavior or should I file a bug report?
View 6 Replies
Sep 17, 2010
I am facing a strange problem with my iptables, as there are some firewall entries stored somewhere which display the below firewall entries even after flushing the iptables, and when I restart the iptables service the firewall entries are again shown in my iptables, as shown below:
[root@myhome ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
[code]....
View 6 Replies
Feb 20, 2010
I'm using a Debian server as router/firewall. I've two ethernet interfaces in the server, one for WAN and one for LAN. Then I use SNAT so my LAN clients can access the internet through the Debian router. That is working... Now I want to be able to access servers on the LAN side from the WAN side, and I want to use port address translation (PAT). I have an FTP server running on a LAN server, so I'm trying to port forward port 21.
iptables -t nat -A PREROUTING -p tcp -i eth1 -d (WANIP) --dport 21 -j DNAT --to 192.168.1.2:21
When people try to access my FTP from the WAN side, they are redirected to the local FTP server and they are prompted for credentials, but when the credentials are typed and the local FTP server should answer the WAN request, the connection dies.
The WAN clients are being prompted for credentials, so they are redirected to the local LAN server, but after that the connection dies, so I think there is some kind of NAT problem when the local LAN server is trying to respond to the WAN request.
Here is my iptables script:
#flush table
iptables -F
#input rules
[code]....
View 6 Replies
May 11, 2010
Info about session timeout.
I use TMOUT = 15 min in my /etc/profile (along with readonly TMOUT). I have some issues I need to address, and am looking for ideas.
1. What is considered an idle "session"?
2. If I send a process to the background with & and do nothing, is this an idle session?
3. If a user uses su to a higher level, are there now two sessions? Is the TMOUT for the user suspended until the su user times out or leaves the su session?
4. I have some users who will run long SQL queries. Is there a workaround to have the session remain active until the process has finished?
View 3 Replies
Jul 20, 2011
What is a Production IP address and a Management IP address in Linux servers? What is the significance of these two? When to use which?
View 3 Replies
Apr 13, 2010
How can I get the physical address corresponding to a virtual address in Linux by using the /proc file system?
View 1 Replies
Nov 22, 2010
Suppose that some person is an insomniac because of a bad habit of chatting on IRC every night until 3AM. That completely ruins this person's life because he is unable to wake up on time to attend his exams, because he will be fully exhausted every day and will feel depressed.
That person is conscious of this bad behaviour, and would accept any help, including installing software on his own computer, granting me admin privileges to install it.
Do you know of such software that ideally:
1. Would prevent use of the computer at certain time ranges, let's say 11PM — 6AM
2. Would gracefully shut down the computer at the beginning of that time range (not killing all the applications brutally), and shut it down again if the user attempts to switch it back on
3. Would warn 10 minutes beforehand
4. Could occasionally be disabled if I give a one-time password to that person?
That person uses Linux, and I am curious to know what is available for that purpose. It is kind of a parental control, but not for a child.
View 2 Replies
Jul 19, 2010
I'm REALLY new with Linux and I've downloaded and installed Ubuntu... now here's the question: how do I set up WLAN internet use? I've tried using ipconfig /all on the Windows command line but I'm not sure which info to use where, save for the Physical Address going towards the MAC Address info.
View 14 Replies
Sep 15, 2011
Under Linux, I would like to be able to launch anything from the command line in a "safe" environment, i.e. be assured that it can't read or write any file on my computer, and even better if it couldn't access the network. I thought about creating a user with read rights only in the current folder (and nowhere else), and su to this user to launch the command; would this work? And what about the network?
View 2 Replies