I wouldn't even consider myself an iptables novice user, so I was wondering if someone could please help me to do this:

I want to be able to ssh into one of my servers using the eth0 network card. All other traffic should use the eth1 network card. Under no circumstances should anything other than ssh traffic go through eth0.

I think this is "easy", but I'm finding it hard to search for a solution.

Can someone please share their expertise?


As per request to detail the network topology:

eth0 and eth1 are exposed to the company network and can access the internet.

eth0 is fixed ip (with a hostname - convenient to ssh in to). eth1's IP address changes as it is assigned dynamically by the company DHCP server.

Eamorr
  • Iptables isn't hard. Maybe you should explain the situation and people can design an iptables rule for you. – Halfgaar Sep 29 '14 at 11:19
  • Please add network topology, where each network is connected, IP addresses, the default gateway, etc. Not enough information to give you any advice. – gtirloni Sep 29 '14 at 11:26
  • Do you understand that there can be only one default route for a server? And serving IPs from same subnet over 2 cards is really complicated and most of the time not worth the trouble? – Kazimieras Aliulis Sep 29 '14 at 12:56
  • Why do you need that dhcp address at all? – Kazimieras Aliulis Sep 29 '14 at 12:57
  • This is really not an `iptables` question. This is a routing question. With properly configured routing, you should be able to achieve this without needing any `iptables` rules. However in order to properly answer your question we need to know more about your routing. First of all, why are you using two interfaces instead of assigning two IPs to a single interface? – kasperd Oct 01 '14 at 11:14

1 Answer

For eth0 (I guess you are running the SSH daemon on port 22 - change appropriately if my guess is wrong):

iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -i eth0 -p tcp -m tcp -m multiport --dports 22 -j ACCEPT
iptables -t filter -A INPUT -i eth0 -p tcp -j DROP

The first rule means to allow all packets that belong to established connections. The second rule means that TCP connections on port 22 are okay. The third rule discards any other packets.

In /etc/ssh/sshd_config you should limit the address(es) the ssh daemon listens on to the one(s) from eth0, to avoid connections via eth1. For instance:

ListenAddress 192.168.1.1
ListenAddress 2001:0db8:0:1::1
Michael Kremser
  • This is a good solution and solves my problem in a way that I didn't imagine. Thank you so much! – Eamorr Sep 29 '14 at 15:28
  • So when I open Firefox, and go to http://whatismyipaddress.com/ it's still giving me the eth0 address... I'm using fail2ban and ufw, so it probably complicates matters... – Eamorr Sep 30 '14 at 08:58
  • @Eamorr: You're talking about data that goes outside from the interface, which is another story. How does the routing work? You either have to modify the routes and tell iptables not to route anything via eth0 or, if you use NAT/PT, choose the correct interface (i.e. iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE instead of iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE). – Michael Kremser Oct 01 '14 at 15:08
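An added example, not the answer's own rules, that assumes sshd on TCP/22 and eth0 as the ssh-only interface: it emits the lock-down as an iptables-save ruleset, going beyond the answer's three rules by dropping non-TCP traffic on eth0 as well, and audits an iptables-save dump for it so the check runs without root.

```shell
#!/bin/sh
# Added example, not code from the answer. Assumptions: sshd listens on
# TCP/22, eth0 is the ssh-only interface, IPv4 only (ip6tables is separate).
SSH_IF="${SSH_IF:-eth0}"
SSH_PORT="${SSH_PORT:-22}"

# Ruleset in iptables-save format. Unlike the answer's third rule, the final
# DROP has no "-p tcp", so UDP and ICMP arriving on eth0 are dropped too;
# loopback is left open so local services keep working.
ssh_only_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i ${SSH_IF} -p tcp -m tcp --dport ${SSH_PORT} -m state --state NEW -j ACCEPT
-A INPUT -i ${SSH_IF} -j DROP
COMMIT
EOF
}
# Load with: ssh_only_rules | sudo iptables-restore   (replaces the filter table)

# Audit a dump, e.g. check_dump "$(sudo iptables-save)". Returns 0 only when
# eth0 accepts nothing but ssh and ends in an interface-wide DROP.
check_dump() {
    dump="$1"
    printf '%s\n' "$dump" | grep -q -- "^-A INPUT -i ${SSH_IF} -p tcp.*--dport ${SSH_PORT} .*-j ACCEPT$" || return 1
    printf '%s\n' "$dump" | grep -q -- "^-A INPUT -i ${SSH_IF} -j DROP$" || return 1
    # Any other ACCEPT bound to the interface is a hole in the lock-down.
    if printf '%s\n' "$dump" | grep -- "^-A INPUT -i ${SSH_IF} " \
        | grep -v -- "--dport ${SSH_PORT} " | grep -q -- "-j ACCEPT$"; then
        return 1
    fi
    return 0
}

# Constructed sample of a host where a web server was also opened on eth0.
LEAKY_DUMP='*filter
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -j DROP
COMMIT'

# check_dump "$(ssh_only_rules)" && echo "eth0 is ssh-only"
# check_dump "$LEAKY_DUMP" || echo "eth0 accepts more than ssh"
```

The audit only inspects the INPUT chain; outbound traffic choosing eth0, as in the comment above, is a routing matter and is not covered by these rules.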