OPS335 Lab 2

10 bytes added, 10:31, 28 September 2016
#* '''Note:''' Use '''--jump''' or '''-j''' (<u>not</u> -g or --goto) to move to a target. With '''-g''' processing does not return to the calling chain when the target chain finishes, so rules after the jump in '''INPUT''' would be skipped.
# Add a rule to your '''MYSSH''' chain to accept all traffic on your virtual interface from '''192.168.X.0/24''' (i.e. your internal network).
# Add rules to the '''end of the MYSSH chain''' that log all remaining '''ssh''' packets with log level 'info' and log prefix "DENIED BY MYSSH", and then drop them. The '''LOG''' target does not stop rule processing, so the log rule must come '''before''' the drop rule; in the reverse order nothing would ever be logged.
# Remove the rule in your '''INPUT''' chain that was allowing all '''ssh''' traffic. Do this only after the '''MYSSH''' rules are in place, and from the console rather than over an '''ssh''' session, or you may lock yourself out.
# Issue '''iptables -L -v''' to view your firewall rules for your newly-created chain.<br /><br />Next we'll create a new chain to handle rules relating only to the '''ICMP''' protocol (ping):<br><br>
# Remove the rule in your '''INPUT''' chain that is allowing all '''icmp'''.
# Make a new chain named '''MYICMP'''.
# Insert a rule at the '''beginning of the INPUT chain''' to send '''ICMP''' packets to your '''MYICMP''' chain.
# Find a partner and get the '''IP address''' and '''MAC address''' of '''their external facing interface''' (this should be an internal address beginning with '''10.x.x.x''').
# Add a rule to your '''MYICMP''' chain that allows '''ICMP''' packets coming in from '''192.168.X.0/24''' (i.e. your internal network).
# Insert a rule at the '''beginning of your MYICMP chain''' that drops '''ICMP pings''' (echo requests) whose source MAC address is your partner's machine (the '''mac''' match module, '''-m mac --mac-source'''). This only works because your partner is on the same layer-2 segment: a packet that arrives through a router carries the router's MAC address, not the original sender's.
# Insert a rule at the '''beginning of your MYICMP chain''' that drops '''ICMP pings''' whose source IP address is your partner's machine.
# Issue '''iptables -L -v''' to view your firewall rules for your newly-created chains.
# Have your partner attempt to ping and '''ssh''' to your machine using its external facing address to verify that your rules are working.<br />They should not be able to connect, the packet and byte counters shown by '''iptables -L -v''' should increase on the drop rules in your MYICMP and MYSSH chains, and your system logs should show their failed '''ssh''' attempts with the "DENIED BY MYSSH" prefix.
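The whole procedure above, written out as a shell script. This is an added example, not part of the lab page or the course material. The network '''192.168.1.0/24''', the interface '''virbr0''', the partner address '''10.0.0.2''' and MAC '''52:54:00:12:34:56''' are placeholders that you must replace with your own values (or set them through the environment variables of the same name); the two old blanket '''INPUT''' accept rules it deletes are assumed to be exactly '''-p tcp --dport 22 -j ACCEPT''' and '''-p icmp -j ACCEPT'''. Run it as '''sh firewall.sh dry-run''' to print the iptables calls without applying them, and as '''sh firewall.sh apply''' (as root, from the console) to apply them.

```shell
#!/bin/sh
# Added example script (not from the lab page): builds the MYSSH and MYICMP
# chains described in the steps above.  Every value below is a placeholder
# that you must replace with your own; iptables is only run when you pass the
# word "apply", and IPT=echo turns every call into a printed dry run.

INT_NET="${INT_NET:-192.168.1.0/24}"             # assumption: your 192.168.X.0/24
INT_IF="${INT_IF:-virbr0}"                       # assumption: your virtual interface
PARTNER_IP="${PARTNER_IP:-10.0.0.2}"             # assumption: partner's external address
PARTNER_MAC="${PARTNER_MAC:-52:54:00:12:34:56}"  # assumption: partner's MAC address
IPT="${IPT:-iptables}"                           # IPT=echo prints instead of applying

ipt() { "$IPT" "$@"; }

# Create the chain, or flush it if it already exists, so re-runs are safe.
fresh_chain() { ipt -N "$1" 2>/dev/null || ipt -F "$1"; }

build_myssh() {
    fresh_chain MYSSH
    # Send ssh (tcp/22) arriving in INPUT to MYSSH (-j, not -g: -g never returns).
    ipt -I INPUT 1 -p tcp --dport 22 -j MYSSH
    # Accept ssh from the internal network on the virtual interface.
    ipt -A MYSSH -i "$INT_IF" -s "$INT_NET" -j ACCEPT
    # LOG does not stop rule processing, so it must come before the DROP.
    ipt -A MYSSH -j LOG --log-level info --log-prefix "DENIED BY MYSSH "
    ipt -A MYSSH -j DROP
    # Only now remove the old blanket ssh accept from INPUT (assumed to be this rule).
    ipt -D INPUT -p tcp --dport 22 -j ACCEPT 2>/dev/null || true
}

build_myicmp() {
    fresh_chain MYICMP
    # Remove the old blanket icmp accept (assumed rule), then divert icmp to MYICMP.
    ipt -D INPUT -p icmp -j ACCEPT 2>/dev/null || true
    ipt -I INPUT 1 -p icmp -j MYICMP
    # Allow icmp from the internal network.
    ipt -A MYICMP -s "$INT_NET" -j ACCEPT
    # Partner rules are inserted at the top so they are checked before the ACCEPT.
    # The mac match sees the source MAC of the frame that actually arrived, so it
    # only identifies the partner while they are on the same L2 segment.
    ipt -I MYICMP 1 -p icmp --icmp-type echo-request -m mac --mac-source "$PARTNER_MAC" -j DROP
    ipt -I MYICMP 1 -p icmp --icmp-type echo-request -s "$PARTNER_IP" -j DROP
}

# Show the rules with packet/byte counters, as "iptables -L -v" in the lab does.
show_chains() { ipt -L INPUT -v -n; ipt -L MYSSH -v -n; ipt -L MYICMP -v -n; }

case "${1:-}" in
    apply)   build_myssh; build_myicmp; show_chains ;;
    dry-run) IPT=echo; build_myssh; build_myicmp ;;
    *)       : ;;   # no argument: only define the functions (safe to source)
esac
```

The deletes are deliberately placed after the new chain rules so that there is no moment in which ssh from the internal network is unfiltered or, worse, unreachable; '''|| true''' keeps the script going when the old rule has already been removed on a previous run.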