Blocking SSH access to a particular PC with iptables

Q I'm configuring a firewall that's got an eth0 link to the internet and an eth1 link to an internal subnet (172.16.2.0). I've put in the following rule to stop all SSH access to a PC (172.16.2.120) on the subnet via the firewall, thus:

iptables -A FORWARD -p tcp -s 0/0 -d 172.16.2.120 --dport 22 -j DROP

However, this rule is still allowing other PCs on the subnet to connect to the PC. I've also tried the following rules, and even gone to the point of specifying an individual source PC on the subnet, dropping all SSH traffic to the destination PC and changing the FORWARD policy to DROP.

iptables -A FORWARD -p tcp -s 172.16.2.0/24 -d 172.16.2.120 --dport 22 -j DROP
iptables -A FORWARD -p tcp -s 172.16.2.220 -d 172.16.2.120 --dport 22 -j DROP
iptables -A FORWARD -p tcp -d 172.16.2.120 --dport 22 -j DROP
iptables -P FORWARD DROP

Yet I can still contact the destination PC from another PC on the subnet. I've read and read and read till I'm blue in the face, and can't for the life of me figure out why this isn't working.

A As you are SSH-ing between two systems on a local network, you won't route across your firewall for this access. Thus, the packets will never be inspected by the firewall. If you want to block SSH access, you will have to set a firewall up on the SSH server to block traffic itself. Another option if you have a spare NIC is to split the network into two sections and bridge the two using the bridge-utils package in Linux. You will then be able to perform packet filtering on the firewall for traffic that goes between the two LAN segments, even though the packets are not actually routed. Lots of information on this configuration can be found at http://bridge.sf.net.
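Both options from the answer written out as shell, as an added example that is not part of the original Q&A: the first set of rules goes in the INPUT chain of the SSH server itself (every packet addressed to the host traverses INPUT, whether or not a router was involved), the second turns the firewall into a bridge so its FORWARD chain sees the LAN-to-LAN frames. The admin host 172.16.2.220, the second NIC name eth2 and the bridge name br0 are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original answer. Addresses, the admin
# host role of 172.16.2.220 and the NIC/bridge names are assumptions.
LAN_NET="172.16.2.0/24"
SSH_SERVER="172.16.2.120"
ADMIN_HOST="172.16.2.220"   # assumed: the one LAN host still allowed in

# Option 1: rules for the INPUT chain on the SSH server itself.
# Order matters: the established/admin ACCEPTs must precede the DROP,
# because iptables stops at the first matching rule in a chain.
# Rules are printed rather than executed so they can be reviewed
# without root; pipe the output into sh on the server to apply them.
host_ssh_rules() {
    cat <<EOF
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s $ADMIN_HOST --dport 22 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp -s $LAN_NET --dport 22 -j DROP
EOF
}

# Option 2: on the firewall, bridge eth1 and eth2 (assumed names) so the
# LAN is split into two segments, then filter in the FORWARD chain.
# br_netfilter plus the bridge-nf-call-iptables sysctl is what makes
# bridged frames visible to iptables at all; without it the rule never
# matches, which is the same symptom the question describes.
bridge_ssh_rules() {
    cat <<EOF
brctl addbr br0
brctl addif br0 eth1
brctl addif br0 eth2
ip link set br0 up
modprobe br_netfilter
sysctl -w net.bridge.bridge-nf-call-iptables=1
iptables -A FORWARD -m physdev --physdev-is-bridged -p tcp -d $SSH_SERVER --dport 22 -j DROP
EOF
}

# Sanity check usable from a test: does the rule set actually contain a
# DROP for port 22? Argument is the name of one of the functions above.
rules_drop_ssh() {
    "$1" | grep -q -- "--dport 22 -j DROP"
}

case "${1:-}" in
    host)   host_ssh_rules ;;
    bridge) bridge_ssh_rules ;;
    *)      echo "usage: $0 host|bridge" >&2 ;;
esac
```

Run it as `sh script.sh host` on the SSH server or `sh script.sh bridge` on the firewall and review the printed commands before piping them into `sh`.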
