
BLU Discuss list archive



break-in attempts on my server



Kent Borg wrote:

> On Sun, Nov 20, 2005 at 06:54:44PM -0500, David Kramer wrote:
>
>> That's a lot more iptables-fu than I have right now, and I
>> absolutely refuse to install iptables rules I don't understand just
>> because "I found them on the internets".
>
> Dang.  I keep trying to get someone to install/figure out those
> iptables rules before I do, and no one I know will bite.
>
>> I will attempt to understand them, though.  Thanks.
>
> Let us know if you do.
>
> -kb

Here's my policy:

iptables -A INPUT -s 172.19.213.0/24 -p tcp --dport 22 -j ACCEPT

The input default is DENY: this rule allows only traffic from my 
internal network.

N.B.:

1. It's easy to write the rule to cover a range of IPs, and you'll be
   amazed at how few ranges you'll need to cover your likely access
   points and/or your friends, even if they use dialup.

2. As others have said, it's better to use key-based authentication than
   to use passwords. You KNOW they can't guess your key.

3. I prefer to block all RIPE and APNIC IP addresses; it simplifies the
   process a lot and I don't expect to log in from those regions anytime
   soon.

Bill

-- 
E. William Horne
William Warren Consulting
Computer and Network Installation & Service
http://www.billhorne.com/
Voice:	781 784-7287
Fax:	781 784-0951
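The policy in Bill's message (chain default deny, one ACCEPT for TCP/22 from the internal range, and optionally a few more ranges or an outright region block) can be checked without touching a live firewall. The script below is an added example, not code from the original post or from BLU: it renders such a chain as the iptables commands that would install it and dry-runs packets through it with first-match semantics. 172.19.213.0/24 is the internal network from the post; 198.51.100.0/24 and 203.0.113.0/24 are RFC 5737 documentation addresses used as constructed stand-ins for "a friend's ISP range" and "a region I block", and `-P INPUT DROP` is the iptables spelling of the "default DENY" he describes.

```python
"""Dry-run a default-deny iptables INPUT chain that admits SSH only from
listed source ranges.  Added example, not code from the original post.
172.19.213.0/24 is the internal network the post names; every other
address below is a constructed RFC 5737 documentation address standing
in for a real network."""
import ipaddress
from typing import List, NamedTuple, Optional


class Rule(NamedTuple):
    """One INPUT-chain rule.  A field left as None matches anything."""
    target: str                    # "ACCEPT" or "DROP"
    src: Optional[str] = None      # source CIDR (-s)
    proto: Optional[str] = None    # "tcp" or "udp" (-p)
    dport: Optional[int] = None    # destination port (--dport)
    state: Optional[str] = None    # conntrack states, e.g. "ESTABLISHED,RELATED"
    iface: Optional[str] = None    # input interface (-i)

    def to_iptables(self) -> str:
        """Render this rule as the iptables command that installs it."""
        parts = ["iptables -A INPUT"]
        if self.iface:
            parts.append(f"-i {self.iface}")
        if self.src:
            parts.append(f"-s {self.src}")
        if self.proto:
            parts.append(f"-p {self.proto}")
        if self.dport is not None:
            parts.append(f"--dport {self.dport}")
        if self.state:
            parts.append(f"-m conntrack --ctstate {self.state}")
        parts.append(f"-j {self.target}")
        return " ".join(parts)


class Packet(NamedTuple):
    """The header fields the chain inspects for an inbound packet."""
    src: str
    proto: str
    dport: int
    state: str = "NEW"       # conntrack state of the connection
    iface: str = "eth0"


INTERNAL_NET = "172.19.213.0/24"   # from the post
FRIEND_NET = "198.51.100.0/24"     # constructed: stands in for a friend's ISP block
BLOCKED_REGION = "203.0.113.0/24"  # constructed: stands in for a region blocked outright

POLICY: List[Rule] = [
    Rule("ACCEPT", iface="lo"),                               # loopback
    Rule("ACCEPT", state="ESTABLISHED,RELATED"),              # replies to our own connections
    Rule("DROP", src=BLOCKED_REGION),                         # blocklists go before any ACCEPT
    Rule("ACCEPT", src=INTERNAL_NET, proto="tcp", dport=22),  # the rule from the post
    Rule("ACCEPT", src=FRIEND_NET, proto="tcp", dport=22),    # one more range, same shape
]
DEFAULT_POLICY = "DROP"   # iptables spelling of "default deny"


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if every constraint the rule sets is satisfied by the packet."""
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.state is not None and pkt.state not in rule.state.split(","):
        return False
    return True


def verdict(pkt: Packet, rules: List[Rule] = POLICY, policy: str = DEFAULT_POLICY) -> str:
    """Walk the chain top to bottom; the first matching rule decides, and a
    packet that matches nothing gets the chain policy, as iptables does."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.target
    return policy


def render(rules: List[Rule] = POLICY, policy: str = DEFAULT_POLICY) -> List[str]:
    """The shell commands that install the chain, policy first."""
    return [f"iptables -P INPUT {policy}"] + [r.to_iptables() for r in rules]


if __name__ == "__main__":
    for line in render():
        print(line)
    for pkt in (Packet("172.19.213.10", "tcp", 22),        # internal host to sshd
                Packet("172.19.213.10", "tcp", 80),        # internal host to an unlisted port
                Packet("198.51.100.7", "tcp", 22),         # friend's range to sshd
                Packet("203.0.113.5", "tcp", 22),          # blocked region to sshd
                Packet("192.0.2.9", "tcp", 22),            # anywhere else to sshd
                Packet("192.0.2.9", "tcp", 40000, state="ESTABLISHED")):  # reply traffic
        print(f"{pkt.src:>15} -> {pkt.proto}/{pkt.dport} ({pkt.state}): {verdict(pkt)}")
```

Two things the dry run makes visible that the one-liner in the post does not: an internal host hitting any port other than 22 still falls through to the DROP policy (the rule is per-port, not per-network), and the ESTABLISHED,RELATED rule is what keeps the box's own outbound connections working once the policy is DROP. If you install this on a remote box, run the `-P INPUT DROP` line last, not first, or you will cut off the SSH session you are typing it into.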