List: netfilter
Subject: Re: How to block ssh on specific ethernet interface
From: Michal Kubeček <mkubecek () suse ! cz>
Date: 2011-10-14 7:33:46
Message-ID: 201110140933.46546.mkubecek () suse ! cz
On Friday 14 of October 2011, Netravali Ganesh wrote:
> Anyone have any idea if there is any internal routing of packets
> happens from eth0 to eth1 when we configure both the interface for
> same subnet IP ?
If a packet with our address as destination (more precisely, a packet
for which a route of type local is selected) arrives on any interface,
it is processed as an incoming packet (and goes to the INPUT chain in the
filter table). It doesn't matter whether the address is set on the
interface which the packet arrived on or on any other interface.
A more interesting question is why the packet arrived at eth0, but to
answer this we would have to know more about the configuration and
network topology.
> > #Use these options to restrict which interfaces/protocols sshd will bind to
> > ListenAddress ::
> > ListenAddress 0.0.0.0
...
> That said, here is a bit of a tangent question: which one is more
> efficient/uses less resources: blocking at the iptables level or past
> it, at the sshd level?
This is similar: the ListenAddress directive only binds the socket to a
certain address so that the socket accepts only packets with this
destination address. But if the address is correct, it doesn't matter
which interface the packet came in on.
> And would both approaches show port 22 on eth1 as closed?
This depends on what exactly is meant by "show as closed".
Michal Kubeček
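As an added example (not part of the thread, and not the poster's own configuration), the interface-level alternative the reply points at: iptables can match the ingress interface with -i, which an address-bound ListenAddress cannot do, and a route of type local can be checked with iproute2. The interface names eth0/eth1 and the availability of the conntrack match are assumptions.

```shell
#!/bin/sh
# Added example: allow SSH only on one ingress interface with iptables.
# Assumes iptables with the conntrack match and iproute2 are installed;
# "eth0" (allowed) and "eth1" (blocked) are assumed interface names.
set -eu

# Emit the INPUT rules that accept new SSH connections only when they
# arrive on $1 and drop SSH arriving on any other interface. The rules
# are printed, not executed, so they can be reviewed before applying.
ssh_rules_for() {
    allow_if="$1"
    # Packets belonging to connections already accepted keep working.
    echo "iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # New SSH connections are accepted only from the allowed interface.
    echo "iptables -A INPUT -i $allow_if -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    # Everything else to port 22, whatever the interface, is dropped.
    # DROP makes the port appear filtered to a scanner; use
    # "-j REJECT --reject-with tcp-reset" instead if it should look closed.
    echo "iptables -A INPUT -p tcp --dport 22 -j DROP"
}

# Number of rules produced, as a sanity check before applying them.
ssh_rule_count() {
    ssh_rules_for "$1" | wc -l | tr -d ' '
}

# True when the kernel selects a route of type local for $1, i.e. a
# packet to that address is treated as incoming on whichever interface
# it arrives (the point made in the reply above). Needs iproute2.
is_local_addr() {
    ip -o route get "$1" 2>/dev/null | grep -q '^local '
}

# Apply for real only when explicitly asked (requires root); otherwise
# just print the rules for the given (or default) allowed interface.
if [ "${1:-}" = "--apply" ]; then
    ssh_rules_for "${2:-eth0}" | sh
else
    ssh_rules_for "${2:-eth0}"
fi
```

Run it with `--apply eth0` as root to install the rules; without `--apply` it only prints them.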