[prev in list] [next in list] [prev in thread] [next in thread] 

List:       netfilter
Subject:    Re: How to block ssh on specific ethernet interface
From:       Michal =?iso-8859-2?q?Kube=E8ek?= <mkubecek () suse ! cz>
Date:       2011-10-14 7:33:46
Message-ID: 201110140933.46546.mkubecek () suse ! cz
[Download RAW message or body]

On Friday 14 of October 2011, Netravali Ganesh wrote:
> Anyone have any idea if there is any internal routing of packets
> happens from eth0 to eth1 when we configure both the interface for
> same subnet IP ?

If a packet with our address as destination (more precisely, a packet 
for which a route with type local is selected) arrives on any interface, 
it is processed as incoming packet (and goes to INPUT chain in filter 
table). It doesn't matter whether the address is set on the interface 
which the packet arrived on or to any other interface.

More interesting question is why did the packet arrive at eth0 but to 
answer this we would have to know more about the configuration and 
network topology.

> > #Use these options to restrict which interfaces/protocols sshd will
> > bind to ListenAddress ::
> > ListenAddress 0.0.0.0
...
> That said, here is a bit of a tangent question: which one is more
> efficient/uses less resources: blocking at the iptables lever or past
> it, at the sshd level?

This is similar: ListenAddress directive only binds the socket to 
certain address so that the socket accepts only packets with this 
destination address. But if the address is correct, it doesn't matter on 
which interface the packet came.

> And would both approaches show port 22 on eth1 as closed?

This depends on what exactly is meant by "show as closed".

                                                         Michal Kubeček

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[prev in list] [next in list] [prev in thread] [next in thread]