572
edits
Changes
m
→Creating Customized Chains
# '''Stop libvirtd''' and '''restart iptables''' so that you have only the minimal default rules.
# Make a backup of the original default rules: <source>cp /etc/sysconfig/iptables /etc/sysconfig/iptables.original</source>
# Use the '''ifconfig ''' or '''ip address ''' command to determine the IP ADDRESS of your external facing address [ens33] (i.e. IP address beginning with '''192.168.40.x''' if you are using an SSD).# Open a terminal on the Windows machine and '''ping''' your external facing IP addressof your Linux host (ens33). Was it successful? (it should have worked)
# Change the '''default policy''' on the '''INPUT''' and '''FORWARD''' chains in the filter table to '''DROP'''.
# Remove the rules from the '''INPUT''' and '''FORWARD''' chains (if any) that are '''rejecting''' all traffic (we are now better protected by the ''default policy'').<br><br>We will now create a new chain in order to create rules just relating to the '''ssh''' service:<br><br>
#* '''Note:''' Use '''--jump''' or '''-j''' (<u>not</u> -g or --goto) to move to a target.
# Add a rule to your '''MYSSH''' chain to accept all traffic on your virtual interface from '''192.168.X.0/24''' (i.e. your internal network).
# Add a rule to the '''beginning of your MYSSH chain''' that allows traffic from the IP address of your main host (probably Windowsor Mac) machine.
# Add a rule to the '''end of the MYSSH chain''' to drop all remaining '''ssh''' connections, but to log these denied packets with log level 'info' and log prefix "DENIED BY MYSSH" before doing so.
#Remove the rule in your '''INPUT''' chain that was allowing all '''ssh''' traffic.
# Make a new chain named '''MYICMP'''.
# Insert a rule to the '''beginning of the INPUT chain''' to send '''ICMP''' packets to your '''MYICMP''' chain.
# Find the '''IP ADDRESS''' and '''MAC address''' of your Windows machine's '''internal facing interface''' (should be an internal address beginning with '''192.168.40.x''') .
# Add a rule to your '''MYICMP''' chain that allows '''ICMP''' packets coming in from '''192.168.X.0/24''' (i.e. your internal network).
# Insert a rule to the '''beginning of your MYICMP chain''' that denies '''ICMP pings''' originating with MAC address of your main host (probably Windows) machine.
