I've just fixed this (e-smith 5.1.2, so not completely the same) by making a custom template for 45AllowSSH. I copied the file 45AllowSSH from /etc/e-smith/templates/etc/rc.d/init.d/masq to /etc/e-smith/templates-custom/etc/rc.d/init.d/masq and changed the following:
{
    local %services = ( sshd => $sshd );
    # db_get_prop expects a reference to the hash
    my $status = db_get_prop(\%services, 'sshd', 'status') || "disabled";
    my $access = db_get_prop(\%services, 'sshd', 'access') || "private";
    if ( ($status eq 'enabled') and ($access eq 'public') )
    {
        # Quoted heredoc: $OUTERNET is left for the generated shell script to expand
        $OUT .= <<'HERE';
# original line accepts all addresses
# /sbin/ipchains --append input -p tcp -s 0/0 -d $OUTERNET 22 -j ACCEPT
#
# Allow only access from:
# local network 192.168.0.0/255.255.255.0
# 123.234.123.234 / 123.234.123.235
# 124.15. and 125.16. with subnet 255.255.0.0
/sbin/ipchains --append input -p tcp -s 192.168.0.0/255.255.255.0 -d $OUTERNET 22 -j ACCEPT
/sbin/ipchains --append input -p tcp -s 123.234.123.234/255.255.255.255 -d $OUTERNET 22 -j ACCEPT
/sbin/ipchains --append input -p tcp -s 123.234.123.235/255.255.255.255 -d $OUTERNET 22 -j ACCEPT
/sbin/ipchains --append input -p tcp -s 124.15.0.0/255.255.0.0 -d $OUTERNET 22 -j ACCEPT
/sbin/ipchains --append input -p tcp -s 125.16.0.0/255.255.0.0 -d $OUTERNET 22 -j ACCEPT
/sbin/ipchains --append output ! -y -p tcp -d 0/0 -s $OUTERNET 22 -j ACCEPT
HERE
    }
}
Of course, your script is not exactly the same, but the idea should be clear. The firewall keeps all communication from 'wrong' IP addresses away.
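A check for the result of a change like the one above, as an added example that is not part of the original post: it reads ipchains rule lines (for instance the text of the expanded masq script) and reports which sources may reach TCP port 22 on the input chain. The function name `audit_ssh_rules` and the sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit ipchains rule lines for
# input rules that accept port 22. Reads the files given as arguments, or stdin.
# Prints "ALLOW <source>" for each restricted rule and "OPEN <source>" for a
# rule that accepts from any address; exit status is 1 if any OPEN rule exists.
# Only a literal port 22 or a rule without a port is matched; ranges are not parsed.
audit_ssh_rules() {
    awk '
    /^[ \t]*#/ { next }                      # commented-out rules do not count
    {
        chain = ""; src = ""; port = ""; target = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "--append" || $i == "-A") chain = $(i + 1)
            else if ($i == "-s") src = $(i + 1)
            else if ($i == "-d") port = $(i + 2)   # "-d address [port]"
            else if ($i == "-j") target = $(i + 1)
        }
        if (chain != "input" || target != "ACCEPT") next
        # No port after the destination means the rule covers every port.
        if (port != "22" && port != "" && port !~ /^-/) next
        if (src == "" || src ~ /\/0$/ || src ~ /\/0\.0\.0\.0$/) {
            print "OPEN " (src == "" ? "any" : src); wide = 1
        } else {
            print "ALLOW " src
        }
    }
    END { exit (wide ? 1 : 0) }
    ' "$@"
}

# Constructed sample: the stock rule next to one restricted rule from the post.
audit_ssh_rules <<'EOF' || echo "port 22 is still open to any source"
/sbin/ipchains --append input -p tcp -s 0/0 -d $OUTERNET 22 -j ACCEPT
/sbin/ipchains --append input -p tcp -s 192.168.0.0/255.255.255.0 -d $OUTERNET 22 -j ACCEPT
EOF
```

A non-zero exit status means at least one uncommented input rule still accepts port 22 from every address, so the override did not replace the stock fragment.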