Only allow domain name in SSH/SIP w/ IPTables: Possible?

Let's say I have something like this:
-A INPUT -i eth0 -p udp -m multiport --dports 22,5060 -m string --string "myname.com" --algo bm -j ACCEPT
Here's an example: so for SSH, mine's going to be firstname@myname.com and for SIP, mine's going to be initials@myname.com.
Will SSH be able to capture a domain name? I do know that SIP does, but I thought I might ask. If only I could test it outside my network through eth0 as my internal network is in eth1 and external (Internet side) is eth0.
-- Current Soft Phone (temp): Ekiga (ordered Yealink T22P to switch from Ekiga) Phone System: Asterisk 1.8; Server: Ubuntu Server 10.04 with Windows Server 2008 R2 Standard as guest
Hi,
SSH is encrypted and the key-exchange happens prior to your passing of the username. Thus the string matching technique will not work for SSH. SSH also is over TCP 22, not UDP 22.
SIP should be plain-text and this rule should work; however, with UDP being stateless you'll also need to permit -m state --state related,established somewhere in your firewall/rule table/chain.
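Why the answer above holds, as an added example that is not part of the thread: the script below emulates the substring search that iptables' `-m string --algo bm` performs on each packet, run over constructed SIP and SSH payloads (the addresses, tags, Call-ID and the outsider's packet are made up for the example). It also shows what `firstname@myname.com` means to SSH: the client resolves the host part itself to pick a destination address, and the username travels in SSH_MSG_USERAUTH_REQUEST after the key exchange, inside the encrypted session, so there is no domain string on the wire for a rule to find.

```python
"""Emulate iptables' `-m string` on constructed SIP and SSH payloads.

Added example for this thread, not the original poster's rule set.  The
iptables string match is a plain substring search over the packet payload
(Boyer-Moore when --algo bm); it has no notion of protocol fields.  Every
packet, address and tag below is constructed for the example.
"""
import re
from typing import Dict, Optional

DOMAIN = "myname.com"  # the string the poster's rule searches for

# Constructed SIP REGISTER as a soft phone would send it to UDP/5060.
SIP_REGISTER = (
    "REGISTER sip:myname.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.7:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:ab@myname.com>;tag=1928301774\r\n"
    "To: <sip:ab@myname.com>\r\n"
    "Call-ID: a84b4c76e66710@203.0.113.7\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:ab@203.0.113.7:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
).encode()

# Constructed REGISTER from an outsider whose only link to the domain is a
# free-form header: the string match accepts it just the same.
SIP_STRANGER = (
    "REGISTER sip:203.0.113.9 SIP/2.0\r\n"
    "From: <sip:mallory@evil.example>;tag=42\r\n"
    "To: <sip:mallory@evil.example>\r\n"
    "X-Note: myname.com\r\n"
    "Content-Length: 0\r\n\r\n"
).encode()

# The only thing an SSH client sends in the clear is its version banner; the
# key exchange follows and everything after it is encrypted.
SSH_BANNER = b"SSH-2.0-OpenSSH_5.3\r\n"


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data


def ssh_userauth_request(user: str, method: str = "none") -> bytes:
    """SSH_MSG_USERAUTH_REQUEST (RFC 4252 section 5) before encryption:
    message type 50, user name, service name, method name.  The host part
    of `ssh firstname@myname.com` is resolved by the client to choose where
    to connect; the protocol itself never carries the host name."""
    return (bytes([50]) + ssh_string(user.encode()) +
            ssh_string(b"ssh-connection") + ssh_string(method.encode()))


def iptables_string_match(payload: bytes, needle: str) -> bool:
    """What `-m string --string NEEDLE --algo bm` decides for one packet."""
    return needle.encode() in payload


def sip_from_domain(payload: bytes) -> Optional[str]:
    """Domain in the From: URI, i.e. the field an identity check would
    actually have to parse.  Even this is only a claim by the sender; the
    real check is the SIP digest authentication done by Asterisk."""
    m = re.search(rb"^From:.*?<sip:[^@>]+@([^;:>]+)", payload, re.M)
    return m.group(1).decode() if m else None


def verdicts() -> Dict[str, bool]:
    """Run the rule's check over each constructed packet."""
    return {
        "sip_legit": iptables_string_match(SIP_REGISTER, DOMAIN),
        "sip_stranger": iptables_string_match(SIP_STRANGER, DOMAIN),
        "ssh_banner": iptables_string_match(SSH_BANNER, DOMAIN),
        # Even the unencrypted form of the login request lacks the domain.
        "ssh_userauth": iptables_string_match(
            ssh_userauth_request("firstname"), DOMAIN),
    }


if __name__ == "__main__":
    for name, hit in verdicts().items():
        print(f"{name:14s} {'ACCEPT' if hit else 'no match'}")
    print("From domains:", sip_from_domain(SIP_REGISTER),
          sip_from_domain(SIP_STRANGER))
```

The two SIP results are the practical caveat: the string match accepts the outsider's packet as readily as the legitimate one, so the rule filters by packet content, not by who is registering. Treat it at most as noise reduction in front of Asterisk's own SIP authentication, keep SSH on `-p tcp --dport 22` with its own rule, and add the `-m state --state RELATED,ESTABLISHED` rule the answer names so the UDP replies are not dropped.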
OOPS!!! Yeah, I forgot about SSH being TCP. My bad.
Thanks for the info about SSH. I know it's encrypted, but I thought it'd be possible to only permit SSH communication via a domain name. Oh, well.
It seems only allowing domain names (regardless of usernames) didn't work, so I'll have to go by usernames instead. I don't think that'll be a big deal at all.