linux
Svav, 2016-02-06 13:29:15

How to block port 22 using iptables for eth1?

There are two network interfaces, eth0 and eth1. fail2ban is installed.
I add iptables -A INPUT -i eth1 -p tcp --dport 22 -j DROP
and nothing happens.
# iptables -L -n -v
Chain INPUT (policy ACCEPT 7 packets, 536 bytes)
 pkts bytes target        prot opt in     out     source               destination
 3949  391K fail2ban-ssh  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
    0     0 DROP          tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target        prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 5 packets, 760 bytes)
 pkts bytes target        prot opt in     out     source               destination

Chain fail2ban-ssh (1 references)
 pkts bytes target        prot opt in     out     source               destination
   27  1236 REJECT        all  --  *      *       49.117.147.92        0.0.0.0/0            reject-with icmp-port-unreachable
   14   916 REJECT        all  --  *      *       222.73.119.253       0.0.0.0/0            reject-with icmp-port-unreachable
   19  1420 REJECT        all  --  *      *       119.146.221.68       0.0.0.0/0            reject-with icmp-port-unreachable
   46  3328 REJECT        all  --  *      *       23.101.134.88        0.0.0.0/0            reject-with icmp-port-unreachable
   57  3828 REJECT        all  --  *      *       52.28.207.152        0.0.0.0/0            reject-with icmp-port-unreachable
   82  5752 REJECT        all  --  *      *       183.3.202.106        0.0.0.0/0            reject-with icmp-port-unreachable
   51  3480 REJECT        all  --  *      *       208.67.1.2           0.0.0.0/0            reject-with icmp-port-unreachable
   21  2400 REJECT        all  --  *      *       104.40.21.211        0.0.0.0/0            reject-with icmp-port-unreachable
  132  6592 REJECT        all  --  *      *       162.255.86.117       0.0.0.0/0            reject-with icmp-port-unreachable
   18  1496 REJECT        all  --  *      *       218.87.109.253       0.0.0.0/0            reject-with icmp-port-unreachable
   18  2024 REJECT        all  --  *      *       115.231.9.148        0.0.0.0/0            reject-with icmp-port-unreachable
   27  2028 REJECT        all  --  *      *       52.34.171.0          0.0.0.0/0            reject-with icmp-port-unreachable
 3278  345K RETURN        all  --  *      *       0.0.0.0/0            0.0.0.0/0

2 answers
Mikhail Konyukhov, 2016-02-06
@piromanlynx

# iptables -I INPUT -i eth1 -p tcp -d ip.to.eth.1 --dport 22 -j DROP

Vladimir, 2016-02-06
@rostel

Most likely it arrives on another interface.
Everything that goes past the fail2ban chain ends up in syslog according to the rule there;
look there to see which interface it came in on.
In general you need to look at all the rules, because the nat table can direct the packet so that it never reaches the INPUT filter at all.
And do not forget about IPv6.

iptables-save -c
ip6tables-save -c
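A diagnostic along the lines of Vladimir's advice, added here as an example (it is not from either answer and not part of fail2ban or iptables): it parses `iptables-save -c` output, reports for every INPUT rule matching port 22 the interface it is bound to and its packet counter, and then says whether eth1 is actually seeing that traffic. The dump below is a constructed sample built from the counters in the question (byte counts rounded); the function names are my own.

```shell
#!/bin/sh
# Added example: read iptables-save -c counters to find out which interface
# port-22 traffic really arrives on. Input comes in on stdin, so it works on a
# saved dump offline; on a live host run:  iptables-save -c | ssh_rule_counters

# Constructed sample mirroring the question's `iptables -L -n -v` output.
SAMPLE_SAVE='# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [7:536]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5:760]
:fail2ban-ssh - [0:0]
[3949:391000] -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
[0:0] -A INPUT -i eth1 -p tcp -m tcp --dport 22 -j DROP
[27:1236] -A fail2ban-ssh -s 49.117.147.92/32 -j REJECT --reject-with icmp-port-unreachable
[3278:345000] -A fail2ban-ssh -j RETURN
COMMIT'

# Print "iface target pkts bytes" for each filter/INPUT rule whose --dport or
# multiport --dports list contains the given port (default 22).
# Rules without -i are reported as "any"; port ranges (22:23) are not handled.
ssh_rule_counters() {
    awk -v port="${1:-22}" '
        /^\*/ { table = substr($0, 2); next }
        table == "filter" && $1 ~ /^\[[0-9]+:[0-9]+\]$/ {
            chain = ""; iface = "any"; dports = ""; target = "none"
            for (i = 2; i <= NF; i++) {
                if ($i == "-A") chain = $(i + 1)
                else if ($i == "-i") iface = $(i + 1)
                else if ($i == "--dport" || $i == "--dports") dports = $(i + 1)
                else if ($i == "-j") target = $(i + 1)
            }
            if (chain != "INPUT" || dports == "") next
            if (dports !~ ("(^|,)" port "(,|$)")) next
            # strip the [ ] and split "pkts:bytes"
            split(substr($1, 2, length($1) - 2), c, ":")
            printf "%s %s %s %s\n", iface, target, c[1], c[2]
        }
    '
}

# Read ssh_rule_counters output on stdin and say whether interface $1 is the
# one carrying the port-22 traffic.
ssh_iface_verdict() {
    awk -v want="$1" '
        $1 == want  { bound += $3 }
        $1 == "any" { unbound += $3 }
        END {
            if (bound > 0) print "port-22 traffic is being seen on " want
            else if (unbound > 0) print "port-22 traffic is arriving, but not via " want
            else print "no port-22 traffic counted at all (check nat/PREROUTING and ip6tables)"
        }
    '
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_SAVE" | ssh_rule_counters
printf '%s\n' "$SAMPLE_SAVE" | ssh_rule_counters | ssh_iface_verdict eth1

# On the live host (as root) you can then pin the interface down with
# count-only rules at the top of INPUT (no -j, so they drop nothing):
#   iptables -I INPUT 1 -i eth0 -p tcp --dport 22
#   iptables -I INPUT 2 -i eth1 -p tcp --dport 22
# and re-run:  iptables-save -c | ssh_rule_counters
```

On the question's counters this reports that the only rule that has seen packets (3949 into fail2ban-ssh) is not bound to any interface, while the eth1-bound DROP has seen none, so the SSH sessions are entering on the other interface rather than being let through by a broken rule.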
