Host protection in the past was typically performed with application layer checks on the originating IP address or hostname. This was (and still is) frequently accomplished with libwrap (TCP Wrappers), which decides whether to allow a connection based on the contents of the system-wide configuration files /etc/hosts.allow and /etc/hosts.deny.
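The libwrap decision described above, as an added example that is not code from the guide or from libwrap itself: the Python below re-implements the lookup order documented in hosts_access(5) over two constructed rule files (the daemon names, the 10.0.0.5 and 203.0.113.x addresses, and the example.com hostnames are assumptions for illustration). The point to notice is the last return in hosts_access(): when neither file matches, libwrap grants access, so a host with no "ALL : ALL" line in /etc/hosts.deny accepts every client it does not explicitly list.

```python
"""Simplified TCP Wrappers (libwrap) access decision.

Added example, not code from the guide or from libwrap: it re-implements the
rule order in hosts_access(5) -- /etc/hosts.allow is consulted first, then
/etc/hosts.deny, and the connection is permitted if neither file matches --
over two constructed rule files embedded below.  It covers the common
patterns (ALL, LOCAL, exact address or name, 'net/mask', 'net/prefixlen',
leading '.domain', trailing '131.155.' prefixes and EXCEPT) but not
daemon@host forms, shell commands, IPv6 or reverse-DNS checks.
"""
import ipaddress

# Constructed sample rule files (assumed content, not taken from any real host).
HOSTS_ALLOW = """\
# ssh from the management network and from one admin workstation
sshd : 192.168.99.0/255.255.255.0, 10.0.0.5
# finger only from unqualified (local) host names
in.fingerd : LOCAL
# everything from the ops domain except one quarantined host
ALL : .ops.example.com EXCEPT badhost.ops.example.com
"""

HOSTS_DENY = """\
# deny whatever hosts.allow did not grant
ALL : ALL
"""


def _split_list(field):
    """Split a daemon or client list into (included, excluded) patterns."""
    tokens = field.replace(",", " ").split()
    if "EXCEPT" in tokens:                      # one level of EXCEPT is enough here
        i = tokens.index("EXCEPT")
        return tokens[:i], tokens[i + 1:]
    return tokens, []


def parse_rules(text):
    """Parse 'daemon_list : client_list' lines; comments and blanks are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")                # IPv4 only: ':' is the field separator
        if len(fields) < 2:
            continue
        rules.append((_split_list(fields[0]), _split_list(fields[1])))
    return rules


def _client_matches(pattern, addr, hostname):
    """Match one client pattern against the peer address and its (optional) name."""
    name = hostname.lower() if hostname else None
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                      # any host name without a dot
        return name is not None and "." not in name
    if pattern.startswith("."):                 # '.example.com' matches a name suffix
        return name is not None and name.endswith(pattern.lower())
    if pattern.endswith("."):                   # '131.155.' matches an address prefix
        return addr.startswith(pattern)
    if "/" in pattern:                          # 'net/mask' or 'net/prefixlen'
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return pattern == addr or (name is not None and pattern.lower() == name)


def _list_matches(lst, matcher):
    """A list matches when an included pattern matches and no excluded one does."""
    included, excluded = lst
    if not any(matcher(p) for p in included):
        return False
    return not any(matcher(p) for p in excluded)


def hosts_access(daemon, addr, hostname=None, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Return True if libwrap would accept the connection, False if it would refuse."""
    def matches(rule):
        daemons, clients = rule
        return (_list_matches(daemons, lambda p: p == "ALL" or p == daemon)
                and _list_matches(clients, lambda p: _client_matches(p, addr, hostname)))

    if any(matches(r) for r in parse_rules(allow)):
        return True                             # hosts.allow wins; hosts.deny is never read
    if any(matches(r) for r in parse_rules(deny)):
        return False
    return True                                 # no match in either file: access granted


if __name__ == "__main__":
    for daemon, addr, name in [("sshd", "192.168.99.35", "tristan"),
                               ("sshd", "203.0.113.7", None),
                               ("in.fingerd", "192.168.99.35", "tristan.example.com"),
                               ("telnetd", "203.0.113.8", "badhost.ops.example.com")]:
        verdict = "allow" if hosts_access(daemon, addr, name) else "deny"
        print(f"{daemon:<11} {addr:<15} {name or '-':<24} {verdict}")
```

The model is deliberately narrow: real libwrap also resolves and cross-checks the client's name (the PARANOID wildcard), honours daemon@host patterns and runs the optional shell command field, none of which matter for the rule-order point above. Passing deny="" to hosts_access() shows the failure mode directly: with an empty /etc/hosts.deny every unlisted client is let through.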
Packet filtering is a second layer of host protection: it discards or rejects inbound packets before they reach the application. It is no substitute for tight application layer security, but strong network and host-level packet filters reduce a host's exposure whenever it is connected to a network.
Example 7.1. Blocking a destination and using the REJECT target, cf. Example D.17, “Adding a prohibit route with route add”
[root@masq-gw]# iptables -I FORWARD -p tcp -d 209.10.26.51 --dport 22 -j REJECT
[root@tristan]# ssh 209.10.26.51
ssh: connect to address 209.10.26.51 port 22: Connection refused
[root@masq-gw]# tcpdump -nnq -i eth2
tcpdump: listening on eth2
22:16:59.111947 192.168.99.35.51991 > 209.10.26.51.22: tcp 0 (DF)
22:16:59.112270 192.168.99.254 > 192.168.99.35: icmp: 209.10.26.51 tcp port 22 unreachable (DF) [tos 0xc0]

The tcpdump capture shows what REJECT does with tristan's SYN: masq-gw discards it and answers with an ICMP port unreachable, the default REJECT response for TCP, which tristan's ssh reports as "Connection refused". A DROP target would discard the packet silently and leave the client waiting for a timeout instead; to answer with a TCP RST rather than an ICMP error, add --reject-with tcp-reset to the rule.
tcpdump: listening on eth2 22:16:59.111947 192.168.99.35.51991 > 209.10.26.51.22: tcp 0 (DF) 22:16:59.112270 192.168.99.254 > 192.168.99.35: icmp: 209.10.26.51 tcp port 22 unreachable (DF) [tos 0xc0]