I wanted to block all traffic on port 22 except for a few hosts that I use.
I was tired of seeing lots of stupid worm attack traffic on my EC2 host:

Jun 9 19:02:45 ip-172-30-4-108 sshd[5004]: Invalid user cisco from 218.85.133.73
Jun 9 19:02:45 ip-172-30-4-108 sshd[5004]: input_userauth_request: invalid user cisco [preauth]
Jun 9 19:02:46 ip-172-30-4-108 sshd[5004]: Connection closed by 218.85.133.73 port 9224 [preauth]
Yes, I could use security groups, but then I’d have to use security groups.
iptables ! -s with a comma-separated list of more than one address fails:
iptables v1.6.0: ! not allowed with multiple source or destination IP addresses
The alternative is to use ipset. It's not hard!

ipset create ssh-ok hash:ip
ipset add ssh-ok mine.example.com        # hostnames are resolved once, at add time, not on every packet
ipset list # is this thing working, just checking.
ipset add ssh-ok myfriend.example.com
ipset add ssh-ok mywork.example.com
ipset list # still working, ok looks good.
# -A appends to INPUT, so this only works if no earlier rule already ACCEPTs port 22;
# use -I to insert at the top if there is one. The set and rule do not survive a reboot
# unless you save them (ipset save / iptables-save) and restore them at boot.
iptables -A INPUT -m set ! --match-set ssh-ok src -p tcp --dport 22 -j DROP
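The same setup as a re-runnable script, added here as an example and not part of the original post. The set name, the allowed hostnames and the APPLY/DRYRUN switch are assumptions; it uses ipset's -exist option and iptables -C so running it twice does not duplicate the set, its entries or the DROP rule, and it inserts the rule at the top of INPUT so an earlier ACCEPT for port 22 cannot bypass it.

```shell
#!/bin/sh
# Added example, not from the original post: idempotent ipset + iptables
# allowlist for port 22. Set name and hostnames are assumptions.
set -eu

SET_NAME="ssh-ok"
# Constructed list of allowed hosts. ipset resolves names when they are
# added, so a host whose address changes must be re-added.
ALLOWED_HOSTS="mine.example.com myfriend.example.com mywork.example.com"

# Dry-run by default (prints the commands); APPLY=1 changes the firewall.
if [ "${APPLY:-0}" = "1" ]; then DRYRUN=0; else DRYRUN=1; fi

# run: execute a command, or just print it in dry-run mode so the script
# can be reviewed on a box without root or ipset installed.
run() {
    if [ "$DRYRUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# rule_present: succeeds if the DROP rule is already in INPUT.
# Always "absent" in dry-run mode, since iptables -C needs root.
rule_present() {
    [ "$DRYRUN" = "1" ] && return 1
    iptables -C INPUT -m set ! --match-set "$SET_NAME" src \
        -p tcp --dport 22 -j DROP 2>/dev/null
}

setup_ssh_allowlist() {
    # -exist turns create/add into no-ops when the set or entry exists.
    run ipset -exist create "$SET_NAME" hash:ip
    for h in $ALLOWED_HOSTS; do
        run ipset -exist add "$SET_NAME" "$h"
    done
    # -I inserts at the head of INPUT, ahead of any blanket ACCEPT for 22.
    if ! rule_present; then
        run iptables -I INPUT -m set ! --match-set "$SET_NAME" src \
            -p tcp --dport 22 -j DROP
    fi
}

setup_ssh_allowlist
```

Run it once with no arguments to see what it would do, then with APPLY=1 as root. Persisting the set across reboots is distro-specific (ipset save to a file restored before iptables-restore runs), so check how your image handles that before relying on it.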
Thanks for the help:
http://daemonkeeper.net/781/mass-blocking-ip-addresses-with-ipset/
http://unix.stackexchange.com/questions/70917/iptables-multiple-exclusions-on-port-forwarding