Noam Meltzer wrote:

Hi,
I was wondering if anyone knows if iptables has the ability to implement "application intelligence"?

The short answer is "no".

A slightly longer answer is that, if you have proxy software that can act as a transparent proxy, you can direct all traffic to it using IPTables. This is, essentially, what firewalls that do have application knowledge usually do anyway.

My specific interest is to implement something like this:
I have a host, connected to the internet, and it runs iptables, and ssh's TCP port is the only one open.
Now, I want that instead of opening this port, every communication to that port will be dropped, unless the computer which tries to connect to it tries to connect with a specific user.

First of all, what you just said makes no sense. SSH will pass somewhere around 8 or 10 TCP packets around before the username is sent. You cannot drop the traffic until these packets have been sent, because before that NO ONE knows who the user is.


Check Point has a mechanism by which they identify the user by external means. This allows exactly what you are looking for, assuming you are willing to install additional (typically Windows) software on the machine you connect from, or contact another port and identify yourself first.


example: the user "haim" is allowed to my machine, and others aren't.

doing:
remote-machine> ssh [EMAIL PROTECTED]
will be dropped by iptables.
doing:
remote-machine> ssh [EMAIL PROTECTED]
will be allowed by iptables.

Here you have another problem. SSH is an encrypted protocol. IPTables has no way of knowing WHAT the username passed was. I'm afraid you will have to play around with SSH's config in order to achieve this goal.


Thanks,
Noam Meltzer

Shachar

--
Shachar Shemesh
Lingnu Open Source Consulting
http://www.lingnu.com/
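Added example for this thread (not code from either poster): it puts together the two pieces Shachar points at, the iptables side (port 22 open to everyone, a REDIRECT to a transparent proxy for the "application intelligence" case) and the sshd_config side, where the per-user decision actually has to be made. The script only prints the iptables rules; it also carries a small evaluator that mirrors sshd's AllowUsers/DenyUsers ordering so the policy can be checked before it goes live. The proxy port 3128, the users "admin" and "noam", and the client addresses are assumptions made up for the example; "haim" is the user from the thread.

```sh
#!/bin/sh
# Added example, not from the original thread.
# Part 1: iptables rules (printed only; review, then pipe to sh as root).
# Part 2: an sshd_config fragment plus an offline evaluator of its
#         AllowUsers/DenyUsers semantics.
set -f   # no pathname expansion: the patterns below must stay literal

# Port 3128 is an assumption (Squid's default); point it at your proxy.
fw_rules() {
  cat <<'EOF'
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Port 22 has to accept everyone: the username is not on the wire yet.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Forwarded HTTP goes to a transparent proxy; that is where application
# knowledge lives, not in the packet filter.
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3128
EOF
}

# Constructed sshd_config fragment (addresses are documentation ranges).
# sshd checks DenyUsers first; once AllowUsers is present, any user not
# listed is refused by sshd itself, after key exchange.
SSHD_FRAGMENT='
DenyUsers  haim@203.0.113.*
AllowUsers haim admin@10.0.0.*
'

# _pat_match PATTERN USER ADDR: 0 if PATTERN ("user" or "user@host", with
# shell wildcards as in sshd_config(5)) matches this login attempt.
_pat_match() {
  p=$1 u=$2 h=$3
  case $p in
    *@*) up=${p%%@*}; hp=${p#*@} ;;
    *)   up=$p; hp='*' ;;
  esac
  case $u in $up) ;; *) return 1 ;; esac
  case $h in $hp) return 0 ;; *) return 1 ;; esac
}

# ssh_user_allowed USER [CLIENT_ADDR]: 0 if sshd configured with
# $SSHD_FRAGMENT would let USER past AllowUsers/DenyUsers, 1 otherwise.
ssh_user_allowed() {
  user=$1 addr=${2:-}
  deny=$(printf '%s\n' "$SSHD_FRAGMENT" | awk '$1=="DenyUsers"  {$1=""; print}')
  allow=$(printf '%s\n' "$SSHD_FRAGMENT" | awk '$1=="AllowUsers" {$1=""; print}')
  for pat in $deny; do
    _pat_match "$pat" "$user" "$addr" && return 1
  done
  [ -z "$allow" ] && return 0   # no AllowUsers line: nobody is filtered here
  for pat in $allow; do
    _pat_match "$pat" "$user" "$addr" && return 0
  done
  return 1
}

# Stand-alone demo: the rules, then a few decisions.
fw_rules
for attempt in 'haim 198.51.100.4' 'haim 203.0.113.9' 'admin 10.0.0.7' \
               'admin 198.51.100.4' 'noam 198.51.100.4'; do
  set -- $attempt
  if ssh_user_allowed "$1" "$2"; then
    echo "$1 from $2: allowed"
  else
    echo "$1 from $2: refused"
  fi
done
```

The evaluator is deliberately limited to AllowUsers/DenyUsers; sshd also applies DenyGroups/AllowGroups after them, and a `Match` block can narrow things further, but the point stands either way: the decision is made by sshd once the client has sent the username, and iptables can do nothing better than let the TCP connection reach it.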




