7.6. Protecting a Host

Host protection in the past was typically performed with application layer checks on the originating IP or hostname. This was (and still is) frequently accomplished with libwrap, which verifies whether or not to allow a connection based on the contents of the system wide configuration files /etc/hosts.allow and /etc/hosts.deny.

Host protection is one part of protecting a host, by preventing inbound packets from reaching higher layers. This is no substitute for tight application layer security. Strong network and host-level packet filters mitigate a host's exposure when it is connected to a network.

Example 7.1. Blocking a destination and using the REJECT target, cf. Example D.17, “Adding a prohibit route with route add

[root@masq-gw]# iptables -I FORWARD -p tcp -d 209.10.26.51 --dport 22 -j REJECT
[root@tristan]# ssh 209.10.26.51
ssh: connect to address 209.10.26.51 port 22: Connection refused
[root@masq-gw]# tcpdump -nnq -i eth2
tcpdump: listening on eth2
22:16:59.111947 192.168.99.35.51991 > 209.10.26.51.22: tcp 0 (DF)
22:16:59.112270 192.168.99.254 > 192.168.99.35: icmp: 209.10.26.51 tcp port 22 unreachable (DF) [tos 0xc0]