Iptables : only allow SSH and specific IP and port
Hello guys, can you take a look and help me with my configuration?
Scenario:
Users connect to the proxy server using SSH, and use the server to connect to a specific IP range on port 114.
My configuration
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Allow unlimited traffic on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#Security issue: drop malformed packets first, before any ACCEPT rule sees them
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -f -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Allow incoming ssh only
iptables -A INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
#Only allow connect to specific IP: this box opens connections to port 114 in the range,
# and the replies come back from the range with source port 114 (ESTABLISHED only)
iptables -A OUTPUT -p tcp --destination-port 114 -m iprange --dst-range 192.168.1.100-192.168.1.200 -j ACCEPT
iptables -A INPUT -p tcp --source-port 114 -m iprange --src-range 192.168.1.100-192.168.1.200 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -i lo -j ACCEPT
iptables -A FORWARD -o lo -j ACCEPT
# make sure nothing comes or goes out of this box (keep these last: rules appended after a catch-all DROP are never reached)
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
lo should not be forwarded, nor does it need to be. You can remove the FORWARD lines here.
Code:
# We allow TCP and UDP connections already established to enter
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
You could change these to the following:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Specific 1 IP
---------------------------------------------------------------------------------------
iptables -A INPUT -s 203.66.142.57 -j ACCEPT
iptables -A OUTPUT -d 203.66.142.57 -j ACCEPT
Specific IP Range
-------------------------------------------------------------------------------------------
iptables -A INPUT -m iprange --src-range IP-IP -j ACCEPT
iptables -A OUTPUT -m iprange --dst-range IP-IP -j ACCEPT
Specific Port Range
---------------------------------------------------------------------------------------------
iptables -A INPUT -p tcp -s 0/0 --sport PORT1:PORT2 -j ACCEPT
iptables -A OUTPUT -p tcp -d 0/0 --dport PORT1:PORT2 -j ACCEPT
Block all other traffic
---------------------------------------------------------------------------------------------
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
Default policy and loopback
---------------------------------------------------------------------------------------------
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
For starters, you don't need to place '-s 0/0' or '-d 0/0'. This translates to "all", so it is not really needed. I would suggest you use a stateful firewall. Tell us what you are trying to do and what ports you need to allow to pass, and someone could help with your rules.
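The stateful ruleset the last reply asks for, written for the scenario in the original post (ssh in, connections from this box to port 114 on 192.168.1.100-192.168.1.200), as an added example that is not code from any poster in this thread. It emits the rules in iptables-restore format and includes a small lint that catches the ordering problem in the original post, where "iptables -A INPUT -j DROP" and "iptables -A OUTPUT -j DROP" are appended before the rules that are meant to accept traffic, so those rules can never match. SERVER_IP is an assumed placeholder value, the buggy sample is constructed to mirror the post's order, and nothing here is applied to a live kernel:

```shell
#!/bin/sh
# Added example, not code from the thread: the poster's scenario as a stateful
# ruleset in iptables-restore format, plus a lint for the ordering bug in the
# original post (catch-all DROP appended before the ACCEPT rules).
# Nothing here touches a live kernel.

SERVER_IP="${SERVER_IP:-192.0.2.10}"        # assumed: the proxy box's own address
PEER_RANGE="192.168.1.100-192.168.1.200"   # from the post
PEER_PORT=114                              # from the post

# Stateful ruleset. Order: loopback, sanity drops, one ESTABLISHED,RELATED rule
# per chain (covers ssh replies and port-114 replies, tcp and udp alike),
# then the two NEW rules, then the catch-all DROP as the LAST rule.
# "-m conntrack --ctstate" is the current spelling of the thread's "-m state --state".
ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
-A INPUT -f -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -d $SERVER_IP --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp --dport $PEER_PORT -m iprange --dst-range $PEER_RANGE -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -j DROP
COMMIT
EOF
}

# Constructed sample that reproduces the original post's order: the catch-all
# DROPs are appended before the port-114 rules and the "! --syn" check.
buggy_sample() {
    cat <<'EOF'
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -j DROP
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
-A INPUT -p tcp --sport 114 -m iprange --src-range 192.168.1.100-192.168.1.200 -j ACCEPT
-A OUTPUT -p tcp --dport 114 -m iprange --dst-range 192.168.1.100-192.168.1.200 -j ACCEPT
COMMIT
EOF
}

# Lint (reads a ruleset on stdin): once a chain has an unconditional
# "-A CHAIN -j DROP" or "-A CHAIN -j REJECT", every rule appended to that chain
# afterwards is unreachable. Prints each such rule prefixed with "dead:";
# exit status 1 if any were found, 0 otherwise.
lint_dead_rules() {
    awk '
        $1 == "-A" {
            chain = $2
            if (chain in sealed) { print "dead: " $0; dead++; next }
            if (NF == 4 && $3 == "-j" && ($4 == "DROP" || $4 == "REJECT"))
                sealed[chain] = 1
        }
        END { exit (dead > 0) }
    '
}

# Number of unreachable rules in the ruleset on stdin, as a plain integer.
dead_rule_count() {
    lint_dead_rules | awk 'END { print NR + 0 }'
}

echo "dead rules in the original ordering: $(buggy_sample | dead_rule_count)"
echo "dead rules in the stateful ruleset:  $(ruleset | dead_rule_count)"
```

To put the rules in place, save the output of ruleset to a file and load it with iptables-restore (iptables-restore --test parses it without committing, where that option is available). Note that the single ESTABLISHED,RELATED rule per chain replaces the per-port reply rules: replies to ssh and to the port-114 connections are accepted by connection tracking, so only the two NEW rules need to name ports and addresses.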