  #1 (Just Joined!)

    Iptables : only allow SSH and specific IP and port


    Hello guys, can you take a look and help me with my configuration?

    Scenario:
    Users connect to the proxy server using SSH, and use the server to connect to a specific IP range on port 114.

    My configuration
    # Setting default filter policy
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP

    # Allow unlimited traffic on loopback
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    # Allow incoming ssh only
    iptables -A INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT

    # make sure nothing comes or goes out of this box
    iptables -A INPUT -j DROP
    iptables -A OUTPUT -j DROP

    #Security issue
    iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    iptables -A INPUT -f -j DROP
    iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

    #Only allow connect to specific IP
    iptables -A INPUT -p tcp --destination-port 114 -m iprange --src-range 192.168.1.100-192.168.1.200 -j ACCEPT
    iptables -A OUTPUT -p tcp --destination-port 114 -m iprange --dst-range 192.168.1.100-192.168.1.200 -j ACCEPT

  #2 (Lazydog, Linux Guru)
    You have to remember that IPTABLES is read top down. So anything you want to happen must come before the '-j DROP' statement.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  #3 (Just Joined!)
    You can check this site for a sample of a complete iptables script.

    EDIT: As I'm not allowed to link to a site here, a copy-paste:

    Code:
    #!/bin/sh
    
    iptables -F
    iptables -X
    
    # Default rules
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A FORWARD -i lo -j ACCEPT
    iptables -A FORWARD -o lo -j ACCEPT
    
    # SSH
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
    
    # We allow TCP and UDP connections already established to enter
    iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT

  #4 (Lazydog, Linux Guru)
    Code:
    iptables -A FORWARD -i lo -j ACCEPT
    iptables -A FORWARD -o lo -j ACCEPT
    lo should not be forwarded or need to be forwarded.
    You can remove the forward lines here

    Code:
    # We allow TCP and UDP connections already established to enter
    iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
    You could change these to the following:

    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    Regards
    Robert


  #5 (Just Joined!)
    Hi Lazydog,

    Thanks for your input. You're right about lo and forward, I should have guessed it.

    About your second point: I only use TCP or UDP; I used to use GRE to access a PPTP VPN.

    Anyway thanks a lot for your input, I appreciate it.

  #6 (Just Joined!)
    Enable SSH only
    ------------------------------------------------------------------------------------------------
    iptables -A INPUT -p tcp -s 0/0 -d $SERVER_IP --dport 22 -j ACCEPT
    iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 22 -j ACCEPT



    Enable UDP
    -----------------------------------------------------------------------------------------------
    iptables -A INPUT -p udp --sport 67:68 --dport 67:68 -j ACCEPT
    iptables -A OUTPUT -p udp --sport 67:68 --dport 67:68 -j ACCEPT
    iptables -A INPUT -p udp --source-port 53 -j ACCEPT
    iptables -A OUTPUT -p udp --destination-port 53 -j ACCEPT


    Specific 1 IP
    ---------------------------------------------------------------------------------------
    iptables -A INPUT -s 203.66.142.57 -j ACCEPT
    iptables -A OUTPUT -d 203.66.142.57 -j ACCEPT



    Specific IP Range
    -------------------------------------------------------------------------------------------
    iptables -A OUTPUT -m iprange --dst-range IP-IP -j ACCEPT
    iptables -A OUTPUT -m iprange --dst-range IP-IP -j ACCEPT



    Specific Port Range
    ---------------------------------------------------------------------------------------------
    iptables -A INPUT -p tcp -s 0/0 --sport PORT -j ACCEPT
    iptables -A OUTPUT -p tcp -d 0/0 --dport PORT -j ACCEPT


    Block all other traffic
    ---------------------------------------------------------------------------------------------
    iptables -A INPUT -j DROP
    iptables -A OUTPUT -j DROP
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP


    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT


    Is this configuration OK?

  #7 (Lazydog, Linux Guru)
    For starters, you don't need to place '-s 0/0' or '-d 0/0'. This translates to "all", so it is not really needed. I would suggest you use a stateful firewall. Tell us what you are trying to do and what ports you need to allow to pass, and someone could help with your rules.

    Regards
    Robert

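The post #1 scenario rewritten along the lines suggested in posts #2, #4 and #7 (stateful, every ACCEPT above the catch-all DROP, no '-s 0/0'), added here as an example and not code from any poster. SERVER_IP defaults to a placeholder address, and IPT defaults to 'echo iptables' so the script prints the rules for review instead of touching the running firewall.

```shell
#!/bin/sh
# Added example (not from any post): the post #1 scenario rewritten as a
# stateful, correctly ordered rule set. IPT defaults to a dry run that prints
# the commands; run with IPT=iptables as root to apply them. SERVER_IP is a
# placeholder address and must be replaced with the proxy's own address.
IPT="${IPT:-echo iptables}"
SERVER_IP="${SERVER_IP:-203.0.113.10}"

apply_rules() {
    $IPT -F
    $IPT -X
    # Default policies: nothing passes unless a rule below accepts it
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    # Loopback
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # One stateful rule per chain (post #4 form) replaces per-port reply rules;
    # it sits above the SSH and port 114 rules so replies are matched here
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Malformed TCP is dropped before any NEW connection is accepted
    $IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    $IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    $IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    # Inbound SSH; no '-s 0/0' (post #7) and no client source-port restriction
    $IPT -A INPUT -p tcp -d "$SERVER_IP" --dport 22 -m state --state NEW -j ACCEPT
    # Outbound: only new connections to the proxied range on port 114 (post #1)
    $IPT -A OUTPUT -p tcp --dport 114 -m iprange \
        --dst-range 192.168.1.100-192.168.1.200 -m state --state NEW -j ACCEPT
    # Catch-all DROP last: every ACCEPT must sit above it (post #2)
    $IPT -A INPUT -j DROP
    $IPT -A OUTPUT -j DROP
}

# Ordering check on the generated rules: the last ACCEPT appended to a chain
# must precede that chain's catch-all DROP. Returns 0 when the order is sound.
check_order() {
    chain="$1"
    rules=$(apply_rules | grep -- "-A $chain ")
    last_accept=$(printf '%s\n' "$rules" | grep -n -- '-j ACCEPT' | tail -n 1 | cut -d: -f1)
    final_drop=$(printf '%s\n' "$rules" | grep -n -- "-A $chain -j DROP" | cut -d: -f1)
    [ -n "$last_accept" ] && [ -n "$final_drop" ] && [ "$last_accept" -lt "$final_drop" ]
}
```

Running the script with the default dry run and then `check_order INPUT; check_order OUTPUT` reports whether any ACCEPT landed below the catch-all DROP, which is the mistake post #2 points out in the original rule set.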
