- 07-01-2009 #1
Iptables : only allow SSH and specific IP and port
Hello guys, can you take a look and help me with my configuration?
Scenario:
A user connects to the proxy server using SSH, and uses the server to connect to a specific IP range on port 114.
My configuration:
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Allow unlimited traffic on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow incoming ssh only
iptables -A INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
# make sure nothing comes or goes out of this box
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
#Security issue
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -f -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
#Only allow connect to specific IP
iptables -A INPUT -p tcp --destination-port 114 -m iprange --src-range 192.168.1.100-192.168.1.200 -j ACCEPT
iptables -A OUTPUT -p tcp --destination-port 114 -m iprange --dst-range 192.168.1.100-192.168.1.200 -j ACCEPT
- 07-01-2009 #2
You have to remember that IPTABLES is read top down. So anything you want to happen must come before the '-j DROP' statement.
- 07-02-2009 #3
You can check this site for a sample of a complete iptables script.
EDIT: As I'm not allowed to link to a site here, a copy-paste:
Code:
#!/bin/sh
iptables -F
iptables -X
# Default rules
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A FORWARD -i lo -j ACCEPT
iptables -A FORWARD -o lo -j ACCEPT
# SSH: the rate-limit DROP must come before the --set ACCEPT, otherwise every new
# connection is accepted by the first rule and the limit is never applied
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
# We allow TCP and UDP connections already established to enter
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
- 07-02-2009 #4
lo should not be forwarded, nor does it need to be forwarded.
Code:
iptables -A FORWARD -i lo -j ACCEPT
iptables -A FORWARD -o lo -j ACCEPT
You can remove the forward lines here.
You could change these:
Code:
# We allow TCP and UDP connections already established to enter
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
to the following:
Code:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
- 07-03-2009 #5
Hi Lazydog,
Thanks for your input. You're right about lo and forward; I should have guessed it.
About your second point: I only use TCP or UDP. I used to use GRE to access a PPTP VPN.
Anyway, thanks a lot for your input, I appreciate it.
- 07-03-2009 #6
Enable SSH only
------------------------------------------------------------------------------------------------
iptables -A INPUT -p tcp -s 0/0 -d SERVER_IP --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -s SERVER_IP -d 0/0 --sport 22 -j ACCEPT
Enable UDP
-----------------------------------------------------------------------------------------------
iptables -A INPUT -p udp --sport 67:68 --dport 67:68 -j ACCEPT
iptables -A OUTPUT -p udp --sport 67:68 --dport 67:68 -j ACCEPT
iptables -A INPUT -p udp --source-port 53 -j ACCEPT
iptables -A OUTPUT -p udp --destination-port 53 -j ACCEPT
Specific 1 IP
---------------------------------------------------------------------------------------
iptables -A INPUT -s 203.66.142.57 -j ACCEPT
iptables -A OUTPUT -d 203.66.142.57 -j ACCEPT
Specific IP Range
-------------------------------------------------------------------------------------------
iptables -A INPUT -m iprange --src-range IP-IP -j ACCEPT
iptables -A OUTPUT -m iprange --dst-range IP-IP -j ACCEPT
Specific Port Range
---------------------------------------------------------------------------------------------
iptables -A INPUT -p tcp -s 0/0 --sport PORT -j ACCEPT
iptables -A OUTPUT -p tcp -d 0/0 --dport PORT -j ACCEPT
Block all other traffic
---------------------------------------------------------------------------------------------
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
Is this configuration OK?
- 07-03-2009 #7
For starters, you don't need to place '-s 0/0' or '-d 0/0'. These translate to all, so they are not really needed. I would suggest you use a stateful firewall. Tell us what you are trying to do and what ports you need to allow to pass, and someone could help with your rules.
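A stateful, correctly ordered ruleset for the scenario in post #1 (SSH in from anywhere; the box may only open outbound connections to 192.168.1.100-192.168.1.200 on TCP 114), as an added example that is not code from this thread. SERVER_IP is a placeholder; the single ESTABLISHED,RELATED accept follows reply #4, the SSH throttle follows reply #3, and the rules are emitted in iptables-restore format so they load atomically instead of one `iptables -A` at a time.

```shell
#!/bin/sh
# Added example, not from the thread. Usage: ./rules.sh apply  (root), or ./rules.sh to print.
SERVER_IP="${SERVER_IP:-192.0.2.10}"   # placeholder (TEST-NET address); set to the server's address
RANGE="192.168.1.100-192.168.1.200"   # range and port from the original post
PORT=114

ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback first: a rule placed after a catch-all DROP is never reached.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Stateful core: replies to connections already accepted, in both directions.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# New TCP connections must start with a SYN (replaces the separate flag rules in post #1).
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# Inbound SSH, throttled to 4 new connections per source per 60 s: DROP rule before SET rule.
-A INPUT -p tcp -d $SERVER_IP --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
-A INPUT -p tcp -d $SERVER_IP --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH -j ACCEPT
# The only outbound connections the box may open: TCP $PORT into the permitted range.
-A OUTPUT -p tcp -m iprange --dst-range $RANGE --dport $PORT -m conntrack --ctstate NEW -j ACCEPT
# Policy DROP covers everything else; log what falls through (rate-limited) for visibility.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-in-drop: "
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-out-drop: "
COMMIT
EOF
}

# Ordering check that needs no root: the loopback ACCEPT must precede the first
# INPUT DROP/LOG rule (this is exactly what post #1 got wrong). Exit 0 when correct.
lo_before_drop() {
    ruleset | awk '/-A INPUT -i lo -j ACCEPT/{lo=NR} /-A INPUT .*-j (DROP|LOG)/ && !d{d=NR} END{exit !(lo && d && lo<d)}'
}

case "${1:-}" in
    apply) lo_before_drop && ruleset | iptables-restore ;;   # load atomically (requires root)
    *)     ruleset ;;                                        # print for review
esac
```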