rawandnet
asked on
Allow only one ip to access ssh
Hi guys,
Using the following iptables rules, I can ssh to this machine from any source. The question is: if I want only 192.168.1.2 to be able to access this server through ssh, what should I do to the following line?
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 22 -j okay
# First drop everything (lets you open what you want)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -N okay
iptables -A okay -p TCP --syn -j ACCEPT
iptables -A okay -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A okay -p TCP -j DROP
#iptables -A INPUT -p ALL -i eth0 -s 10.1.0.0/16 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 10.1.3.30 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Packets for established connections
#iptables -A INPUT -p ALL -d 10.2.0.13 -m state --state ESTABLISHED,RELATED -j ACCEPT
# TCP rules
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 22 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 80 -j okay
#ICMP rules
iptables -A INPUT -p ICMP -i eth0 -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A INPUT -p ICMP -i eth0 -s 0/0 --icmp-type 11 -j ACCEPT
# FORWARD chain rules
#iptables -A FORWARD -i eth0 -j ACCEPT
#iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# OUTPUT chain rules
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 10.1.3.30 -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#Iptables to allow yum OUTPUT on port 80
#iptables -A OUTPUT -p tcp -m tcp -m state --state NEW --dport 80 -j ACCEPT
Rule 1: create a rule to accept traffic on port 80.
Rule 2: create a rule to block everything else.
The rules should be something like:
iptables -A INPUT -p TCP --destination-port 80 -j ACCEPT
iptables -A INPUT -j REJECT
The syntax could be wrong; I haven't cross-checked.
Basically, first you have to create the accept rule for port 80 and then the reject for all.
If you interchange the sequence, it will only block everything.
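Added example, not code from the thread or the asker's script: a small POSIX sh script that generates the replacement for the asker's port-22 line so that only one source address reaches sshd, and that emits the rules in the order the reply above describes (accept first, then the catch-all deny, because iptables stops at the first matching rule). It assumes the `okay` chain from the asker's script exists, keeps `eth0` as the interface, and uses 192.168.1.2 from the question; `IFACE`, `ADMIN_IP`, `valid_ipv4`, `ssh_allow_rule`, `ssh_deny_rule` and `restrict_ssh` are names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the thread: build the iptables commands that replace
#   iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 22 -j okay
# so that only one management host can reach sshd. Assumes the "okay" chain
# from the asker's script already exists. IFACE and ADMIN_IP are assumptions
# taken from the question.

IFACE="eth0"
ADMIN_IP="192.168.1.2"

# Minimal check that the address is a dotted-quad IPv4, optionally with a
# /prefix, so a typo never turns into a rule that matches nothing (or a shell
# injection when the output is piped to sh).
valid_ipv4() {
    case "$1" in
        */*) ip="${1%%/*}"; prefix="${1#*/}" ;;
        *)   ip="$1";       prefix="" ;;
    esac
    case "$prefix" in
        ""|[0-9]|[12][0-9]|3[0-2]) ;;
        *) return 1 ;;
    esac
    case "$ip" in ""|*[!0-9.]*) return 1 ;; esac   # digits and dots only
    old_ifs="$IFS"; IFS=.
    set -- $ip                                      # split into octets
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Only the -s argument of the original line changes: 0/0 (any source) becomes
# the single host. Everything else, including the jump to "okay", stays.
ssh_allow_rule() {
    printf 'iptables -A INPUT -p TCP -i %s -s %s --destination-port 22 -j okay\n' "$IFACE" "$1"
}

# Explicit drop for SSH from every other source. The asker's INPUT policy is
# already DROP, so this is belt-and-braces, but it keeps the intent visible in
# `iptables -L INPUT -n` if the policy is ever relaxed.
ssh_deny_rule() {
    printf 'iptables -A INPUT -p TCP -i %s --destination-port 22 -j DROP\n' "$IFACE"
}

# Emit the two rules in the order they must be appended: allow first, deny
# second. The reverse order would lock out the management host as well.
restrict_ssh() {
    valid_ipv4 "$1" || { printf 'refusing to build a rule for "%s"\n' "$1" >&2; return 1; }
    ssh_allow_rule "$1"
    ssh_deny_rule
}

# Print the commands so they can be reviewed before being run as root,
# e.g.  sh restrict-ssh.sh | sudo sh
restrict_ssh "$ADMIN_IP"
```

The generated allow rule is a drop-in replacement for the asker's `-s 0/0` line at the same position in the script; since the `okay` chain only accepts SYN and established TCP, narrowing the source on the INPUT jump is all that is needed. Keep an existing session open while applying it, so a mistake in the address does not lock you out.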
ASKER
thanks