rawandnet asked:
Allow only one ip to access ssh

Hi guys,

Using the following iptables rules, I can ssh to this machine from any source. The question is: if I want only 192.168.1.2 to be able to access this server through ssh, what should I do to the following line:

iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 22 -j okay

# First drop everything (lets you open what you want)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

iptables -N okay
iptables -A okay -p TCP --syn -j ACCEPT
iptables -A okay -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A okay -p TCP -j DROP

#iptables -A INPUT -p ALL -i eth0 -s 10.1.0.0/16 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 10.1.3.30 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Packets for established connections
#iptables -A INPUT -p ALL -d 10.2.0.13 -m state --state ESTABLISHED,RELATED -j ACCEPT

# TCP rules
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 22 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 80 -j okay

#ICMP rules
iptables -A INPUT -p ICMP -i eth0 -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A INPUT -p ICMP -i eth0 -s 0/0 --icmp-type 11 -j ACCEPT

# FORWARD chain rules
#iptables -A FORWARD -i eth0 -j ACCEPT
#iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# OUTPUT chain rules
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 10.1.3.30 -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#Iptables to allow yum OUTPUT on port 80
#iptables -A OUTPUT -p tcp -m tcp -m state --state NEW --dport 80 -j ACCEPT

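The change the question asks for, as an added example that is not part of the original post or of the accepted solution: the only edit to the quoted line is replacing `-s 0/0` with the single admin host, followed by an explicit DROP for port 22 from everyone else, plus an audit that reads an `iptables -S INPUT` listing and reports any port-22 ACCEPT/okay rule that is still open to other sources. The address 192.168.1.2 comes from the question; the interface name eth0 and the `okay` chain are taken from the posted script; the function names `ssh_rules` and `ssh_is_restricted`, the `IPT` dry-run variable and the two sample listings are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post or the accepted solution).
# Restrict inbound SSH to one admin host and audit a ruleset listing for port 22
# being open to any other source.
# Dry run by default: IPT expands to "echo iptables", so the rules are printed, not
# loaded. Set IPT=iptables and run as root to apply them. IPT is deliberately left
# unquoted below so that "echo iptables" splits into two words.
IPT="${IPT:-echo iptables}"
ADMIN_HOST="${ADMIN_HOST:-192.168.1.2}"   # the one host allowed to ssh in (from the question)
IFACE="${IFACE:-eth0}"                    # interface used in the posted script

# Replacement for the posted line
#   iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 22 -j okay
# Only the source match changes (0/0 -> the admin host); the "okay" chain from the
# posted script still does the SYN/ESTABLISHED handling. The second rule drops port 22
# from everyone else, so the restriction survives even if a later rule would accept
# port 22 from 0/0 again. iptables evaluates a chain top to bottom and the first
# terminating match wins, so both rules must sit above any broader port-22 ACCEPT.
ssh_rules() {
    $IPT -A INPUT -p tcp -i "$IFACE" -s "$ADMIN_HOST" --dport 22 -j okay
    $IPT -A INPUT -p tcp -i "$IFACE" --dport 22 -j DROP
}

# Audit: read an `iptables -S INPUT` listing on stdin and return 1 if any rule that
# lets port 22 through (target ACCEPT or the okay chain) does not restrict the source
# to ADMIN_HOST. `iptables -S` prints a host source as CIDR (192.168.1.2/32) and omits
# -s entirely for 0/0, which is exactly the case the audit is meant to catch.
ssh_is_restricted() {
    awk -v admin="$ADMIN_HOST/32" '
        BEGIN { bad = 0 }
        /--dport 22( |$)/ && (/-j ACCEPT/ || /-j okay/) {
            src = ""
            for (i = 1; i <= NF; i++) if ($i == "-s") src = $(i + 1)
            if (src != admin) {
                what = (src == "") ? "any source" : src
                print "port 22 open to " what ": " $0
                bad = 1
            }
        }
        END { exit bad }'
}

# Constructed listings (not real iptables output) shaped like `iptables -S INPUT`:
# the first matches the posted ruleset, the second contains the two rules from
# ssh_rules with the default ADMIN_HOST.
LISTING_OPEN='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j okay
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j okay'
LISTING_FIXED='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.2/32 -i eth0 -p tcp -m tcp --dport 22 -j okay
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j okay'

# Print (or, with IPT=iptables, load) the rules, then audit both listings.
ssh_rules
printf '%s\n' "$LISTING_OPEN"  | ssh_is_restricted || echo "posted ruleset: FAIL"
printf '%s\n' "$LISTING_FIXED" | ssh_is_restricted && echo "fixed ruleset: OK"
```

Run it as is to see the two rules and the audit verdicts; `IPT=iptables sh restrict-ssh.sh` as root loads them. Apply them from 192.168.1.2, or from a session that the existing ESTABLISHED,RELATED rule will keep alive, because every other port-22 connection is dropped afterwards. On a live box, `iptables -S INPUT | ADMIN_HOST=192.168.1.2 sh -c '. ./restrict-ssh.sh; ssh_is_restricted'` style reuse, or simply `iptables -S INPUT | ssh_is_restricted` after sourcing the functions, confirms that no other rule still opens port 22 to the world.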

ASKER CERTIFIED SOLUTION by Monis Monther (only available to Experts Exchange members)

SOLUTION (only available to Experts Exchange members)
rawandnet (ASKER):

How about if I wanted to allow only http (80) traffic, nothing else!

rule 1: create a rule to accept traffic on port 80
rule 2: create a rule to block everything else

rule should be something like
iptables -A INPUT -p TCP --destination-port 80 -j ACCEPT   # accept HTTP first
iptables -A INPUT -j REJECT                                # then reject everything else

Syntax could be wrong, I haven't cross-checked.

Basically, first you have to create the accept rule for port 80 and then the reject for all.

If you interchange the sequence, it will only block everything.
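The two-rule ordering from the post above, as an added example that is not the thread's own code: `http_only_rules` builds the INPUT chain in the order that works, and `http_rule_reachable` reads an `iptables -S INPUT` listing and fails when a catch-all REJECT or DROP comes before the port-80 ACCEPT, which is what happens when the two rules are interchanged. The loopback and ESTABLISHED,RELATED rules are additions the post does not mention (without them, replies to the server's own outbound connections, such as the yum traffic in the question's script, would be rejected); the function names, the `IPT` dry-run variable and the two sample listings are constructed for this example.

```shell
#!/bin/sh
# Added example (not the thread's own code). Builds the "accept port 80, then reject
# everything else" INPUT chain in the order that works, and audits a listing for the
# reversed order, where the catch-all comes first and the port-80 rule is never reached.
# Dry run by default: set IPT=iptables and run as root to apply (IPT stays unquoted so
# "echo iptables" splits into two words).
IPT="${IPT:-echo iptables}"

http_only_rules() {
    # Order matters: iptables takes the first terminating match, so the ACCEPT for
    # port 80 has to be appended before the catch-all REJECT. -A appends at the end
    # of the chain, so calling these in sequence yields exactly that order.
    # (-m conntrack --ctstate is the current spelling of the post's -m state --state.)
    $IPT -A INPUT -i lo -j ACCEPT                                          # loopback (not in the post)
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT    # replies to our own connections (not in the post)
    $IPT -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT  # the one exposed service
    $IPT -A INPUT -j REJECT --reject-with icmp-port-unreachable           # everything else; must be last
}

# Audit: read `iptables -S INPUT` on stdin. A rule whose first option is -j has no
# match criteria at all; if such a REJECT or DROP appears before the port-80 ACCEPT,
# the ACCEPT is dead and the function returns 1. It also returns 1 when no port-80
# ACCEPT exists. Listing line numbers (NR) identify the offending rule.
http_rule_reachable() {
    awk '
        BEGIN { shadowed = 0; http_ok = 0 }
        $1 == "-A" && $2 == "INPUT" {
            if (/--dport 80( |$)/ && /-j ACCEPT/) {
                if (shadowed) print "dead rule, shadowed by catch-all on line " shadowed ": " $0
                else http_ok = 1
            }
            if (!shadowed && $3 == "-j" && ($4 == "REJECT" || $4 == "DROP")) shadowed = NR
        }
        END { if (!http_ok) print "no reachable ACCEPT for port 80"; exit (http_ok ? 0 : 1) }'
}

# Constructed listings (not real iptables output) for the two orders discussed above.
LISTING_GOOD='-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable'
LISTING_REVERSED='-P INPUT DROP
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT'

# Print (or, with IPT=iptables, load) the rules, then audit both orders.
http_only_rules
printf '%s\n' "$LISTING_GOOD"     | http_rule_reachable && echo "accept-then-reject: OK"
printf '%s\n' "$LISTING_REVERSED" | http_rule_reachable || echo "reject-then-accept: FAIL (blocks everything)"
```

If a catch-all REJECT is already at the bottom of a live chain, a new ACCEPT appended with `-A` lands below it and is dead on arrival; insert it above the catch-all with `iptables -I INPUT <position>` instead, then run `iptables -S INPUT | http_rule_reachable` to confirm the order. Loading this chain over SSH also cuts off any session that is not already covered by the ESTABLISHED,RELATED rule, so apply it from the console or with an out-of-band way back in.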
SOLUTION (only available to Experts Exchange members)
Thanks.