Solved

Allow only one ip to access ssh

Posted on 2010-03-28
Last Modified: 2013-12-06
Hi guys,

Using the following iptables rules, I can ssh to this machine from any source. The question is: if I want only 192.168.1.2 to be able to access this server through ssh, what should I do to the following line:

iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 22 -j okay
# First drop everything (lets you open what you want)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

iptables -N okay
iptables -A okay -p TCP --syn -j ACCEPT
iptables -A okay -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A okay -p TCP -j DROP

#iptables -A INPUT -p ALL -i eth0 -s 10.1.0.0/16 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 10.1.3.30 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Packets for established connections
#iptables -A INPUT -p ALL -d 10.2.0.13 -m state --state ESTABLISHED,RELATED -j ACCEPT

# TCP rules
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 22 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 80 -j okay

#ICMP rules
iptables -A INPUT -p ICMP -i eth0 -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A INPUT -p ICMP -i eth0 -s 0/0 --icmp-type 11 -j ACCEPT

# FORWARD chain rules
#iptables -A FORWARD -i eth0 -j ACCEPT
#iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# OUTPUT chain rules
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 10.1.3.30 -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#Iptables to allow yum OUTPUT on port 80
#iptables -A OUTPUT -p tcp -m tcp -m state --state NEW --dport 80 -j ACCEPT

Question by:rawandnet
6 Comments
 
LVL 14

Accepted Solution

by:
Monis Monther earned 668 total points
ID: 28882386
It should be

iptables -A INPUT -p TCP -i eth0 -s 192.168.0.1 --destination-port 22 -j okay


Assuming that the source is 192.168.0.1

You also have another solution: you can use tcpwrappers to allow only the specific IP.
 
LVL 7

Assisted Solution

by:vipul999
vipul999 earned 668 total points
ID: 28882512

For that you would create:

a rule to accept your source IP connecting to destination port 22

and

a rule to drop or reject all traffic to port 22

That way only your source IP would be allowed to access port 22.
 

Author Comment

by:rawandnet
ID: 28945017
How about if I wanted to allow only HTTP (80) traffic, nothing else!
 
LVL 7

Expert Comment

by:vipul999
ID: 28948300

Rule 1: create a rule to accept traffic on port 80
Rule 2: create a rule to block everything else

The rules should be something like:
iptables -A INPUT -p TCP --destination-port 80 -j ACCEPT
iptables -A INPUT -j REJECT

Syntax could be wrong, I haven't cross-checked.

Basically, first you have to create the accept rule for port 80 and then the reject for all.

If you interchange the sequence it will only block everything.
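As an added example (not code from the thread or from the asker), here is the asker's DROP-everything ruleset rewritten as a script that restricts SSH to one address and leaves HTTP open to all, covering both the original question and the follow-up. The names ADMIN_IP and WAN_IF, the ipt wrapper and the DRY_RUN/apply/preview handling are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: the asker's DROP-everything ruleset with
# SSH restricted to one admin host and HTTP left open to all.
# ADMIN_IP and WAN_IF are assumed values; change them for your network.
ADMIN_IP="${ADMIN_IP:-192.168.1.2}"
WAN_IF="${WAN_IF:-eth0}"

# With DRY_RUN=1 the commands are printed instead of executed (no root needed).
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_rules() {
    # Start from a clean table so re-running the script is safe.
    ipt -F
    ipt -X
    # Default deny on every chain; everything below opens a specific hole.
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP

    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Order matters: the narrow ACCEPT for the admin host comes first ...
    ipt -A INPUT -p tcp -i "$WAN_IF" -s "$ADMIN_IP" --dport 22 -m state --state NEW -j ACCEPT
    # ... and an explicit DROP for everyone else on 22 follows it, so no later
    # broad rule can reopen SSH by accident. Apply from the console or from
    # ADMIN_IP itself, otherwise your own session is the first thing cut off.
    ipt -A INPUT -p tcp -i "$WAN_IF" --dport 22 -j DROP
    # HTTP stays reachable from any source.
    ipt -A INPUT -p tcp -i "$WAN_IF" --dport 80 -m state --state NEW -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type 8 -j ACCEPT

    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}
# Count generated rules matching a pattern, for checking the policy without root.
count_rules() {
    DRY_RUN=1 build_rules | grep -c -- "$1"
}

case "${1:-}" in
    apply)   build_rules ;;           # run as root to load the rules
    preview) DRY_RUN=1 build_rules ;; # print what apply would do
esac
```

OUTPUT keeps the asker's DROP policy, so outbound NEW connections (DNS, yum) still need their own ACCEPT rule before they work.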
 
LVL 7

Assisted Solution

by:mchkorg
mchkorg earned 664 total points
ID: 28954978
Just some advice: take a look at www.shorewall.net as an easier interface to iptables.
You can just write basic rules like "ACCEPT net:$one.ip loc tcp 22" and a general policy like "DROP net loc".
In a few lines, you'll get something easy to understand and maintain.
You have several examples included: one-interface server, 2/3-interface gateways and so on...

Regards
 

Author Closing Comment

by:rawandnet
ID: 31708046
Thanks.