iptables: allow certain ips and block all other connection

How do I allow certain ips and block all other connection in iptables?
gid01Asked:
Who is Participating?
 
farzanjConnect With a Mentor Commented:
So it is filtering and the first rule that matches is read only.

So first you allow like

iptables -A INPUT -s 192.168.0.254 -j ACCEPT
iptables -A INPUT -s 10.10.0.0/24 -j ACCEPT
iptables -A INPUT -j -s 0.0.0.0/24  DROP

So first two will be allowed and the rest will be dropped
0
 
farzanjCommented:
Another way is to make policies.  So you make a policy that everything is dropped.  Then you explicitly allow a few connections.
 
# Set default policies
/sbin/iptables --policy INPUT DROP
/sbin/iptables --policy OUTPUT DROP
/sbin/iptables --policy FORWARD DROP

Open in new window


Then you allow some traffic
# Allow incoming TCP port 22 (ssh) traffic from office
/sbin/iptables -A INPUT -p tcp -s 192.168.1.100 --dport 22 -m state --state NEW -j ACCEPT

Open in new window

0
 
gid01Author Commented:
I run an Asterisk server for my small business, would this be a good way to prevent unauthorized access to my system?
0
Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

 
farzanjCommented:
Of course.  You should NEVER take network security for granted.  You should block IPs that are not valuable and also block all the ports that are not used.  Obviously you would not want your system to be compromised and multiple layers of security is better.
0
 
Anton74Commented:
I agree completely with farzanj.

Since you're talking about an Asterisk server, if you have AIX2 or SIP ports exposed on the internet (for remote phones, and/or connections to a VOIP provider, and/or connections to another PBX), it would be particularly prudent to restrict access for those ports to specific IPs if you can.

For SIP, a large range of UDP ports is needed for allowing (voice) data transfer between endpoints after establishing a session (a symptom of a problem with this is being able to dial, but there's no sound). The default range for this if I recall correctly is 16384 - 32768, but it could be different (if you're connecting to a SIP provider check what they require also). Some router/firewalls have SIP "helpers" that if enabled, automatically open these data ports for established sessions - if you have this available, it is preferable over having to open the large range of ports outright.
0
 
gid01Author Commented:
If I block all IPs except for a few essential IPs that are needed to run Asterisk, why should I have rules to block unnecessary ports too?
0
 
farzanjCommented:
Because, if a hacker uses simple packet sniffing utilities to sniff the packets coming to your network, will have a pretty good idea as to what IP addresses get accepted at your network.  He will then use another simple utility to scan all the ports--standard procedure before hacking.  Then he would spoof packets with the acceptable IP address and open ports to launch his attach.  Hackers play all kind of games.  We as security guys try to keep it as restricted as possible to make their game a little harder.
0
 
farzanjCommented:
You should have NO services running that are not being used.  They only open ports and make it an easy target of an attack
0
 
Gabriel OrozcoSolution ArchitectCommented:
I tend to agree with farzanj

However I also believe you should balance usage with security.

This said, how about adding a file with all the ip addresses you want open?

you can use the attached code snips examples to do that.
IPFILE: (assume here are the ip addresses you want open)
100.100.100.100
101.101.101.101
...

Open in new window

Iptables Script:

# Start of script

# Variables
ipt=$(which iptables)
# Policys
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT # I avoid problems with this

# Examine the IP addresses file and open input to those ip's
cat IPFILE | while read ip; do
  $ipt -A INPUT -s $ip -j ACCEPT
done

# End of script

Open in new window

0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.