Solved

iptables: allow certain ips and block all other connection

Posted on 2011-04-22
Last Modified: 2012-05-11
How do I allow certain ips and block all other connection in iptables?
Question by:gid01
9 Comments
 
LVL 31

Accepted Solution

by:
farzanj earned 2000 total points
ID: 35451797
So it is filtering, and only the first rule that matches is applied.

So first you allow like

iptables -A INPUT -s 192.168.0.254 -j ACCEPT
iptables -A INPUT -s 10.10.0.0/24 -j ACCEPT
iptables -A INPUT -s 0.0.0.0/0 -j DROP

So first two will be allowed and the rest will be dropped
 
LVL 31

Expert Comment

by:farzanj
ID: 35451813
Another way is to make policies.  So you make a policy that everything is dropped.  Then you explicitly allow a few connections.
 
# Set default policies
/sbin/iptables --policy INPUT DROP
/sbin/iptables --policy OUTPUT DROP
/sbin/iptables --policy FORWARD DROP


Then you allow some traffic
# Allow incoming TCP port 22 (ssh) traffic from office
/sbin/iptables -A INPUT -p tcp -s 192.168.1.100 --dport 22 -m state --state NEW -j ACCEPT

 

Author Comment

by:gid01
ID: 35451873
I run an Asterisk server for my small business, would this be a good way to prevent unauthorized access to my system?
 
LVL 31

Expert Comment

by:farzanj
ID: 35451880
Of course.  You should NEVER take network security for granted.  You should block IPs that are not valuable and also block all the ports that are not used.  Obviously you would not want your system to be compromised, and multiple layers of security are better.
 
LVL 9

Expert Comment

by:Anton74
ID: 35451977
I agree completely with farzanj.

Since you're talking about an Asterisk server, if you have IAX2 or SIP ports exposed on the internet (for remote phones, and/or connections to a VoIP provider, and/or connections to another PBX), it would be particularly prudent to restrict access for those ports to specific IPs if you can.

For SIP, a large range of UDP ports is needed for allowing (voice) data transfer between endpoints after establishing a session (a symptom of a problem with this is being able to dial, but there's no sound). The default range for this if I recall correctly is 16384 - 32768, but it could be different (if you're connecting to a SIP provider check what they require also). Some router/firewalls have SIP "helpers" that if enabled, automatically open these data ports for established sessions - if you have this available, it is preferable over having to open the large range of ports outright.
 

Author Comment

by:gid01
ID: 35453221
If I block all IPs except for a few essential IPs that are needed to run Asterisk, why should I have rules to block unnecessary ports too?
 
LVL 31

Expert Comment

by:farzanj
ID: 35453257
Because, if a hacker uses simple packet sniffing utilities to sniff the packets coming to your network, he will have a pretty good idea as to what IP addresses get accepted at your network.  He will then use another simple utility to scan all the ports--standard procedure before hacking.  Then he would spoof packets with the acceptable IP address and open ports to launch his attack.  Hackers play all kinds of games.  We as security guys try to keep it as restricted as possible to make their game a little harder.
 
LVL 31

Expert Comment

by:farzanj
ID: 35453262
You should have NO services running that are not being used.  They only open ports and make it an easy target of an attack.
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 35494883
I tend to agree with farzanj.

However I also believe you should balance usage with security.

This said, how about adding a file with all the ip addresses you want open?

You can use the attached code snippet examples to do that.
IPFILE: (assume here are the ip addresses you want open)
100.100.100.100
101.101.101.101
...

Iptables Script:

# Start of script

# Variables
ipt=$(which iptables)
# Policies
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT # I avoid problems with this

# Examine the IP addresses file and open input to those IPs
# (read -r keeps backslashes literal; quoting $ip avoids word splitting)
while read -r ip; do
  $ipt -A INPUT -s "$ip" -j ACCEPT
done < IPFILE

# End of script

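An added example (not code from this thread or from Asterisk) that combines Anton74's SIP/RTP port note with Gabriel Orozco's IPFILE approach: a POSIX sh script that sets a DROP policy, accepts only the listed peers on SIP 5060/UDP and the RTP media range, keeps SSH from the office address, and adds the loopback and ESTABLISHED,RELATED rules the snippets above leave out. The port numbers, the office address and the sample IPFILE contents are assumptions; with IPT unset it prints the commands instead of applying them.

```shell
#!/bin/sh
# Allowlist firewall for an Asterisk box. Default: print the commands
# (dry run); run with IPT=/sbin/iptables to apply them for real.
IPT="${IPT:-echo iptables}"
SIP_PORT=5060               # assumed Asterisk SIP port (check sip.conf)
RTP_RANGE="16384:32768"     # range quoted by Anton74; check rtp.conf
OFFICE_IP="192.168.1.100"   # farzanj's example office address

# emit_rules <ipfile>: one iptables invocation per rule, in order.
emit_rules() {
    ipfile="$1"
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Loopback and replies to our own outbound traffic; a DROP policy
    # without these breaks local services and DNS lookups.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # SSH only from the office, as in farzanj's rule above.
    $IPT -A INPUT -p tcp -s "$OFFICE_IP" --dport 22 -m state --state NEW -j ACCEPT
    # Per allowlisted peer: SIP signalling plus the RTP media range.
    while read -r ip; do
        case "$ip" in ''|'#'*) continue ;; esac   # skip blanks and comments
        $IPT -A INPUT -p udp -s "$ip" --dport "$SIP_PORT" -j ACCEPT
        $IPT -A INPUT -p udp -s "$ip" --dport "$RTP_RANGE" -j ACCEPT
    done < "$ipfile"
    # Explicit final DROP so its packet counter shows what the policy catches.
    $IPT -A INPUT -j DROP
}

# count_peer_rules <ipfile>: how many per-peer ACCEPT rules would be added.
count_peer_rules() {
    emit_rules "$1" | grep -c -- '-p udp -s '
}

# Constructed sample IPFILE (stand-in for the provider and remote phones).
IPFILE="${TMPDIR:-/tmp}/asterisk-allow.$$"
cat > "$IPFILE" <<'EOF'
# VoIP provider and one remote phone (constructed addresses)
100.100.100.100
101.101.101.101
EOF

emit_rules "$IPFILE"
```

Inspect the printed rules first; a SIP provider that uses a different signalling port or media range needs those two variables changed before applying.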
