Solved

IPTABLES - Restrict ssh access

Posted on 2013-10-23
538 Views
Last Modified: 2013-10-25
I'm trying to restrict logging on to a Linux system via ssh using IPTABLES.

On the following CentOS site:

http://wiki.centos.org/HowTos/Network/SecuringSSH

I read that using the command below should do it:

iptables -A INPUT -p tcp -s x.x.x.x --dport 22 -j ACCEPT

that is, the above rule says allow SSH logins from IP address x.x.x.x (and presumably, from no other)

However, I am able to log in from a different IP no problem.

Here are my iptables settings (from /etc/sysconfig/iptables):

______________________________________________________________________________
# Generated by iptables-save v1.4.7 on Wed Oct 23 11:22:21 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [31:2596]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i em1 -j ACCEPT
-A INPUT -p tcp -s 69.17.129.174 -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited

[numerous rules which drop packets from specific IPs are removed - no point in listing these here]

-A INPUT -j LOG
-A FORWARD -j LOG
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Oct 23 11:22:21 2013
_____________________________________________________________________________________

If I do a listing (iptables -L) , I see the following:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  vps-1001071-386.stwadmin.net  anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  mail.maglin.com      anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ftp state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ftp-data state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:65535 dpts:1024:65535 state RELATED,ESTABLISHED
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

ETC

So this line from /etc/sysconfig/iptables

-A INPUT -p tcp -s 69.17.129.174 -m state --state NEW -m tcp --dport 22 -j ACCEPT

is supposed to allow access for SSH from only one IP (my assumption), and corresponds to this in the listing (iptables -L):

ACCEPT     tcp  --  mail.maglin.com      anywhere            state NEW tcp dpt:ssh

However, as I said, I can log in from a different IP no problem.

Thanks!
Question by:MaglinFurniture
10 Comments
Expert Comment

by:Duncan Roe
ID: 39595591
(and presumably, from no other)
Not true. In the absence of a specific rule, the policy for the chain applies. This is ACCEPT, according to your posted output. You can change the chain policy to DROP - see (the output from entering in a command window) man iptables. In particular:
-P, --policy chain target
Set the policy for the chain to the given target.  See the section TARGETS for the legal targets.  Only built-in (non-user-defined) chains can have policies, and neither built-in nor user-defined chains can be policy targets.

Author Comment

by:MaglinFurniture
ID: 39595944
@duncan_roe

I'm not sure I'd want to set the policy to DROP.

The machine is a web server machine.

There are two basic things I want:

Allow web access
Prevent access via ssh except for certain IPs (possibly more than one -- say 3)

To address your specific reply:

From the CentOS link above, my understanding is that

iptables -A INPUT -p tcp -s x.x.x.x --dport 22 -j ACCEPT

is a specific rule. I did try this rule, but it had no effect, or, the same effect.

Are you saying that if my default policy for INPUT was DROP instead of ACCEPT, then applying this rule:

iptables -A INPUT -p tcp -s  69.17.129.174 --dport 22 -j ACCEPT

or even:

-A INPUT -p tcp -s 69.17.129.174 -m state --state NEW -m tcp --dport 22 -j ACCEPT

I would achieve my goal for ssh?


IF SO, if the default policy is ACCEPT, what would the rule have to be to allow access from a specific IP address?
Expert Comment

by:Duncan Roe
ID: 39596528
If you want to let a few specified ssh addresses in and no others, stay with policy ACCEPT.

All you need do is

iptables -A INPUT -p tcp -s  69.17.129.174 --dport 22 -j ACCEPT
(other ips if any)
iptables -A INPUT -p tcp --dport 22 -j DROP

This will drop all other addresses attempting to use ssh.
Author Comment

by:MaglinFurniture
ID: 39597595
@duncan_roe

Hi

I tried this. Did not work.

Here is the current iptables -L:


Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  mail.maglin.com      anywhere            state NEW tcp dpt:ssh
DROP       tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ftp state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ftp-data state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:65535 dpts:1024:65535 state RELATED,ESTABLISHED
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
LOG        all  --  anywhere             anywhere            LOG level warning

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            LOG level warning
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp-data state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:65535 dpts:1024:65535 state RELATED,ESTABLISHED


Here is /etc/sysconfig/iptables:
_________________________________________________________________________________
# Generated by iptables-save v1.4.7 on Thu Oct 24 11:21:00 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [463:137552]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i em1 -j ACCEPT
-A INPUT -s 69.17.129.174/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -j LOG
-A FORWARD -j LOG
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Oct 24 11:21:00 2013
______________________________________________________________________________

Would the state information in this line

-A INPUT -s 69.17.129.174/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

cause the problem?

If not, what is wrong?

Thanks!
Author Comment

by:MaglinFurniture
ID: 39598848
@duncan_roe

I am working on another server, on which I have installed CentOS 6.4, and just finished configuring IPTABLES.

Bizarre, but adding the DROP line for SSH works fine on this machine!

Here is my current /etc/sysconfig/iptables (on the live machine):


# Generated by iptables-save v1.4.7 on Thu Oct 24 16:52:23 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [32:3688]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i em1 -j ACCEPT
-A INPUT -s 69.17.129.174/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -j LOG
-A FORWARD -j LOG
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Oct 24 16:52:23 2013


and iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  mail.maglin.com      anywhere            state NEW tcp dpt:ssh
DROP       tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ftp state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ftp-data state RELATED,ESTABLISHED
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
LOG        all  --  anywhere             anywhere            LOG level warning

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            LOG level warning
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp-data state ESTABLISHED


On the machine I just set up (or am setting up), here is /etc/sysconfig/iptables



# Generated by iptables-save v1.4.7 on Thu Oct 24 17:06:23 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [142:24957]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.86.66.167/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Oct 24 17:06:23 2013



and iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  10.86.66.167         anywhere            state NEW tcp dpt:ssh
DROP       tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


============================================

The machine I am setting up should have more recent versions of software on it -- I do a yum update when I install the OS.

Is it possible there is a 'bug' in the previous installation (for the live machine)?

In any case, I can't see what is causing the problem at this point.
Expert Comment

by:Duncan Roe
ID: 39598894
As an aside, could you please use this command for displaying your configuration in future:

{ set -x;for i in filter nat mangle raw;do iptables -t $i -n -v --line-numbers -L;done;set +x; } 2>&1|tee report.txt

and post report.txt. That's the format I'm most used to looking at.
On your system that lets in unwanted connections, it has to be a rule that precedes the new DROP rule that's letting them in. You might well see which rule it is from the output of the suggested command, in the packet count. Otherwise, what is interface em1?
Author Comment

by:MaglinFurniture
ID: 39599175
@duncan_roe

See attached: report.txt

em1 is the NIC on the machine that connects it to the Internet.

Not sure the command is providing all the info, but please take a look.

Thanks!
Accepted Solution

by: Duncan Roe (earned 500 total points)
ID: 39600388
The em1 rule is accepting everything from the Internet. Move it after the ssh DROP rule at least.
Really the rules are a bit of a mess. Rule 11 can never be reached because of rule 10, for instance. Table filter chain FORWARD rules are superfluous because you have no rules in table nat. The OUTPUT rules in table filter are likewise superfluous because the chain has policy ACCEPT already.

I think it would pay you to take some time to understand report.txt. It's telling you a lot.
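As an added illustration of the rule-ordering point in the accepted answer (this is not code from the thread or from iptables itself), the following Python simulator applies iptables first-match semantics to the INPUT chain posted above; the address 69.17.129.174 and the interface name em1 come from the thread, while the stray source 203.0.113.5 is a constructed documentation address.

```python
# Added example, not code from the thread: a minimal first-match simulator for an
# iptables INPUT chain, showing why "-i em1 -j ACCEPT" above the port-22 DROP
# admits SSH from any address, and why moving it below the DROP fixes that.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    target: str                     # ACCEPT, DROP or REJECT
    proto: Optional[str] = None     # -p;       None matches any protocol
    src: Optional[str] = None       # -s;       None matches any source
    in_if: Optional[str] = None     # -i;       None matches any interface
    dport: Optional[int] = None     # --dport;  None matches any port
    states: Optional[set] = None    # --state;  None matches any conntrack state

def matches(rule: Rule, pkt: dict) -> bool:
    """True when every criterion the rule specifies agrees with the packet."""
    return ((rule.proto is None or rule.proto == pkt["proto"])
            and (rule.src is None or rule.src == pkt["src"])
            and (rule.in_if is None or rule.in_if == pkt["in_if"])
            and (rule.dport is None or rule.dport == pkt["dport"])
            and (rule.states is None or pkt["state"] in rule.states))

def verdict(chain: list, pkt: dict, policy: str = "ACCEPT") -> tuple:
    """Walk the chain top to bottom; the first matching rule decides, as in
    iptables. Returns (target, 1-based rule number), or (policy, None)."""
    for n, rule in enumerate(chain, 1):
        if matches(rule, pkt):
            return rule.target, n
    return policy, None

# The INPUT chain from the thread's second iptables-save, abridged to the rules
# that matter for SSH (the address and the interface name em1 are the thread's).
POSTED = [
    Rule("ACCEPT", states={"RELATED", "ESTABLISHED"}),
    Rule("ACCEPT", proto="icmp"),
    Rule("ACCEPT", in_if="lo"),
    Rule("ACCEPT", in_if="em1"),                  # accepts ALL traffic on em1
    Rule("ACCEPT", proto="tcp", src="69.17.129.174", dport=22, states={"NEW"}),
    Rule("DROP", proto="tcp", dport=22),          # unreachable for em1 packets
    Rule("ACCEPT", proto="tcp", dport=80, states={"NEW"}),
    Rule("REJECT"),
]
# Same rules with the em1 ACCEPT moved below the SSH DROP, as the answer advises.
FIXED = POSTED[:3] + POSTED[4:6] + [POSTED[3]] + POSTED[6:]

# Constructed packet: a new SSH connection arriving on em1 from an address that
# is not on the allow list (203.0.113.5 is a documentation address).
STRAY_SSH = {"proto": "tcp", "src": "203.0.113.5", "in_if": "em1",
             "dport": 22, "state": "NEW"}
```

With the posted order, verdict(POSTED, STRAY_SSH) stops at rule 4 (the em1 ACCEPT); with the em1 rule moved below the DROP, the same packet is dropped at rule 5 while the listed address and port 80 are still accepted.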
Author Closing Comment

by:MaglinFurniture
ID: 39601283
@duncan_roe

I've made adjustments per your reply and it looks to be working fine now.

If you have any recommendations on information resources for learning more, so that I will understand report.txt much better, I would appreciate it.

Thanks very much for your assistance with this.
Expert Comment

by:Duncan Roe
ID: 39602076
All I can suggest is that you [re-]read the iptables man page. That will tell you what output to expect, given the options passed to the iptables command.