Linux : Iptables # 4 Block all incoming traffic but a... http://www.cyberciti.biz/tips/linux-iptables-4-block-al...

Home
About
Forum
Howtos & FAQs
Shell Scripts
Tutorials
RSS Subscribe

nixcraft - insight into linux admin work

Home > Iptables

Linux : Iptables # 4 Block all incoming

traffic but allow ssh
by LinuxTitli · 10 comments

Bandwidth Monitoring
Tool
Monitor Bandwidth &
Network Traffic Reports,
Alerts, Email, SNMP
Traps
www.ManageEngine.com/NetFlow
This is very common scenario which permit access to a remote
machine only by SSH. You would like to block all incoming traffic
to your system except ssh connection. Here is simple ruleset to
do this (do not enter them immediately).
Add following rules to your iptables shell script:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

First rule will accept incoming (INPUT) tcp connection on port 22 (ssh server) and
second rule will send response of incoming ssh server to client (OUTPUT) from our ssh
server source port 22.

However, iptables with kernel 2.4/2.6 provides very powerful facility to filter rule
based upon different connection states such as established or new connection etc. Here
is complete small script to do this task:

#!/bin/sh
# My system IP/set ip address of server
SERVER_IP="65.55.12.13"
# Flushing all rules
iptables -F
iptables -X
# Setting default filter policy
iptables -P INPUT DROP

1 of 8 12/05/2009 10:37 PM
Linux : Iptables # 4 Block all incoming traffic but a... http://www.cyberciti.biz/tips/linux-iptables-4-block-al...

iptables -P OUTPUT DROP

iptables -P FORWARD DROP
# Allow unlimited traffic on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow incoming ssh only
iptables -A INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED
-j ACCEPT
iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j
ACCEPT
# make sure nothing comes or goes out of this box
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP

This script is purely strict firewall. It only allows incoming ssh. No other incoming
service or ping request or no outgoing service or request allowed. Incoming ssh
connection can be either new or already established one and that is what specified by
state rule '-m state --state NEW,ESTABLISHED'. Outgoing ssh connection state can be
established only. By default this script allows everyone to ssh in by rule -s 0/0. If you
want this access limited by IP or network address then replace -s 0/0 with IP address.
For example allow incoming ssh from IP 202.54.1.20:

# Allow incoming ssh only from IP 202.54.1.20

iptables -A INPUT -p tcp -s 202.54.1.20 -d $SERVER_IP --sport 513:65535 --dport 22 -m state --state
NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s $SERVER_IP -d 202.54.1.20 --sport 22 --dport 513:65535 -m state --state
ESTABLISHED -j ACCEPT

Featured Articles:

20 Linux System Monitoring Tools Every SysAdmin Should Know

20 Linux Server Hardening Security Tips
My 10 UNIX Command Line Mistakes
Top 5 Email Client For Linux, Mac OS X, and Windows Users
Top 20 OpenSSH Server Best Security Practices
Top 10 Open Source Web-Based Project Management Software
Top 5 Linux Video Editor Software

Please help us improve nixCraft and take our survey.

Want to read Linux tips and tricks, but don't have time to check our blog everyday?
Subscribe to our daily email newsletter to make sure you don't miss a single
tip/tricks. Subscribe to our weekly newsletter here!
you@address.com Subscribe

Email this to a friend

Download PDF version
Printable version
Comment RSS feed

2 of 8 12/05/2009 10:37 PM
Linux : Iptables # 4 Block all incoming traffic but a... http://www.cyberciti.biz/tips/linux-iptables-4-block-al...

Last Updated: Nov/22/2006

{ 10 comments… read them below or add one }

1 Anonymous 06.22.05 at 7:30 pm

How about opening outgoing ssh? I tried the rule to reverse it but not working. i
mean i need to ssh in on dsl box as well as ssh out!

2 Anonymous 06.22.05 at 8:23 pm

Try

iptables -A OUTPUT -p tcp -d $SERVER_IP -s 0/0 –dport 22 –sport 513:65535 -m

state –state ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp -d 0/0 -s $SERVER_IP –dport 513:65535 –sport 22 -m

state –state NEW,ESTABLISHED -j ACCEPT

3 Vivek Gite 06.23.05 at 12:11 am

Following are correct two rules:

iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 –sport 513:65535 –dport 22 -m

state –state NEW,ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp -s 0/0 -d $SERVER_IP –sport 22 –dport 513:65535 -m

state –state ESTABLISHED -j ACCEPT

Appreciate your post.

3 of 8 12/05/2009 10:37 PM
Linux : Iptables # 4 Block all incoming traffic but a... http://www.cyberciti.biz/tips/linux-iptables-4-block-al...

4 Questy 11.19.06 at 12:54 am

If you have specified a default deny policy;

iptables -P INPUT DROP

iptables -P OUTPUT DROP
iptables -P FORWARD DROP

then why do you need the bottom two lines?

iptables -A INPUT -j DROP

iptables -A OUTPUT -j DROP

Thanks.

5 pbhj 11.22.06 at 11:55 am

You have some funky characters on this page double “-” is being replaced by an
mdash or something … this causes a copy and paste of the rules to fail (at least on
my console)

you have ” �sport”, there should be two characters before sport, with extra
spaces this should be ” – - s p o r t”

Cheers

6 nixcraft 11.22.06 at 2:12 pm

pbhj,

I have migrated from blogger.com publishing to wordpress so there are some

problems. I had fixed the same.

Appreciate your post.

7 nand 08.22.07 at 5:38 am

Hi,
I want to configured the firewall but there is a 5 server on wan & also at lan.
How I connect this all m/c through firewall for wan for ssh service.
or which reule I inser for ssh_key.

Nand

4 of 8 12/05/2009 10:37 PM
Linux : Iptables # 4 Block all incoming traffic but a... http://www.cyberciti.biz/tips/linux-iptables-4-block-al...

8 Sigh 12.06.07 at 11:38 pm

I tried the script on my linux box and it locked me out of SSH access totally. Use
with caution.

9 Nikoj 02.03.08 at 6:06 pm

Hi,
I have a router wrt54gl with openwrt(kernel 2.4.x) and I can’t seem to block other
lan users.
router ip is 10.77.77.1 / netmask 255.255.255.0
squid server is 10.77.77.228 3128 port
iptables -F
iptables -Z
iptables -X
iptables -t nat -F
iptables -t nat -Z
iptables -t nat -X
iptables -A INPUT -s 10.77.77.228 -j ACCEPT
iptables -A INPUT -d 10.77.77.228 -j ACCEPT
iptables -A OUTPUT -s 10.77.77.1 -j ACCEPT
iptables -A OUTPUT -d 10.77.77.228 -j ACCEPT
iptables -A INPUT -s 10.77.77.1/24 -d 10.77.77.1 -j ACCEPT
iptables -A INPUT -s 10.77.77.1/24 -d 10.77.77.228 -p tcp –dport 3128 -j ACCEPT
iptables -A OUTPUT -d 10.77.77.1/24 -s 10.77.77.1 -j ACCEPT
iptables -A INPUT -p udp –sport 67:68 –dport 67:68 -j ACCEPT
iptables -A OUTPUT -p udp –sport 67:68 –dport 67:68 -j ACCEPT
iptables -A INPUT -p udp –dport 53 -j ACCEPT
iptables -A OUTPUT -p udp –dport 53 -j ACCEPT
iptables -A INPUT -p tcp –dport 80 -j ACCEPT
iptables -A INPUT -p tcp –dport 3128 -j ACCEPT
iptables -A OUTPUT -p tcp –dport 3128 -d 10.77.77.228 -j ACCEPT
iptables -A OUTPUT -p tcp –dport 80 -d ! 10.77.77.228 -j DROP
iptables -A OUTPUT -p tcp –dport 3128 -d ! 10.77.77.228 -j DROP
#this one redirect port 80 to 3128 squid server
iptables -t nat -A PREROUTING -s ! 10.77.77.228 -p tcp –dport 80 -j DNAT –to
10.77.77.228:3128
iptables -t nat -A POSTROUTING -s 10.77.77.1/24 -d 10.77.77.228 -j
MASQUERAD
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP

I just want to allow 10.77.77.228, and all others to be blocked for all protocols, all
ports except 80 port tcp, 53 udp(dns), 67,68 udp(dhcp). The above rules don’t
work. I am still able to ping,ftp or p2p from any host from the lan.

5 of 8 12/05/2009 10:37 PM
Linux : Iptables # 4 Block all incoming traffic but a... http://www.cyberciti.biz/tips/linux-iptables-4-block-al...

10 dumbfounder 06.18.08 at 12:40 am

I would like to propose an alternative howto that I know that I would benefit from,
probably many others too. I have several dedicated servers at a provider that
charges $100/month for a firewall for EACH SERVER. This is like 1/3 to 1/2 the
cost of each server. All I want is one machine reachable from the net at large to
serve as my ssh entrance, and my web server load balancer. So I want to cut off all
the other machines from inbound connections from the net. So they need to be
able to accept connections on the internal subnet to get load balanced to. But
they also need to be able to get out to the real world to download the occasional
item, and also hit REST apis of various types. Maybe other stuff. I would think this
is fairly typical, but I bet a lot of people shell out the ducats for the firewall
service. Ouch, I says.

So basically I want to say:

allow only inbound connections on subnet X

That’s it.

fyi, I am a security idiot. Maybe that was apparent by my question.

thanks

dumbfounder

Leave a Comment

Name *

E-mail *

You can use these HTML tags and attributes: <a href="" title=""> <abbr title="">
<acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime="">
<em> <i> <q cite=""> <strike> <strong>

Notify me of followup comments via e-mail.

Submit

Previous post: Linux wget your ultimate command line downloader

6 of 8 12/05/2009 10:37 PM
Linux : Iptables # 4 Block all incoming traffic but a... http://www.cyberciti.biz/tips/linux-iptables-4-block-al...

Next post: Linux : How to delete file securely

Sign up for our daily email newsletter:

you@address.com Sign up

Search

Related Posts

Linux Iptables block all network traffic

Linux Iptables block incoming access to selected or specific ip address
How to: Linux Iptables block common attacks
Select category

Sponsored Links

Unified Communications:
Thoughts, Strategies and Predictions Join the discussion.

7 of 8 12/05/2009 10:37 PM
Linux : Iptables # 4 Block all incoming traffic but a... http://www.cyberciti.biz/tips/linux-iptables-4-block-al...

www.seamlessenterprise.com
IP Convergence
Integrate your wireless and wireline networks.
Learn how from the experts at Sprint.
www.seamlessenterprise.com
Wireless & Wireline Integration
Thoughts, strategies and solutions: join the discussion
www.seamlessenterprise.com
Unified Communications 2009
Join the Discussion. Now.
www.seamlessenterprise.com
See your text ad here
Follow us on

©2004-2009 nixCraft. All rights reserved | Privacy Policy | Terms of Service

Advertise | Questions or Comments | Sitemap

8 of 8 12/05/2009 10:37 PM