Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
# (1) Policies (default)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# (2) User-Defined chain for ACCEPTed TCP packets
iptables -N okay
iptables -A okay -p TCP --syn -j ACCEPT
iptables -A okay -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A okay -p TCP -j DROP
# (3) INPUT chain rules
# Rules for incoming packets from the LAN
iptables -A INPUT -p ALL -i eth0 -s 126.96.36.199/8 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 188.8.131.52 -j ACCEPT
# Packets for established connections
iptables -A INPUT -p ALL -d 184.108.40.206 -m state --state ESTABLISHED,RELATED -j ACCEPT
# (4) OUTPUT chain rules
# Only output packets with local addresses (no spoofing)
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 220.127.116.11 -j ACCEPT
iptables -A OUTPUT -p ALL -s 18.104.22.168 -j ACCEPT
Currently I am using tcpwrappers to deny access to ssh. Only specified ip addresses are allowed to use the ssh service. I'd like to allow specific ip addresses through the firewall only.
What do I have to change to allow only specified ip addresses to access port 22?
Also, and this may be better in a new thread, I would like to be notified of failed attempts. I know you can log iptables but I find the tutorials tough to follow.
Last edited by Crashed_Again; 03-20-2003 at 04:32 PM.
>What do I have to change to allow only specified ip addresses to access port 22?
If the ip addresses you want to accept are in an ip block together (like 123.456.789.001 and 123.456.789.100) it is easy to do.
where the number following the slash tells it how many numbers of the ip address to check. Here's the catch though, it's in octets, so if you want all:
123.XXX.XXX.XXX you would use /8
123.456.XXX.XXX you would use /16
123.456.789.XXX you would use /24
123.456.789.001 you would use ? yes /32
If you have a bunch of varied ips, stick with hosts.allow.
BTW, those iptables rules look funny. Especially the "-j okay" target. Did you make a user defined target or should that be -j ACCEPT?
To do logging, make a rule and use the -j LOG target. BUT, if you do logging via iptables you open yourself up to DOS attacks. For example if I syn flood you and you happen to be logging that request, you're in trouble. So it's a two-edged sword.
You're completely right, but the problem you run into is that you have to write an iptables rule for each one if they're not in the same subnet. So if you want to allow 15 different ip addresses, it can get to be a pain writing out all the rules. See my point. That's why I would use hosts.allow/deny to accomplish it. But it would work completely if you wanted to write out iptables rules for all of them. You could just put them one after another in your script like
iptables .......... -s 124.545.457.432 -j ACCEPT
iptables .......... -s 643.236.765.335 -j ACCEPT
I agree with you that it would be nice if you could import a list of allowed addresses using something like a pointer in a single iptables rule, but I've never seen that done. If you can figure out a way to do that, I sure as hell would like to know!
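A way to do both things discussed in the last two posts (one ACCEPT rule per listed address on port 22, then logging of whatever falls through) as an added example, not something posted in this thread: it reads the allowed addresses from a list so you don't hand-write each rule, and rate-limits the LOG rule with -m limit so a flood can't fill the log. The addresses are constructed samples, and IPTABLES defaults to "echo iptables" for a dry run; set IPTABLES=iptables and run as root to apply.

```shell
#!/bin/sh
# Added example (not from the thread): allow SSH only from a list of
# addresses, then log and drop everything else on port 22.
# Dry run by default: prints the commands instead of running them.
IPTABLES="${IPTABLES:-echo iptables}"

# Constructed sample list: one address or CIDR block per line,
# '#' starts a comment. /24 = first three octets, /16 = first two.
SSH_ALLOW_LIST='
# constructed sample addresses (hypothetical)
192.0.2.10
192.0.2.0/24
198.51.100.0/16   # /16: first two octets must match
'

# Emit one rule per listed address. Anything not listed falls through
# to the rules below and finally to the chain policy (DROP).
ssh_allow_rules() {
    printf '%s\n' "$SSH_ALLOW_LIST" | sed 's/#.*//' | while read -r addr; do
        [ -n "$addr" ] || continue
        $IPTABLES -A INPUT -p tcp --dport 22 -s "$addr" \
            -m state --state NEW -j ACCEPT
    done
}

# Log refused SSH attempts, rate-limited so a SYN flood cannot grow the
# log without bound (the DoS concern raised above), then drop explicitly.
ssh_log_rules() {
    $IPTABLES -A INPUT -p tcp --dport 22 \
        -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "SSH-REFUSED: " --log-level 4
    $IPTABLES -A INPUT -p tcp --dport 22 -j DROP
}

ssh_allow_rules
ssh_log_rules
```

The logged lines show up in the kernel log (dmesg or /var/log/messages, depending on syslog setup) with the SSH-REFUSED: prefix, which is what you would grep for to be notified of failed attempts.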
hehe I can tell you I surely will not figure out how to do that. My concentration in College was in programming and I find writing iptables scripts one of the hardest things I've ever done. I think I just have a mental block with them.
One more question and I won't bug you anymore. So if I use the:
Any ip address which doesn't match the ones you specify will fall through the rules until they hit the default INPUT policy. Which in your case is DROP, so they won't get anything when they try and connect.
If you just need to allow a couple of addresses, you can do this no problem.
>I think I just have a mental block with them
You're not the only one, I feel like my head is going to pop when I'm trying to think through them.