LinuxQuestions.org - Linux - Newbie
about iptables (https://www.linuxquestions.org/questions/linux-newbie-8/about-iptables-4175492230/)

byran cheung 01-22-2014 10:08 PM

about iptables
 
I used the iptables command below to apply a rule. I would like to allow only 192.168.2.2 to access my server, but after applying it, it still does not work.


#iptables -A INPUT -s 192.168.2.2 -j ACCEPT

#iptables -L

ACCEPT all -- 192.168.2.2 anywhere

I tried the command below; after using it, all rules were removed.
#iptables --flush

Could you advise how I can apply the rule? What is wrong in my first command? Thanks.

divyashree 01-22-2014 10:46 PM

Be specific when creating rules in iptables. You are missing the destination server (-d), i.e. your server; the network interface (-i), i.e. eth0 or any; the port (--dport), i.e. the port number; and the protocol (-p), i.e. tcp/udp.

And after creating the rule, have you saved and restarted iptables?

SAbhi 01-22-2014 10:50 PM

Another thing that is recommended by default is to drop everything and then allow specific IPs explicitly. If that had been done, what happened would never have happened.

byran cheung 01-26-2014 08:23 PM

Quote:

Originally Posted by divyashree (Post 5103371)
Be specific when creating rules in iptables. You are missing the destination server (-d), i.e. your server; the network interface (-i), i.e. eth0 or any; the port (--dport), i.e. the port number; and the protocol (-p), i.e. tcp/udp.

And after creating the rule, have you saved and restarted iptables?

Thanks for the reply,

What I would like is just to accept 192.168.2.2 (any service, port, eth0, eth1, ...) to access the server. Do I still need -d, eth0, --dport, -p?

I have run the command iptables -A INPUT -s 192.168.2.2 -j ACCEPT, but other IPs, e.g. 192.168.2.3, can still access the server. What is the possible cause of it? Thanks.

yech 01-27-2014 03:31 AM

You should use

iptables -P INPUT DROP

to set the default policy for the INPUT chain first.

byran cheung 01-28-2014 02:50 AM

Thanks for the reply,

Do I need to apply/save the setting after running the ipchain command? Thanks.

I also checked on Google; it suggests adding "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" at the end of the commands, as below. Could you advise whether it is necessary to do that? Thanks.

iptables -A INPUT -s 192.168.2.2/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

SAbhi 01-28-2014 02:53 AM

Every time you make a change, you need to save the changes.

Ser Olmy 01-28-2014 03:54 AM

Quote:

Originally Posted by byran cheung (Post 5106616)
I also checked on Google; it suggests adding "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" at the end of the commands, as below. Could you advise whether it is necessary to do that?

Yes, that is a good idea.

The second you change the policy of the INPUT chain to "DROP", all traffic not explicitly allowed is blocked. This includes responses to outbound requests (like web pages you're trying to view) and all sorts of internal communication between system services over the loopback interface.

For that reason, you should start by adding two rules allowing this traffic. The loopback interface is easy, the "-i lo" match will do. For replies and such, the iptables state mechanism can be used in the way you suggested:
Code:

iptables -F
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Remember that the "-A" switch adds a rule at the bottom of the chain. If a rule further up the chain conflicts with the one you just added, your rule gets ignored.

To insert rules somewhere in the chain, either flush the chain and re-add everything from the top down, or use the "-I <number>" switch instead of "-A", <number> being a number indicating the position in the chain where you want to insert the new rule.

The iptables ruleset exists in kernel memory, and all rules are lost when you power off the system. Some distributions will automatically save the ruleset to a file during shutdown and reapply the saved rules at bootup. Others store the rules in a file but require the user to manually save after making changes. You need to check the documentation for your distribution to see how it handles firewall rules.

You can always save the rules to a file with "iptables-save > somefile" and restore them later with "iptables-restore < somefile".

byran cheung 01-28-2014 08:45 PM

Thanks for the reply,

I still cannot set it; thanks for the help.

I have added "iptables -A INPUT -s 192.168.2.2 -j ACCEPT" and then tried, but found that all IPs can access the server. Then I added "iptables -P INPUT DROP" and found that all IPs cannot access the server, and I cannot use "iptables -L -v" to check the iptables setting. Would you advise what I need to do if I just would like to allow 192.168.2.2 to access the server? Thanks.

Ser Olmy 01-28-2014 09:15 PM

If you want to block access to the server from any IP address except 192.168.2.2, there are two ways to do that. You could allow 192.168.2.2 and explicitly deny all other incoming traffic:
Code:

iptables -F
iptables -P INPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 192.168.2.2 -j ACCEPT
iptables -A INPUT -j DROP

Or you could allow 192.168.2.2 and let a DROP policy take care of everything else:
Code:

iptables -F
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 192.168.2.2 -j ACCEPT

Note that in both cases the ruleset is flushed first with iptables -F, then the relevant rules are added. Simply adding rules to an existing ruleset is not likely to work, as the traffic you want to allow or block may match an existing rule further up the chain.

Allowing ESTABLISHED and RELATED traffic means replies to outgoing traffic are still allowed. It also means existing connections won't be affected by these rules, so if you have, say, an active SSH connection from a system other than 192.168.2.2, these rules will not sever that connection. New connections will be blocked, though.

And as I mentioned earlier, make sure you always allow incoming traffic to the "lo" interface. Only processes on the system itself can send packets to this interface, and blocking it will break all sorts of internal communication.

byran cheung 01-29-2014 12:16 AM

Quote:

Originally Posted by Ser Olmy (Post 5107136)
If you want to block access to the server from any IP address except 192.168.2.2, there are two ways to do that. You could allow 192.168.2.2 and explicitly deny all other incoming traffic:
Code:

iptables -F
iptables -P INPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 192.168.2.2 -j ACCEPT
iptables -A INPUT -j DROP

Or you could allow 192.168.2.2 and let a DROP policy take care of everything else:
Code:

iptables -F
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 192.168.2.2 -j ACCEPT

Note that in both cases the ruleset is flushed first with iptables -F, then the relevant rules are added. Simply adding rules to an existing ruleset is not likely to work, as the traffic you want to allow or block may match an existing rule further up the chain.

Allowing ESTABLISHED and RELATED traffic means replies to outgoing traffic are still allowed. It also means existing connections won't be affected by these rules, so if you have, say, an active SSH connection from a system other than 192.168.2.2, these rules will not sever that connection. New connections will be blocked, though.

And as I mentioned earlier, make sure you always allow incoming traffic to the "lo" interface. Only processes on the system itself can send packets to this interface, and blocking it will break all sorts of internal communication.

Thanks for the reply,

Once I run the command "iptables -P INPUT DROP", it denies ALL server access immediately. Would you advise whether the sequence of issuing the commands should be changed? Thanks.

Ser Olmy 01-29-2014 12:22 AM

Quote:

Originally Posted by byran cheung (Post 5107217)
Thanks for the reply,

Once I run the command "iptables -P INPUT DROP", it denies ALL server access immediately. Would you advise whether the sequence of issuing the commands should be changed? Thanks.

Then set the policy last, after you've created the entire ruleset.

Why is it a problem that connections are temporarily blocked? Are you trying to do this over a remote connection of some kind? If so, you could just put all the iptables commands in a script and run it.
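Added example, not part of the thread: the "flush, then add the lo and ESTABLISHED,RELATED rules, then the host rule, with a DROP policy" ruleset from Ser Olmy's earlier post, written as a script of the kind suggested above. Instead of issuing the commands one at a time (where "iptables -P INPUT DROP" bites as soon as it runs), the whole filter table is loaded in one iptables-restore transaction, and the previous ruleset is saved and restored automatically after a delay unless the operator confirms the new one. The allowed host 192.168.2.2 is the thread's; the backup path, the rollback delay and the "show"/"apply" arguments are choices made here, and FORWARD/OUTPUT are left at ACCEPT as in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): build the "allow one host, DROP policy"
# ruleset in iptables-restore format and apply it atomically, with an
# automatic rollback so a mistake made over SSH does not lock you out.
# Assumed: the allowed host is 192.168.2.2 (from the thread); BACKUP and
# ROLLBACK_SECS are choices made for this example.
set -eu

ALLOWED_HOST="${ALLOWED_HOST:-192.168.2.2}"
BACKUP="${BACKUP:-/root/iptables.before-allowlist}"
ROLLBACK_SECS="${ROLLBACK_SECS:-60}"

# Emit the filter table as one iptables-restore block. iptables-restore
# replaces the table in a single operation, so the DROP policy and the
# ACCEPT rules take effect together: there is no window in which the policy
# is DROP but the lo / ESTABLISHED,RELATED rules are not yet present.
# (Heredoc body is at column 0 so it is emitted exactly as written.)
build_ruleset() {
    host="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s ${host} -j ACCEPT
COMMIT
EOF
}

# Apply with a safety net: save the running rules, syntax-check the new
# ruleset, load it, then schedule a restore of the saved rules. If the new
# rules are good, kill the timer; if you locked yourself out, wait.
# Requires root and a working iptables.
apply_ruleset() {
    iptables-save > "$BACKUP"
    build_ruleset "$ALLOWED_HOST" | iptables-restore --test   # parse only, do not commit
    build_ruleset "$ALLOWED_HOST" | iptables-restore
    ( sleep "$ROLLBACK_SECS" && iptables-restore < "$BACKUP" ) &
    echo "applied; rollback in ${ROLLBACK_SECS}s unless you run: kill $!"
}

case "${1:-}" in
    show)  build_ruleset "$ALLOWED_HOST" ;;
    apply) apply_ruleset ;;
esac
```

Run it as "sh allowlist.sh show" to print the ruleset, and as root "sh allowlist.sh apply" to load it; after confirming you can still reach the server from 192.168.2.2, kill the printed PID so the backup is not restored. The saved file is also what iptables-restore needs at boot on distributions that do not save rules for you.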

byran cheung 01-29-2014 01:57 AM

Thanks for the reply,

I added "iptables -P INPUT DROP". If I would like to remove this specific policy (I tried iptables -D INPUT DROP but it does not work; iptables -F will remove all policies), what can I do? Thanks.

Ser Olmy 01-29-2014 02:10 AM

You don't "remove" a policy as such; it is either "ACCEPT" or "DROP". In other words, the command iptables -P INPUT ACCEPT is what you're looking for.

byran cheung 01-29-2014 02:26 AM

Quote:

Originally Posted by Ser Olmy (Post 5107277)
You don't "remove" a policy as such; it is either "ACCEPT" or "DROP". In other words, the command iptables -P INPUT ACCEPT is what you're looking for.

Thanks for the reply,

What I mean is that I have added the policy "iptables -A INPUT -j DROP", but I would just like to remove this policy. Would you advise what I can do? Thanks.
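Added example, not part of the thread: removing one rule such as the "-A INPUT -j DROP" rule asked about above, without flushing the chain. "iptables -D INPUT DROP" fails because DROP alone is not a rule specification; "-D" needs either the full specification used at "-A" time ("iptables -D INPUT -j DROP") or the rule's position in the chain, which "iptables -S INPUT" (or "iptables -L INPUT --line-numbers") shows. The helper below finds that position from "iptables -S" output and deletes by number. The sample listing is constructed for this example; the chain name and pattern are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): remove one specific rule from a chain
# by number, found from "iptables -S <chain>" output, instead of flushing.
# Assumed: chain INPUT and the rule that was added with "iptables -A INPUT
# -j DROP"; SAMPLE_LISTING is constructed, not captured from a real host.
set -eu

# Constructed sample of "iptables -S INPUT" for the ruleset built earlier in
# the thread (iptables prints a bare address as /32 and the state list in
# its own order).
SAMPLE_LISTING='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.2.2/32 -j ACCEPT
-A INPUT -j DROP'

# Read "iptables -S <chain>" output on stdin and print the 1-based position
# of the first rule (an "-A" line; the "-P" policy line is not a rule)
# matching the extended regex in $1. Prints nothing if no rule matches.
rule_number() {
    awk -v pat="$1" '/^-A / { n++; if ($0 ~ pat) { print n; exit } }'
}

# Delete the first rule in chain $1 matching $2, by number. Deleting by
# number avoids retyping the spec, which "-D" only matches when every match
# and target is identical to the one given at "-A" time. Requires root.
delete_rule() {
    chain="$1"; pattern="$2"
    n="$(iptables -S "$chain" | rule_number "$pattern")"
    if [ -z "$n" ]; then
        echo "no rule in $chain matches '$pattern'" >&2
        return 1
    fi
    iptables -D "$chain" "$n"
}

case "${1:-}" in
    demo)   printf '%s\n' "$SAMPLE_LISTING" | rule_number '-j DROP$' ;;   # prints 4
    delete) delete_rule INPUT '-j DROP$' ;;
esac
```

Note the distinction the thread turns on: a rule added with "-A" is removed with "-D", while the chain policy set with "-P INPUT DROP" is not a rule at all and is only changed by setting it again, e.g. "iptables -P INPUT ACCEPT". Check the result with "iptables -S INPUT" before trusting it, and save the rules afterwards as described earlier in the thread.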
