LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 08-26-2009, 02:35 AM   #1
dlugasx
Member
 
Registered: Dec 2008
Location: Germany/Poland
Distribution: CentOS / Debian / Solaris / RedHat
Posts: 266

Rep: Reputation: 19
allow ssh access only from specified IP - iptables


Hi all,

How to create an iptables rule which will accept ssh connections only from specified IPs, and the rest of the connections will simply be dropped?


dlugasx
 
Old 08-26-2009, 02:46 AM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by dlugasx View Post
How to create an iptables rule which will accept ssh connections only from specified IPs, and the rest of the connections will simply be dropped?
One way to do it (example):
Code:
iptables -N GOOD_IPS

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p TCP --dport 22 -m state --state NEW -j GOOD_IPS
iptables -A INPUT -p TCP --dport 22 -m state --state NEW -j DROP

iptables -A GOOD_IPS -s 122.45.32.56 -j ACCEPT
iptables -A GOOD_IPS -s 232.28.25.86 -j ACCEPT
iptables -A GOOD_IPS -s 45.33.86.233 -j ACCEPT
iptables -A GOOD_IPS -s 68.47.132.24 -j ACCEPT
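As an added example (not code from the thread), the script below turns the GOOD_IPS approach above into a generated iptables-restore ruleset, syntax-checking every whitelisted source before it is written. The sample addresses and helper names are constructed for illustration; the ruleset declares the whole filter table, so merge it with any existing rules before loading it.

```shell
#!/bin/sh
# Added example, not code from the thread: emit the GOOD_IPS whitelist from
# post #2 as a complete iptables-restore ruleset for the filter table. Generating
# the ruleset lets you review it and run `iptables-restore --test` on it before
# applying it atomically, instead of typing rules one at a time.
set -eu

# Constructed sample whitelist (documentation ranges): one address or CIDR each.
ALLOWED_SSH_SOURCES="192.0.2.10 198.51.100.0/24"

emit() { printf '%s\n' "$1"; }

# Syntax check only: dotted quad with an optional /prefix. It does not
# range-check octets; the kernel rejects those when the rules are loaded.
valid_ipv4_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Print the filter-table ruleset for the given space-separated sources.
# Returns 1 on a malformed entry so a typo cannot silently produce a
# ruleset that locks you out or leaves port 22 open to everyone.
build_ssh_ruleset() {
    emit '*filter'
    emit ':INPUT ACCEPT [0:0]'
    emit ':FORWARD ACCEPT [0:0]'
    emit ':OUTPUT ACCEPT [0:0]'
    emit ':GOOD_IPS - [0:0]'
    emit '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    emit '-A INPUT -p tcp --dport 22 -m state --state NEW -j GOOD_IPS'
    emit '-A INPUT -p tcp --dport 22 -m state --state NEW -j DROP'
    for src in $1; do
        if ! valid_ipv4_cidr "$src"; then
            echo "invalid source address: $src" >&2
            return 1
        fi
        emit "-A GOOD_IPS -s $src -j ACCEPT"
    done
    emit 'COMMIT'
}

# Count the ACCEPT rules in GOOD_IPS of a ruleset read on stdin (0 if none).
count_good_ips() {
    grep -c '^-A GOOD_IPS ' || true
}

# Typical use (as root): build_ssh_ruleset "$ALLOWED_SSH_SOURCES" | iptables-restore --test
```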
 
Old 08-26-2009, 02:51 AM   #3
dlugasx
Member
 
Registered: Dec 2008
Location: Germany/Poland
Distribution: CentOS / Debian / Solaris / RedHat
Posts: 266

Original Poster
Rep: Reputation: 19
Quote:
Originally Posted by win32sux View Post
One way to do it (example):
Code:
iptables -N GOOD_IPS

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p TCP --dport 22 -m state --state NEW -j GOOD_IPS
iptables -A INPUT -p TCP --dport 22 -m state --state NEW -j DROP

iptables -A GOOD_IPS -s 122.45.32.56 -j ACCEPT
iptables -A GOOD_IPS -s 232.28.25.86 -j ACCEPT
iptables -A GOOD_IPS -s 45.33.86.233 -j ACCEPT
iptables -A GOOD_IPS -s 68.47.132.24 -j ACCEPT


Quote:
iptables -N GOOD_IPS
I don't understand this. What does GOOD_IPS mean? Should I put some IPs in this line instead of GOOD_IPS?
 
Old 08-26-2009, 02:55 AM   #4
colucix
LQ Guru
 
Registered: Sep 2003
Location: Bologna
Distribution: CentOS 6.5 OpenSuSE 12.3
Posts: 10,509

Rep: Reputation: 1983
Quote:
Originally Posted by dlugasx View Post
I don't understand this. What does GOOD_IPS mean? Should I put some IPs in this line instead of GOOD_IPS?
Nope. GOOD_IPS in this example is a user-defined chain. You add the good IPs with the last 4 statements. Bear in mind that the -j (jump) option of iptables can accept a target like DROP, ACCEPT and so on, OR the name of a chain to jump to.
 
Old 08-28-2009, 04:08 AM   #5
JulianTosh
Member
 
Registered: Sep 2007
Location: Las Vegas, NV
Distribution: Fedora / CentOS
Posts: 674
Blog Entries: 3

Rep: Reputation: 90
Also, hosts.allow and hosts.deny are simple tools to accomplish this.
 
Old 08-28-2009, 11:07 AM   #6
kdelover
Member
 
Registered: Aug 2009
Posts: 311

Rep: Reputation: 36
To accept from one and deny all, write 2 rules: first write the deny statement, followed by an allow statement, using the -I option, not -A.

iptables -t filter -I INPUT -p tcp -s <SN> -d <DIP> --dport 22 -j DROP
iptables -t filter -I INPUT -p tcp -s <SIP> -d <DIP> --dport 22 -j ACCEPT
 
Old 08-28-2009, 11:24 AM   #7
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by kdelover View Post
To accept from one and deny all, write 2 rules: first write the deny statement, followed by an allow statement, using the -I option, not -A.

iptables -t filter -I INPUT -p tcp -s <SN> -d <DIP> --dport 22 -j DROP
iptables -t filter -I INPUT -p tcp -s <SIP> -d <DIP> --dport 22 -j ACCEPT
True, but he did make it sound like he actually wanted to allow more than one IP.

Last edited by win32sux; 08-28-2009 at 11:33 AM.
 
Old 08-28-2009, 12:55 PM   #8
kdelover
Member
 
Registered: Aug 2009
Posts: 311

Rep: Reputation: 36
Quote:
Originally Posted by win32sux View Post
True, but he did make it sound like he actually wanted to allow more than one IP.
Yeah, true. In that case he can include a deny statement to all first, then followed by allow statements for those who are to be allowed, so his iptables should look something like

Allow A
Allow B
Allow C
Deny ALL

Or maybe create a custom chain with an implicit deny-all policy, with the exceptions he wants to include.


Or, if not iptables, try tcpwrappers; that should be an easier thing to do.
 
Old 08-28-2009, 01:47 PM   #9
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by kdelover View Post
Yeah, true. In that case he can include a deny statement to all first, then followed by allow statements for those who are to be allowed, so his iptables should look something like

Allow A
Allow B
Allow C
Deny ALL

Or maybe create a custom chain with an implicit deny-all policy, with the exceptions he wants to include.
Ummm, yeah, that's pretty much what I did in post #2.
 
Old 08-28-2009, 01:59 PM   #10
kdelover
Member
 
Registered: Aug 2009
Posts: 311

Rep: Reputation: 36
^^^ Oh, yeah, I didn't go through all the posts.
 
Old 08-28-2009, 04:53 PM   #11
JulianTosh
Member
 
Registered: Sep 2007
Location: Las Vegas, NV
Distribution: Fedora / CentOS
Posts: 674
Blog Entries: 3

Rep: Reputation: 90
Quote:
Originally Posted by Admiral Beotch View Post
Also, hosts.allow and hosts.deny are simple tools to accomplish this.
To make this work in hosts.allow|deny...

In /etc/hosts.allow:
Code:
sshd: 127.0.0.1 122.45.32.56 232.28.25.86 45.33.86.233 68.47.132.24
In /etc/hosts.deny:
Code:
sshd: ALL
 
Old 08-28-2009, 11:13 PM   #12
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
Also look at AllowUsers, which can be of the form user@hostname.com.
You can also add a "from=" optional field to the beginning of an authorized_keys file. This allows more controls on a per-user basis, such as
nopty. See the sshd manpage for more details.
 
Old 08-31-2009, 01:29 AM   #13
saifkhan123
Member
 
Registered: Apr 2009
Distribution: Red Hat/CentOS
Posts: 108

Rep: Reputation: 19
ssh config file

You can use the /etc/sshd_config file effectively for that purpose also. If you are using OpenSSH 5.x (I don't know if earlier versions support the lines below), then you can use this line in the file:

Code:
AllowUsers user1@ip-address user2@ip-address user3......
You can also use
Code:
DenyUsers user@ip-address
 