My current iptables script looks like this:


# (1) Policies (default)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# (2) User-Defined chain for ACCEPTed TCP packets
iptables -N okay
iptables -A okay -p TCP --syn -j ACCEPT
iptables -A okay -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A okay -p TCP -j DROP

# (3) INPUT chain rules

# Rules for incoming packets from the LAN
iptables -A INPUT -p ALL -i eth0 -s 192.100.0.0/8 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 192.100.0.100 -j ACCEPT

# Packets for established connections
iptables -A INPUT -p ALL -d 192.100.0.100 -m state --state ESTABLISHED,RELATED -j ACCEPT

# TCP rules

# SSH
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 22 -j okay
# HTTP
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 80 -j okay
# IDENTD (Necessary for IRC ?????)
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 113 -j okay
# HTTPS (SSL)
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 443 -j okay
# IPP
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 631 -j okay
# MySQL
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 3306 -j okay

# UDP rules
iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 2074 -j okay
iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 4000 -j okay

# ICMP rules
iptables -A INPUT -p ICMP -i eth0 -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A INPUT -p ICMP -i eth0 -s 0/0 --icmp-type 11 -j ACCEPT

# (4) OUTPUT chain rules
# Only output packets with local addresses (no spoofing)
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 192.100.0.100 -j ACCEPT
iptables -A OUTPUT -p ALL -s 54.67.87.33 -j ACCEPT

Currently I am using tcpwrappers to deny access to ssh. Only specified ip addresses are allowed to use the ssh service. I'd like to allow specific ip addresses through the firewall only.

What do I have to change to allow only specified ip addresses to access port 22?

Also, and this may be better in a new thread, I would like to be notified of failed attempts. I know you can log iptables but I find the tutorials tuff to follow.

>What do I have to change to allow only specified ip addresses to access port 22?

If the ip addresses you want to accept are in an ip block together (like 123.456.789.001 and 123.456.789.100) it is easy to do.
-s 123.456.789.0/24
where the number following the slash tells it how many numbers of the ip address to check. Here's the catch though, it's in octets so if you want all :
123.XXX.XXX.XXX you would use /8
123.456.XXX.XXX you would use /16
123.456.789.XXX you would use /24
123.456.789.001 you would use ? yes /32

If you have a bunch of varied ips, stick with hosts.allow.

BTW, those iptables rules look funny. Especially the "-j okay" target. Did you make a user defined target or should that be -j ACCEPT?

To do logging, make a rule and use the -j LOG target. BUT, if you do logging via iptables you open yourself up to DOS attacks. For example if I syn flood you and you happen to be logging that request, you're in trouble. So it's a two-edged sword.

So you are saying that iptables can only allow a range of ip addresses in and not specific ip addresses?



Sorry. I just realized that I did not post my full iptables script. I edited it for you.

I find it hard to believe that I can not specify certain ip addresses to do this.

You're completely right, but the problem you run into is that you have to write an iptables rule for each one if they're not in the same subnet. So if you want to allow 15 different ip addresses, it can get to be a pain writing out all the rules. See my point. That's why I would use hosts.allow/deny to accomplish it. But it would work completely if you wanted to write out iptables rules for all of them. You could just put them one after another in your script like
iptables .......... -s 124.545.457.432 -j ACCEPT
iptables .......... -s 643.236.765.335 -j ACCEPT
etc,etc,etc...

I agree with you that it would be nice if you could import a list of allowed addresses using something like a pointer in a single iptables rule, but I've never seen that done. If you can figure out a way to do that, I sure as hell would like to know!

hehe I can tell you I surely will not figure out how to do that. My concentration in College was in programming and I find writing iptables scripts one of the hardest things I've ever done. I think I just have a mental block with them.

One more question and I won't bug you anymore. So if I use the:

iptables .......... -s 124.545.457.432 -j ACCEPT
iptables .......... -s 643.236.765.335 -j ACCEPT
etc,etc,etc...

will that automatically block all other IP addresses that are not allowed or do I have to add another rule?

Any ip address which doesn't match the ones you specify will get fall through the rules untill they hit the default INPUT rule. Which in your case is DROP, so they won't get anything when they try and connect.

If you just need to allow a couple of addresses, you can do this no problem.

>I think I just have a mental block with them
You're not the only one, I feel like my head is going to pop when I'm trying to think through them.

I'm sure that if I'm wrong about that, unspawn will arrive promptly and pimp-slap me anyway.

Sometimes I need unspawn's pimp-slapping. It puts me back in my place. Thanks unspawn!