LinuxQuestions.org > Linux - Security > Iptable rule to block outgoing ip addresses except some
https://www.linuxquestions.org/questions/linux-security-4/iptable-rule-to-block-outgoing-ip-addresses-except-some-4175557796/

kingston 11-02-2015 12:32 PM

Iptable rule to block outgoing ip addresses except some
 
Hi All

I don't want my server to communicate with other servers using SSH except some servers.

Please have a look at the following rule and let me know if this is correct.

Quote:

iptables -I OUTPUT ! -d 192.168.1.2,192.168.2.3,198.168.3.3 -p tcp --dport 22 -j REJECT
I hope ssh connection except the ip addresses mentioned in the rule will be blocked.

lazydog 11-02-2015 02:54 PM

Have a look at this one;

Code:

iptables -I OUTPUT --dst-range ! 192.168.1.2,192.168.2.3,198.168.3.3 -p tcp --dport 22 -j REJECT

vincix 11-03-2015 02:40 AM

Quote:

Originally Posted by lazydog (Post 5443752)
Have a look at this one;

Code:

iptables -I OUTPUT --dst-range ! 192.168.1.2,192.168.2.3,198.168.3.3 -p tcp --dport 22 -j REJECT

Does this mean that all outgoing ssh connections are rejected, except those towards those ip addresses?

kingston 11-03-2015 03:21 AM

Hi Lazydog

"--dst-range" is not working. I think I have to go with the "ipset" option.

salasi 11-03-2015 05:57 AM

Note that while port 22 is the default, there is no guarantee that port 22 will be used. OK, you can easily argue that it could be way better than nothing for preventing ssh to 'random' servers, but if there is a case where the remote SSH box could be under the command of one of your users, then they could change that port to almost anything (and then any 'port 22 based' blocking would fail).

(Changing the ssh port is also used as a 'security measure'; I don't think it is too controversial to say that, on its own, it is a poor security measure, but it does mean that there is a population of boxes where a non-default port is used for entirely legitimate, if often poor, reasons.)

lazydog 11-04-2015 12:34 PM

Quote:

Originally Posted by kingston (Post 5443961)
Hi Lazydog

"--dst-range" is not working. I think I have to go with the "ipset" option.

Try moving the "!" before the --dst-range to ensure it is not working.

kingston 11-07-2015 06:19 AM

Hi All

I have achieved blocking multiple ip addresses using IPSET

Quote:

Reference Link :
http://www.linuxjournal.com/content/...urations-ipset

RPM Installed:
ipset-6.11-4.el6.x86_64

ipset -N myset iphash
ipset -A myset 1.1.1.1
ipset -A myset 2.2.2.2
iptables -A INPUT -m set --set myset src -j DROP
iptables -A OUTPUT -m set --set myset dst -j DROP

JockVSJock 11-09-2015 12:34 PM

Quote:

Originally Posted by lazydog (Post 5443752)
Have a look at this one;

Code:

iptables -I OUTPUT --dst-range ! 192.168.1.2,192.168.2.3,198.168.3.3 -p tcp --dport 22 -j REJECT

I've never seen the "!" used before for an IPTables ruleset. Looking at the man page, this will invert on the dst-range, which normally would match destination IPs in the specified range.

So with the "!", it would mean that we would ignore the range of 192.168.1.2, 192.168.2.3, 198.168.3.3 ?

thanks

lazydog 11-10-2015 09:44 AM

Quote:

Originally Posted by JockVSJock (Post 5447032)
I've never seen the "!" used before for an IPTables ruleset. Looking at the man page, this will invert on the dst-range, which normally would match destination IPs in the specified range.

So with the "!", it would mean that we would ignore the range of 192.168.1.2, 192.168.2.3, 198.168.3.3 ?

thanks

The "!" equals NOT, so yes, we would ignore 192.168.1.2, 192.168.2.3 and 192.168.3.3
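Added example, not code from the thread: the allow-list that kingston's ipset post and lazydog's "!" explanation describe, written as one ipset set plus a single OUTPUT rule using `-m set ! --match-set`, so tcp/22 is rejected to every destination that is NOT in the set. The set name `ssh_allow` is hypothetical and the addresses are constructed; `DRY_RUN=1` prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the thread: outgoing SSH is allowed only to
# the hosts in an ipset allow-list; one OUTPUT rule rejects tcp/22 to every
# other destination. "! --match-set" means "destination NOT in the set",
# the negation the thread tried to express with "! -d a,b,c".
# Set name "ssh_allow" is hypothetical; the addresses are constructed.
SET_NAME="ssh_allow"
ALLOWED="192.168.1.2 192.168.2.3 192.168.3.3"

# With DRY_RUN=1 the commands are printed instead of executed, so the
# policy can be reviewed on a machine without root or iptables.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Accept only a dotted quad with four octets in 0-255; a typo such as
# "192.1681.2" would otherwise silently end up in the set.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# The single rule: reject tcp/22 unless the destination is in the set.
ssh_allowlist_rule() {
    echo "-p tcp --dport 22 -m set ! --match-set $SET_NAME dst -j REJECT"
}

apply_ssh_allowlist() {
    run ipset create "$SET_NAME" hash:ip -exist      # -exist: idempotent
    for ip in $ALLOWED; do
        valid_ipv4 "$ip" || { echo "refusing bad address: $ip" >&2; return 1; }
        run ipset add "$SET_NAME" "$ip" -exist
    done
    # -C checks for an existing identical rule so re-runs do not stack copies.
    if [ "${DRY_RUN:-0}" = "1" ] || ! iptables -C OUTPUT $(ssh_allowlist_rule) 2>/dev/null; then
        run iptables -I OUTPUT $(ssh_allowlist_rule)
    fi
}

case "${1:-}" in
    apply)   apply_ssh_allowlist ;;              # sh script.sh apply   (as root)
    preview) DRY_RUN=1 apply_ssh_allowlist ;;    # sh script.sh preview
esac
```

As salasi points out above, this still keys on port 22 only: a remote sshd listening on a non-default port is not covered by this rule.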

