[SOLVED] Iptable rule to block outgoing ip addresses except some

kingston · 11-02-2015, 12:32 PM

Hi All

I don't want my server to communicate with other servers using SSH except some servers.

Please have a look at the following rule and let me know if this is correct.

Quote:

iptables -I OUTPUT ! -d 192.168.1.2,192.168.2.3,198.168.3.3 -p tcp --dport 22 -j REJECT

I hope ssh connection except the ip addresses mentioned in the rule will be blocked.

lazydog · 11-02-2015, 02:54 PM

Have a look at this one;

Code:

iptables -I OUTPUT --dst-range ! 192.168.1.2,192.168.2.3,198.168.3.3 -p tcp --dport 22 -j REJECT

vincix · 11-03-2015, 02:40 AM

Quote:

Originally Posted by lazydog

Have a look at this one;

Code:

iptables -I OUTPUT --dst-range ! 192.168.1.2,192.168.2.3,198.168.3.3 -p tcp --dport 22 -j REJECT

Does this mean that all outgoing ssh connection are rejected, except those towards those ip addresses?

kingston · 11-03-2015, 03:21 AM

Hi Lazydog

"--dst-range" is not working. I think i have to go with the "ipset" option

salasi · 11-03-2015, 05:57 AM

Note that while port 22 is the default, there is no guarantee that port 22 will be used. OK, you can easily argue that it could be way better than nothing for preventing ssh to 'random' servers, if there is a case that the remote SSH box could be under the command of one of your users, then they could change that port to almost anything (and then any 'port 22 based' blocking would fail).

(Changing the ssh port is also used as a 'security measure'; I don't think it is too controversial to say that, on its own, it is a poor security measure, but it does mean that there is a population of boxes where a non-default port is used for entirely legitimate, if often poor, reasons.)

lazydog · 11-04-2015, 12:34 PM

Quote:

Originally Posted by kingston

Hi Lazydog

"--dst-range" is not working. I think i have to go with the "ipset" option

Try moving the "!" before the --dst-range to ensure it is not working.

kingston · 11-07-2015, 06:19 AM

Hi All

I have achieved blocking multiple ip addresses using IPSET

Quote:

Reference Link :
http://www.linuxjournal.com/content/...urations-ipset

RPM Installed:
ipset-6.11-4.el6.x86_64

ipset -N myset iphash
ipset -A myset 1.1.1.1
ipset -A myset 2.2.2.2
iptables -A INPUT -m set --set myset src -j DROP
iptables -A OUTPUT -m set --set myset dst -j DROP

JockVSJock · 11-09-2015, 12:34 PM

Quote:

Originally Posted by lazydog

Have a look at this one;

Code:

iptables -I OUTPUT --dst-range ! 192.168.1.2,192.168.2.3,198.168.3.3 -p tcp --dport 22 -j REJECT

I've never seen the "!" used before for an IPTables ruleset. Looking at the man page, this will invert on the dst-range, which normally would match destination IPs in the specified range.

So with the "!", it would mean that we would ignore the range of 192.1681.2, 192.168.2.3, 198.168.3.3 ?

thanks

lazydog · 11-10-2015, 09:44 AM

Quote:

Originally Posted by JockVSJock

I've never seen the "!" used before for an IPTables ruleset. Looking at the man page, this will invert on the dst-range, which normally would match destination IPs in the specified range.

So with the "!", it would mean that we would ignore the range of 192.1681.2, 192.168.2.3, 198.168.3.3 ?

thanks

The "!" equals NOT, so yes we would ignore 192.168.1.2, 192.168.2.3 and 192.168.3.3