I'm a long time lurker here, but finally couldnt find an answer so had to sign up. :P


I'm helping a friend set up a server online and I'm learning as I go, but one thing has me sorta stumped.

I'm trying to restrict non local access to certain ports from certain IPs.
Example, I want to set up a whitelist so that only say 123.45.67.89 can connect to the server on port 21, and all other connections to port 21 are refused.
I've searched and found ways to whitelist a port to all IPs, and ways to whitelist all IPs to a port, but not how to whitelist a single IP - port combo.

Taken one step further, since he has a dynamic IP with his ISP, how can I whitelist a range of IPs to a single port. say 123.45.67.*

Any help would be greatly appreciated.

iptables -A INPUT -s 123.45.67.0/24 -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -s 123.45.67.0/24 -m state ESTABLISHED,RELATED -j ACCEPT

second rule might be needed depending on how the rest of your firewall is configured since ftp opens extra ports

3 members found this post helpful.

and then don't forget to either have DENY or DROP in your INPUT chain policy, or add the line

iptables -A INPUT -p tcp --dport 21 -j DROP

below the others.

2 members found this post helpful.

for one IP:
iptables -A INPUT -s !123.45.67.89 -p tcp --dport 21 -j DROP
with a default INPUT -P ACCEPT


with default INPUT -P DROP
iptables -A INPUT -s 123.45.67.89 -p tcp --dport 21 -j ACCEPT

3 members found this post helpful.

sweet, thanks a ton guys!
Gotta love learning new stuff.