Xenon8419
Posts: 1
Joined: Sat Jun 01, 2019 1:39 pm

SSH (iptables): how to allow only one IP

Sat Jun 01, 2019 1:50 pm

Hello, I have a problem: if I use this line in iptables I can't connect to my Raspberry (it has a static public IP) (X.X.X.X is the IP of another LAN):

/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT

/sbin/iptables -A INPUT -p tcp -d X.X.X.X --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

But if I put X.X.X.X/24 or if I delete -d X.X.X.X I can connect from all devices... the fact is that I want to connect ONLY with one IP and refuse the others!

ericcooper
Posts: 123
Joined: Sat Apr 08, 2017 6:23 pm

Re: SSH (iptables): how to allow only one IP

Sat Jun 01, 2019 3:29 pm

You're filtering on destination IP address (-d). Don't you want source (-s)?

tpyo kingg
Posts: 555
Joined: Mon Apr 09, 2018 5:26 pm
Location: N. Finland

Re: SSH (iptables): how to allow only one IP

Sat Jun 01, 2019 3:31 pm

The first rule should allow the loopback interface to communicate with itself. Without it, the system cannot run. The second rule in the INPUT chain should allow all ESTABLISHED and RELATED connections in. Otherwise your outgoing connections cannot return. Ping is good to allow, too. Then the fourth rule can be the one you use to allow NEW tcp connections on port 22 from a specific address or range of addresses.

Here's what I would suggest. Note the -s for source address. Change that to the IPv4 address of the host you would like to allow incoming connections from.

iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow the courtesy of at least a ping
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -p tcp -s 10.10.10.10 --dport 22 -m state --state NEW -m limit --limit 4/minute --limit-burst 5 -j ACCEPT
# Default policy can't use REJECT, so we add these at the end
iptables -A INPUT -j REJECT   # hack for changing default policy

I prefer to end the INPUT chain with a default REJECT target.

If that is too complex you might look at the manual page for sshd_config and see that you can restrict by source address there instead.
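Added example (not code from anyone in this thread): a POSIX sh script that checks the allowed address is well formed and then prints the ruleset above in iptables-restore format, matching on the SOURCE address (-s) rather than the destination (-d) that caused the lockout in the question. The address 10.10.10.10 is a constructed placeholder; the valid_ipv4 and build_rules function names are my own.

```shell
#!/bin/sh
# Added example, not code from this thread. Emits an iptables-restore ruleset
# that accepts NEW SSH connections only from one SOURCE (-s) address, which is
# the fix for the -d mistake in the question. 10.10.10.10 is a constructed sample.
set -u

# valid_ipv4 ADDR[/PREFIX]: accept only a well-formed IPv4 address or CIDR range,
# so a typo cannot silently produce a rule that locks you out or opens port 22.
valid_ipv4() {
  addr=${1%/*}
  case "$1" in */*) prefix=${1#*/} ;; *) prefix=32 ;; esac
  printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS; IFS=.
  for octet in $addr; do
    [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
  done
  IFS=$old_ifs
  [ "$prefix" -ge 0 ] 2>/dev/null && [ "$prefix" -le 32 ] 2>/dev/null
}

# build_rules ALLOWED: print the ruleset. Order matters: loopback and already
# established traffic first, then the single SSH allow; everything else falls
# through to the DROP policy (append "-A INPUT -j REJECT" before COMMIT if you
# prefer tpyo kingg's REJECT ending).
build_rules() {
  allowed=$1
  valid_ipv4 "$allowed" || { echo "refusing to build rules: bad address '$allowed'" >&2; return 1; }
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
-A INPUT -p tcp -s $allowed --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Stand-alone use (as root): build_rules 10.10.10.10 > /tmp/rules.v4, then load
# it with "iptables-restore < /tmp/rules.v4" so the whole set is applied atomically.
build_rules "${1:-10.10.10.10}"
```

Before loading this over a remote SSH session, save the running rules with iptables-save and schedule a background iptables-restore of that backup a couple of minutes later, then cancel it once you have confirmed a fresh SSH login still works.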

rpdom
Posts: 14469
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: SSH (iptables): how to allow only one IP

Sat Jun 01, 2019 4:55 pm

tpyo kingg wrote:
Sat Jun 01, 2019 3:31 pm
The first rule should allow the loopback interface to communicate with itself. Without it, the system cannot run. The second rule in the INPUT chain should allow all ESTABLISHED and RELATED connections in. Otherwise your outgoing connections cannot return. Ping is good to allow, too. Then the fourth rule can be the one you use to allow NEW tcp connections on port 22 from a specific address or range of addresses.

Here's what I would suggest. Note the -s for source address. Change that to the IPv4 address of the host you would like to allow incoming connections from.

iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow the courtesy of at least a ping
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -p tcp -s 10.10.10.10 --dport 22 -m state --state NEW -m limit --limit 4/minute --limit-burst 5 -j ACCEPT
# Default policy can't use REJECT, so we add these at the end
iptables -A INPUT -j REJECT   # hack for changing default policy

I prefer to end the INPUT chain with a default REJECT target.

If that is too complex you might look at the manual page for sshd_config and see that you can restrict by source address there instead.
I usually have DROP in my default policies, rather than putting a REJECT at the end of the table. I don't want my systems to waste time replying to junk.

The rest is pretty much how a standard set of rules should be done.

tpyo kingg
Posts: 555
Joined: Mon Apr 09, 2018 5:26 pm
Location: N. Finland

Re: SSH (iptables): how to allow only one IP

Sat Jun 01, 2019 5:22 pm

rpdom wrote:
Sat Jun 01, 2019 4:55 pm
I usually have DROP in my default policies, rather than putting a REJECT at the end of the table. I don't want my systems to waste time replying to junk.
The policies can only default to DROP; they can't handle REJECT, so the latter has to be added to the chains to make it a default action. DROP is useful in certain uncommon situations but should be used more sparingly than it often is. Definitely any and all friendly sources should get a REJECT target rather than a DROP. For hostile sources it mostly won't matter whether they receive a DROP or a REJECT. There used to be a TARPIT target around which might be more useful than DROP in some of those situations.
