iptables - how to block all incoming traffic except ssh


Postby emil_21 » 2018-10-01 21:14

I allowed the port for the SSH connection with this command:

Code:
iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

But then if I set the default policy to reject all incoming traffic with this command I am losing the SSH connection:

Code:
iptables -P INPUT DROP


Why is that?
emil_21
 
Posts: 27
Joined: 2017-04-14 06:13

Re: iptables - how to block all incoming traffic except ssh

Postby bw123 » 2018-10-01 21:43

I found a lot of hits when I searched for "iptables - how to block all incoming traffic except ssh" on a search engine; did you try that?
bw123
 
Posts: 3403
Joined: 2011-05-09 06:02
Location: TN_USA

Re: iptables - how to block all incoming traffic except ssh

Postby GarryRicketson » 2018-10-02 00:36

I don't know much about iptables, because I don't use that method, but I did do a search for the OP.

The first hit, using keywords:

Code:
how to block all incoming traffic except ssh

https://www.cyberciti.biz/tips/linux-iptables-4-block-all-incoming-traffic-but-allow-ssh.html

There are some examples. But it would help if the OP shows us what their iptables rules
actually are.
Please show the output of this command
(if you can not run it as a normal user, try as root):

Code:
iptables -S

Or

Code:
iptables -L

Even better:

Code:
man iptables

For details on the various options.

It appears to me they have it backwards, and I have read that if the entries are in the wrong order it can cause this.

Code:
# Setting default policies:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Exceptions to default policy
iptables -A INPUT -p tcp --dport 22 -j ACCEPT       # SSH

The OP shows:
Code:
# I allowed the port for the SSH connection with this command:
iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# But then if I set the default policy to reject all incoming traffic with this
# command I am losing the SSH connection:
#
iptables -P INPUT DROP

There certainly seems to be plenty of guides and tutorials on this; it seems odd to me the OP would need to ask here, maybe they can not access a search engine?
GarryRicketson
 
Posts: 5129
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: iptables - how to block all incoming traffic except ssh

Postby reinob » 2018-10-02 05:20

emil_21 wrote:
I allowed the port for the SSH connection with this command:

Code:
iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

But then if I set the default policy to reject all incoming traffic with this command I am losing the SSH connection:

Code:
iptables -P INPUT DROP

Why is that?


You reject (drop) by default, and allow NEW connections to port 22.
This means that any already-established connection to port 22 will be dropped, as per your default policy.

Normally a (sane) firewall configuration has something like:

Code:
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

so that established connections (allowed explicitly when "NEW") can actually work as intended.
reinob
 
Posts: 555
Joined: 2014-06-30 11:42

Re: iptables - how to block all incoming traffic except ssh

Postby emil_21 » 2018-10-02 08:01

I already searched for a solution but the guides I found are not working for me. For example, every guide says I should add the rule for SSH before the drop-all-incoming-traffic rule and I am doing this, but the problem is that I get disconnected from the server every time I add the drop-all-incoming-traffic rule, when I shouldn't, and I can't reconnect with SSH.
emil_21
 
Posts: 27
Joined: 2017-04-14 06:13

Re: iptables - how to block all incoming traffic except ssh

Postby emil_21 » 2018-10-02 08:28

I found the problem. It was in the rule for SSH, though I am not exactly sure what the reason was. I only added this line:

Code:
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

After that I added the rule to drop all incoming traffic and I didn't get disconnected:

Code:
sudo iptables -A INPUT -j DROP
emil_21
 
Posts: 27
Joined: 2017-04-14 06:13

Re: iptables - how to block all incoming traffic except ssh

Postby p.H » 2018-10-02 09:08

The effect of one single rule depends on the whole ruleset (yeah, context). Do not post a single rule but the full ruleset printed by

Code:
iptables-save

Your initial rule only accepts incoming packets in the NEW state, but a typical connection involves other states such as ESTABLISHED. Did you already have a rule accepting packets in this state, which is quite common?
p.H
 
Posts: 600
Joined: 2017-09-17 07:12

Re: iptables - how to block all incoming traffic except ssh

Postby reinob » 2018-10-02 09:54

emil_21 wrote:
I found the problem. It was in the rule for SSH, though I am not exactly sure what the reason was. I only added this line:

Code:
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

After that I added the rule to drop all incoming traffic and I didn't get disconnected:

Code:
sudo iptables -A INPUT -j DROP


Your original rule had "-m state --state NEW", which means it applies (accepts) only NEW (first packet of) connections.
I told you to add another rule for "-m state --state RELATED,ESTABLISHED", which applies to any connection (any port), so that once the policy (default or NEW) has decided to accept, then it will continue to be accepted until the session is closed.

You now made a rule to allow anything incoming on port 22, which is OK (as it obviously includes NEW and ESTABLISHED states). You just made the firewall stateless but OK.

If I may give you some advice: you should understand how a stateful firewall works and then read (at least quickly) the manual page for iptables. Otherwise you risk doing something (catastrophically) wrong just because you copied this or that off the Internet, without actually understanding what you're typing (as root).
reinob
 
Posts: 555
Joined: 2014-06-30 11:42
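As an added illustration (not code from the thread or from any poster), here is a small Python model of the INPUT chain evaluation reinob describes in both of his replies above: it shows why the OP's NEW-only rule drops the packets of an already-established SSH session once the policy is DROP, and why either the RELATED,ESTABLISHED rule or the OP's final stateless port-22 rule keeps the session alive. The rule and packet representations are my own simplification; only the protocol, port and conntrack-state matches used in the thread's rules are modelled.

```python
# Added example, not from the thread: a small model of how the INPUT chain is
# evaluated (first matching rule wins, otherwise the chain policy applies).
# Packets and rule matches are plain dicts; "state" stands for the conntrack
# state netfilter would attach to the packet (NEW, ESTABLISHED or RELATED).

def evaluate(packet, rules, policy="DROP"):
    """Verdict for one packet: target of the first matching rule, else policy."""
    for match, target in rules:
        if "proto" in match and match["proto"] != packet["proto"]:
            continue
        if "dport" in match and match["dport"] != packet["dport"]:
            continue
        if "states" in match and packet["state"] not in match["states"]:
            continue
        return target
    return policy

# Ruleset A: the OP's first attempt (NEW-only rule, policy DROP).
OP_RULES = [({"proto": "tcp", "dport": 22, "states": {"NEW"}}, "ACCEPT")]

# Ruleset B: reinob's fix, the RELATED,ESTABLISHED rule placed first.
STATEFUL_RULES = [
    ({"states": {"RELATED", "ESTABLISHED"}}, "ACCEPT"),
    ({"proto": "tcp", "dport": 22, "states": {"NEW"}}, "ACCEPT"),
]

# Ruleset C: the OP's final stateless rule; the trailing "-A INPUT -j DROP"
# behaves like a DROP policy here.
STATELESS_RULES = [
    ({"proto": "tcp", "dport": 22}, "ACCEPT"),
    ({}, "DROP"),
]

# Constructed packets of one SSH session as seen by INPUT: the client's SYN,
# then a later data packet of the same connection.
SSH_SESSION = [
    {"proto": "tcp", "dport": 22, "state": "NEW"},
    {"proto": "tcp", "dport": 22, "state": "ESTABLISHED"},
]

def session_survives(rules, packets=SSH_SESSION):
    """True only if every packet of the session is accepted."""
    return all(evaluate(p, rules) == "ACCEPT" for p in packets)

if __name__ == "__main__":
    for name, rules in (("OP", OP_RULES), ("stateful", STATEFUL_RULES),
                        ("stateless", STATELESS_RULES)):
        verdicts = [evaluate(p, rules) for p in SSH_SESSION]
        print(f"{name:9s} {verdicts} session survives: {session_survives(rules)}")
```

Ruleset A accepts the SYN but drops the ESTABLISHED packet, which is exactly the disconnect the OP saw; rulesets B and C accept both while still dropping unrelated new connections such as port 80.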
