iptables - how to block all incoming traffic except ssh

New to Debian (Or Linux in general)? Ask your questions here!
emil_21
Posts: 98
Joined: 2017-04-14 06:13

iptables - how to block all incoming traffic except ssh

#1 Post by emil_21 »

I allowed the port for the ssh connection with this command:

iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

But then if I set the default policy to reject all incoming traffic with this command I am losing the ssh connection:

iptables -P INPUT DROP

Why is that?

bw123
Posts: 4015
Joined: 2011-05-09 06:02
Has thanked: 1 time
Been thanked: 28 times

Re: iptables - how to block all incoming traffic except ssh

#2 Post by bw123 »

I found a lot of hits when I searched for "iptables - how to block all incoming traffic except ssh" on a search engine; did you try that?
resigned by AI ChatGPT

GarryRicketson
Posts: 5644
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: iptables - how to block all incoming traffic except ssh

#3 Post by GarryRicketson »

I don't know much about iptables, because I don't use that method, but I did do a search for the OP.

The first hit, using keywords:

how to block all incoming traffic except ssh
https://www.cyberciti.biz/tips/linux-ip ... w-ssh.html

There are some examples. But it would help if the OP shows us what their iptables ruleset
actually is.
Please show the output of this command
(if you can not run it as a normal user, try as root):

iptables -S

Or

iptables -L

Even better:

man iptables

for details on the various options.

It appears to me they have it backwards, and I have read that if the entries are in the wrong order it can cause this.

# Setting default policies:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Exceptions to default policy
iptables -A INPUT -p tcp --dport 22 -j ACCEPT       # SSH

The OP shows:

#I allowed the port for the ssh connection with this command:
iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
#But then if I set the default policy to reject all incoming traffic with this
#command I am losing the ssh connection:
#
iptables -P INPUT DROP

There certainly seem to be plenty of guides and tutorials on this; it seems odd to me that the OP would need to ask here, maybe they cannot access a search engine?

reinob
Posts: 1189
Joined: 2014-06-30 11:42
Has thanked: 97 times
Been thanked: 47 times

Re: iptables - how to block all incoming traffic except ssh

#4 Post by reinob »

emil_21 wrote:I allowed the port for the ssh connection with this command:

iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

But then if I set the default policy to reject all incoming traffic with this command I am losing the ssh connection:

iptables -P INPUT DROP

Why is that?

You reject (drop) by default, and allow NEW connections to port 22.
This means that any already-established connection to port 22 will be dropped, as per your default policy.

Normally a (sane) firewall configuration has something like:

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

so that established connections (allowed explicitly when "NEW") can actually work as intended.

emil_21
Posts: 98
Joined: 2017-04-14 06:13

Re: iptables - how to block all incoming traffic except ssh

#5 Post by emil_21 »

I already searched for a solution, but the guides I found are not working for me. For example, every guide says I should add the rule for ssh before the drop-all-incoming-traffic rule, and I am doing this, but the problem is that I get disconnected from the server every time I add the drop-all-incoming-traffic rule, when I shouldn't, and I can't reconnect with ssh.

emil_21
Posts: 98
Joined: 2017-04-14 06:13

Re: iptables - how to block all incoming traffic except ssh

#6 Post by emil_21 »

I found the problem. It was in the rule for ssh, though I am not exactly sure what the reason was. I only added this line:

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

After that I added the rule to drop all incoming traffic and I didn't get disconnected:

sudo iptables -A INPUT -j DROP

p.H
Global Moderator
Posts: 3049
Joined: 2017-09-17 07:12
Has thanked: 5 times
Been thanked: 132 times

Re: iptables - how to block all incoming traffic except ssh

#7 Post by p.H »

The effect of one single rule depends on the whole ruleset (yeah, context). Do not post a single rule but the full ruleset printed by

iptables-save

Your initial rule only accepts incoming packets in the NEW state, but a typical connection involves other states such as ESTABLISHED. Did you already have a rule accepting packets in this state, which is quite common?

reinob
Posts: 1189
Joined: 2014-06-30 11:42
Has thanked: 97 times
Been thanked: 47 times

Re: iptables - how to block all incoming traffic except ssh

#8 Post by reinob »

emil_21 wrote:I found the problem. It was in the rule for ssh, though I am not exactly sure what the reason was. I only added this line:

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

After that I added the rule to drop all incoming traffic and I didn't get disconnected:

sudo iptables -A INPUT -j DROP
Your original rule had "-m state --state NEW", which means it applies (accepts) only NEW (first packet of) connections.
I told you to add another rule for "-m state --state RELATED,ESTABLISHED", which applies to any connection (any port), so that once the policy (default or NEW) has decided to accept, then it will continue to be accepted until the session is closed.

You now made a rule to allow anything incoming on port 22, which is OK (as it obviously includes NEW and ESTABLISHED states). You just made the firewall stateless but OK.

If I may give you some advice: you should understand how a stateful firewall works and then read (at least quickly) the manual page for iptables. Otherwise you risk doing something (catastrophically) wrong just because you copied this or that off the Internet, without actually understanding what you're typing (as root).
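The stateful "ssh only" ruleset that posts #4 and #8 describe, written out as an added example (not code from any poster) in iptables-restore format, with a pre-load check for the NEW-without-ESTABLISHED combination that cut the OP's session; the function names are my own, and the check assumes the ruleset text is in that format.

```shell
#!/bin/sh
# Added example, not from the thread: the "ssh only" ruleset in iptables-restore format.
# Loading it as one file applies the DROP policy and the RELATED,ESTABLISHED rule
# atomically, so the session you are typing in survives the policy change.
# `-m conntrack --ctstate` is the current spelling of the `-m state --state` used above.
ssh_only_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# replies to connections already accepted: the rule the OP was missing
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# the only inbound service: new ssh connections
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# The OP's first attempt, reconstructed for comparison: NEW only, nothing for ESTABLISHED.
lockout_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
COMMIT
EOF
}

# Returns 1 when INPUT's policy is DROP but no rule accepts ESTABLISHED packets,
# i.e. exactly the combination that dropped the OP's ssh session. Argument: ruleset text.
check_established_accepted() {
    policy=$(printf '%s\n' "$1" | awk '$1 == ":INPUT" { print $2 }')
    hits=$(printf '%s\n' "$1" | grep -cE -- '--(ct)?state [A-Z,]*ESTABLISHED.*-j ACCEPT' || true)
    [ "$policy" != "DROP" ] || [ "$hits" -gt 0 ]
}

# Run as root. iptables-restore --test parses without applying; then load for real.
load_ssh_only_ruleset() {
    rules=$(ssh_only_ruleset)
    check_established_accepted "$rules" || { echo "refusing to load: would lock out ssh" >&2; return 1; }
    printf '%s\n' "$rules" | iptables-restore --test || return 1
    printf '%s\n' "$rules" | iptables-restore
}
```

Call load_ssh_only_ruleset from a root shell; the check refuses the lockout variant and accepts the stateful one before anything touches the live tables.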
