Recipe 2.10 Blocking Remote Access, but Permitting Local
2.10.1 Problem
You want only local users to access a TCP service; remote requests should be denied.
2.10.2 Solution
Permit connections via the loopback interface and reject all others. For iptables:
# iptables -A INPUT -p tcp -i lo --dport service -j ACCEPT
# iptables -A INPUT -p tcp --dport service -j REJECT
For ipchains:
# ipchains -A input -p tcp -i lo --dport service -j ACCEPT
# ipchains -A input -p tcp --dport service -j REJECT
Alternatively, you can single out your local IP address specifically. For iptables:
# iptables -A INPUT -p tcp ! -s your_IP_address --dport service -j REJECT
For ipchains:
# ipchains -A input -p tcp ! -s your_IP_address --dport service -j REJECT
Depending on your shell, you might need to escape the exclamation point.
2.10.3 Discussion
The local IP address can be a network specification, of course, such as a.b.c.d/N. Matching on the loopback interface (-i lo) is the more robust of the two solutions, since a source address in a packet can be forged but the interface it arrived on cannot.
You can permit an unrelated set of machines to access the service but reject everyone else, like so. For iptables:
# iptables -A INPUT -p tcp -s IP_address_1 --dport service -j ACCEPT
# iptables -A INPUT -p tcp -s IP_address_2 --dport service -j ACCEPT
# iptables -A INPUT -p tcp -s IP_address_3 --dport service -j ACCEPT
# iptables -A INPUT -p tcp --dport service -j REJECT
For ipchains:
# ipchains -A input -p tcp -s IP_address_1 --dport service -j ACCEPT
# ipchains -A input -p tcp -s IP_address_2 --dport service -j ACCEPT
# ipchains -A input -p tcp -s IP_address_3 --dport service -j ACCEPT
# ipchains -A input -p tcp --dport service -j REJECT
Order matters here: -A appends to the end of the chain, so the ACCEPT rules are consulted before the final catch-all REJECT. The catch-all is written as a rule for this service rather than as a chain policy (-P), because a policy applies to every packet on the chain, not just this service, and iptables does not accept REJECT as a built-in chain policy.
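The following shell script is an added example, not from the book: it generates the iptables rule set above for a given port and an optional list of trusted addresses, with the loopback ACCEPT first and the catch-all REJECT last, and applies it idempotently using iptables -C so it can be re-run safely. The function names and the use of a port number in place of the book's "service" placeholder are this example's own choices.

```shell
#!/bin/sh
# Added example: emit an ordered, local-only rule set for one TCP port.
# Usage: local_only_rules PORT [ADDR ...]   (ADDR may be a.b.c.d or a.b.c.d/N)
local_only_rules() {
    port=$1; shift
    # Loopback first: local clients, including ones connecting to the host's
    # own public address, arrive on lo and never leave the machine.
    echo "iptables -A INPUT -p tcp -i lo --dport $port -j ACCEPT"
    # Any explicitly trusted hosts or networks.
    for addr in "$@"; do
        echo "iptables -A INPUT -p tcp -s $addr --dport $port -j ACCEPT"
    done
    # Catch-all last: -A appends, so the ACCEPT rules above are matched first.
    # A per-port REJECT is used instead of a chain policy, which would affect
    # all traffic on INPUT and which iptables would not accept as REJECT anyway.
    echo "iptables -A INPUT -p tcp --dport $port -j REJECT"
}

# Apply the generated rules as root, skipping any that already exist.
# iptables -C returns success if an identical rule is present in the chain.
apply_rules() {
    local_only_rules "$@" | while read -r cmd; do
        check=$(printf '%s' "$cmd" | sed 's/ -A / -C /')
        if $check 2>/dev/null; then
            continue            # already present; keep the script idempotent
        fi
        $cmd || return 1
    done
}

# Helpers used to inspect the generated set without touching the firewall.
rule_count() { local_only_rules "$@" | wc -l | tr -d ' '; }
first_rule() { local_only_rules "$@" | head -n 1; }
last_rule()  { local_only_rules "$@" | tail -n 1; }
```

Run `local_only_rules 25 10.0.0.5` to review the rules, and `apply_rules 25 10.0.0.5` as root to install them.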
2.10.4 See Also
iptables(8), ipchains(8). Chapter 3 covers diverse, non-firewall approaches to block incoming service requests.