Recipe 2.12 Permitting SSH Access Only
2.12.1 Problem
You want to permit incoming SSH
access but no other incoming access. Allow local connections to all
services, however.
2.12.2 Solution
For iptables:
# iptables -F INPUT
# iptables -A INPUT -p tcp --dport ssh -j ACCEPT
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -j REJECT
For ipchains:
# ipchains -F input
# ipchains -A input -p tcp --dport ssh -j ACCEPT
# ipchains -A input -i lo -j ACCEPT
# ipchains -A input -j REJECT
2.12.3 Discussion
A common setup is to permit access to a remote machine only by SSH.
If you want this access limited to certain hosts or networks, list
them by IP address as follows. For iptables:
# iptables -A INPUT -p tcp -s 128.220.13.4 --dport ssh -j ACCEPT
# iptables -A INPUT -p tcp -s 71.54.121.19 --dport ssh -j ACCEPT
# iptables -A INPUT -p tcp -s 152.16.91.0/24 --dport ssh -j ACCEPT
# iptables -A INPUT -j REJECT
For ipchains:
# ipchains -A input -p tcp -s 128.220.13.4 --dport ssh -j ACCEPT
# ipchains -A input -p tcp -s 71.54.121.19 --dport ssh -j ACCEPT
# ipchains -A input -p tcp -s 152.16.91.0/24 --dport ssh -j ACCEPT
# ipchains -A input -j REJECT
The REJECT rule in the preceding iptables and ipchains examples
prevents all other incoming connections. If you want to prevent only
SSH connections (from nonapproved hosts), use this REJECT rule
instead. For iptables:
# iptables -A INPUT -p tcp --dport ssh -j REJECT
For ipchains:
# ipchains -A input -p tcp --dport ssh -j REJECT
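The recipe above and the per-host variant in the Discussion are short enough to type by hand, but a ruleset that is regenerated from a list of approved sources is easier to audit and to reload after a reboot. The shell script below is an added example, not code from the Linux Security Cookbook: it emits an iptables-restore ruleset that covers the Section 2.12.2 solution (no arguments), the per-host variant (one argument per approved host or network), and, when REJECT_SSH_ONLY=1 is set, the narrower final rule that rejects only SSH from nonapproved hosts. Two points go beyond the recipe and are assumptions of the example: port 22 is written numerically rather than as the ssh service name, and an ESTABLISHED,RELATED conntrack rule is added so that replies to the host's own outgoing connections are not caught by the final REJECT. The function names, the REJECT_SSH_ONLY variable and the addresses 192.0.2.10 and 198.51.100.0/24 are constructed for the example.

```shell
#!/bin/sh
# Generate an iptables-restore ruleset that permits SSH (TCP port 22) only
# from the listed hosts or networks, allows all loopback traffic, and
# rejects everything else arriving on INPUT.
#
# Usage: gen_ssh_only_rules [host-or-cidr ...]
#   No arguments       -> SSH accepted from anywhere (the 2.12.2 solution)
#   One or more args   -> SSH accepted only from those sources
#   REJECT_SSH_ONLY=1  -> final rule rejects only SSH from other hosts,
#                         instead of all other incoming traffic
# (Function name and the REJECT_SSH_ONLY variable are constructed for
# this example; they are not part of the recipe.)
gen_ssh_only_rules() {
    printf '%s\n' '*filter'
    # Chain policies stay ACCEPT; the explicit REJECT at the end does the
    # filtering, exactly as in the recipe. Counters are [packets:bytes].
    printf '%s\n' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Added beyond the recipe: without this, replies to the host's own
    # outgoing connections (its DNS queries, for instance) would reach the
    # final REJECT rule.
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    if [ "$#" -eq 0 ]; then
        printf '%s\n' '-A INPUT -p tcp --dport 22 -j ACCEPT'
    else
        for src in "$@"; do
            printf '%s\n' "-A INPUT -p tcp -s $src --dport 22 -j ACCEPT"
        done
    fi
    if [ "${REJECT_SSH_ONLY:-0}" = "1" ]; then
        # Only SSH from non-approved hosts is refused; other services stay open.
        printf '%s\n' '-A INPUT -p tcp --dport 22 -j REJECT'
    else
        # Everything not matched above is refused.
        printf '%s\n' '-A INPUT -j REJECT'
    fi
    printf '%s\n' 'COMMIT'
}

# Sanity check on a generated ruleset: every ACCEPT for port 22 must sit
# before the REJECT (iptables evaluates rules in order, so an ACCEPT after
# the REJECT would never be reached), and the ruleset must end with COMMIT.
# Returns 0 when the ruleset passes.
check_ruleset() {
    ruleset="$1"
    last_accept=$(printf '%s\n' "$ruleset" | grep -n 'dport 22 -j ACCEPT' | tail -n 1 | cut -d: -f1)
    reject_line=$(printf '%s\n' "$ruleset" | grep -n ' -j REJECT' | cut -d: -f1)
    [ -n "$last_accept" ] && [ -n "$reject_line" ] \
        && [ "$last_accept" -lt "$reject_line" ] \
        && [ "$(printf '%s\n' "$ruleset" | tail -n 1)" = "COMMIT" ]
}

# Demonstration with constructed documentation-range addresses.
gen_ssh_only_rules 192.0.2.10 198.51.100.0/24
```

Load the output with iptables-restore (for example `gen_ssh_only_rules 192.0.2.10 | iptables-restore`), and keep an existing SSH session open while you do so: if the approved-source list is wrong, the final REJECT locks you out of the very service the recipe is meant to permit. The script targets iptables only; the ipchains variants stay as the command lists above.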
Alternatively, you can use TCP-wrappers. [Recipe 3.9]
[Recipe 3.11] [Recipe 3.13]
2.12.4 See Also
iptables(8), ipchains(8), ssh(1).