Linux Security Cookbook [Electronic resources] نسخه متنی

Recipe 2.12 Permitting SSH Access Only

2.12.1 Problem

You want to permit incoming SSH
access but no other incoming access. Allow local connections to all
services, however.

2.12.2 Solution

For iptables:

# iptables -F INPUT
# iptables -A INPUT -p tcp --dport ssh -j ACCEPT
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -j REJECT

For ipchains:

# ipchains -F input
# ipchains -A input -p tcp --dport ssh -j ACCEPT
# ipchains -A input -i lo -j ACCEPT
# ipchains -A input -j REJECT

2.12.3 Discussion

A common setup is to permit access to a remote machine only by SSH.
If you want this access limited to certain hosts or networks, list
them by IP address as follows:

For
iptables
:

# iptables -A INPUT -p tcp -s 128.220.13.4 --dport ssh -j ACCEPT
# iptables -A INPUT -p tcp -s 71.54.121.19 --dport ssh -j ACCEPT
# iptables -A INPUT -p tcp -s 152.16.91.0/24 --dport ssh -j ACCEPT
# iptables -A INPUT -j REJECT

For ipchains:

# ipchains -A input -p tcp -s 128.220.13.4 --dport ssh -j ACCEPT
# ipchains -A input -p tcp -s 71.54.121.19 --dport ssh -j ACCEPT
# ipchains -A input -p tcp -s 152.16.91.0/24 --dport ssh -j ACCEPT
# ipchains -A input -j REJECT

The REJECT
rule in the preceding iptables and
ipchains examples prevents

all other incoming connections. If you want to
prevent only SSH connections (from nonapproved hosts), use this
REJECT rule instead:

For iptables:

# iptables -A INPUT -p tcp --dport ssh -j REJECT

For ipchains:

# ipchains -A input -p tcp --dport ssh -j REJECT

Alternatively you can use TCP-wrappers. [Recipe 3.9]
[Recipe 3.11] [Recipe 3.13]

2.12.4 See Also

iptables(8), ipchains(8), ssh(1).