IPTables only allow localhost access

Question

I have struggled throughout the years to get a solid understanding on iptables. Any time I try and read through the man pages my eyes start to glaze over.

I have a service that I only want to allow the localhost to have access to.

What terms (or configuration, if someone is feeling generous) should I Google for to allow only localhost host to have access to a given port?

I would like to change my nick temporarily for 'iptablesrules' but I can't — Art Shayderov, Mar 14 '11 at 14:47
@iptablessuck actually it looks like I can. But I won't cause I'm not sure I will be able to change it back :) — Art Shayderov, Mar 14 '11 at 14:53
You better post your current configuration. `iptables --list` — Art Shayderov, Mar 14 '11 at 14:58
"Any time I try and read through the man pages my eyes start to glaze over." That's what it was like for me until I've found [these](https://netfilter.org/documentation/HOWTO//packet-filtering-HOWTO.html) [two](https://netfilter.org/documentation/HOWTO//NAT-HOWTO.html) howto's. Short and easy to understand. — x-yuri, Apr 01 '18 at 21:20

Hyppy · Accepted Answer · 2011-03-14T16:46:31.250

82

If by service you mean a specific port, then the following two lines should work. Change the "25" to whatever port you're trying to restrict.

iptables -A INPUT -p tcp -s localhost --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j DROP

edited Mar 14 '11 at 16:46

answered Mar 14 '11 at 14:47

Hyppy

15,608
1
38
59

2

"Anything coming from localhost to port 25, accept" and the second rule says "Drop anything coming into port 25". The first line is processed first, allowing localhost, and anything else will get dropped by the second line. Yes? – iptablessuck Mar 14 '11 at 14:49
1

That's correct! – Hyppy Mar 14 '11 at 14:51
4

@Hyppy, how would you "undo" this? – tester Aug 17 '13 at 02:28
11

@tester type those commands again, but replace `-A` with `-D` – pepoluan Aug 25 '13 at 17:14
Will these rules be saved after reboot? – Astronaut Nov 16 '16 at 17:31
1

@Astronaut type 'sudo service iptables save' to save the changes. then reboot. you can check whether changes were saved by typing 'sudo iptables -L' – Vinayak Jan 13 '17 at 07:03
I tried 'sudo service iptables save' but it returns 'iptables: unrecognized service' The 2 lines given in the answer work though. – Vagabond Jan 13 '17 at 16:25
@Vagabond https://unix.stackexchange.com/questions/52376/why-do-iptables-rules-disappear-when-restarting-my-debian-system – Kevin Zhu Oct 06 '18 at 05:04

score 35 · Answer 2 · answered Mar 14 '11 at 16:43

35

I'd recommend:

iptables -A INPUT -i lo -p tcp --dport $APP_PORT -j ACCEPT
iptables -A INPUT -p tcp --dport $APP_PORT -j DROP

Because, self-addressed packets do not necessarily have 127.0.0.1 as its source, but they all 'enter' from the lo interface.

Now, if you really want to understand iptables the first thing you should do is to download and print good diagrams explaining the relations of the netfilter tables. Here are two great ones:

http://en.m.wikipedia.org/wiki?search=iptables - very complex, but the refrence
http://vinojdavis.blogspot.com/2010/04/packet-flow-diagrams.html - the upper diagram is much more understandable, though not as complete

Finally, read a lot of iptables HOWTO's. The practical examples would help you get up-to-speed real quick :)

answered Mar 14 '11 at 16:43

pepoluan

5,038
4
47
72

ty! `lo` shows up for me after using these commands with the last command from this link http://www.cyberciti.biz/faq/howto-display-linux-iptables-loaded-rules/ `iptables -L -v -n --line-numbers` – Aug 25 '13 at 03:01
2

@Gracchus I find it much easier to use `iptables-save` , save the output to a file, edit it with `vim` or `emacs`, and reimport the edited file using `iptables-apply` – pepoluan Aug 25 '13 at 17:16
I think depending on the use case, the second rule should explicitly REJECT instead of drop silently. Is it dropped silently as a best practice? Is REJECT safe to use? – Mr. Doomsbuster Dec 31 '15 at 05:25
2

@tech-pro Yes, REJECT is safe to use. It depends on what you are trying to accomplish and whether you want to be courteous to people trying to use the port. REJECT will send back a TCP RST packet telling the client that the machine is up but the port is closed. If you are closing a port that people might legitimately expect to use, then REJECT is good. If you expect only port scanners then DROP is better. – Law29 Jan 05 '16 at 07:17
I had a web server running on the port that I want be accessible only via local host. In other to deny immediately to someone who uses from the browser I thought REJECT might be better. If it's dropped the browser hangs on till the timeout occurs. Does reject make sense in this use case? – Mr. Doomsbuster Jan 05 '16 at 13:31
@TechPro depends on whether you want to annoy people accessing that port or not :-) ... for ports that are not open to the public, only to localhost (by design), I put in `DROP`. So someone who's being nosy will have a practical joke played upon them. (Does not deter determined crackers, though, but a good lesson for too-nosy employees.) :D – pepoluan Jun 30 '16 at 07:42
1

@pepoluan Can you provide an example or two when self-addressed packets don't have `127.0.0.1` as their source address? – x-yuri Mar 14 '18 at 22:46
2

@x-yuri For example, I run `unbound` as DNS Cache, in front of `dnscrypt-proxy`. `unbound` binds to `127.0.53.1:53`, and `dnscrypt-proxy` binds to `127.0.53.2:53`. When an app requests either unbound or dnscrypt-proxy to resolve an FQDN, guess what source address will unbound/dnscrypt-proxy responds from? – pepoluan Apr 01 '18 at 08:50

score 0 · Answer 3 · answered Feb 28 '23 at 15:51

I had a similar problem. I configured iptables to deny incoming requests from all ports except the ones I specifically want to allow. I didn't bother to allow 27107 because I mistakenly reasoned that iptables affects only traffic from other hosts, and I don't need to expose this instance of mongodb to the outside world.

I was wrong about iptables. When I added this rule, it worked again:

-A INPUT -p tcp -m tcp -s localhost --dport 27017 -j ACCEPT

This tells netfilter to accept incoming traffic to port 27017 as long as it's from the local host.

If I want to access this instance of mongo from a different host (such as my laptop), I can still do so with an IP tunnel.

IPTables only allow localhost access

3 Answers3

Linked

Related