I would like to use the Linux command iptables to only allow IPs from the same subnet to access a server. What I would like to do is to allow any services from 10.168.1.0 to this server. Could you advise whether all I need to do is run the following commands on the server, with no need to do anything else? Thanks

/sbin/iptables -A INPUT -p tcp -s 10.168.1.0 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -s 10.168.1.0 -j ACCEPT
    iptables rules are position-dependent, so we can do nothing without seeing your whole ruleset. Could you please edit the output of `iptables -L -n -v` into your question? – MadHatter Jan 22 '14 at 10:56

2 Answers


I'm assuming your network is a /24 (if not, change the CIDR/netmask in the command).

iptables -A INPUT -p tcp -s 10.168.1.0/24 -j ACCEPT
iptables -P INPUT DROP

The first command will allow all TCP connections from 10.168.1.0/24, and the second will set the default policy for INPUT to DROP (if a packet is not matched by the first rule, it will be dropped).

PS: this will also block any incoming UDP packets (including DNS etc.) and all other connections from outside (e.g. you won't be able to receive data from outside). It is advisable to also add:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

which will allow return packets from connections you've established from the server.

mulaz

If you want to allow a full subnet you have to specify the subnet as source.

Also, if you want to allow any services you should remove -p tcp because it just allows TCP protocol.

Then, you will need to drop unwanted traffic.

iptables -A INPUT -s 10.168.1.0/24 -j ACCEPT
iptables -P INPUT DROP

You certainly don't need the OUTPUT chain if you set up iptables to be stateful. In that case, the rules will be:

iptables -A INPUT -s 10.168.1.0/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT DROP

If, for some reason, the server has to initiate connections to subnet hosts, the use of the OUTPUT chain is needed, but the source IP -s should be your server IP address (it can also be omitted), and you can specify the destination to only allow the given subnet:

iptables -A OUTPUT -s serverip -d 10.168.1.0/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# or
iptables -A OUTPUT -d 10.168.1.0/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# in both cases
iptables -P OUTPUT DROP
krisFR
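Added example (not from either answer): a POSIX sh script that emits the stateful INPUT-only ruleset krisFR describes, in an order that will not cut off an existing session from the allowed subnet while the rules are being changed. It assumes iptables at /sbin/iptables and uses `-m conntrack --ctstate`, the current equivalent of the `-m state --state` match used above; the 10.168.1.0/24 subnet is taken from the question.

```shell
#!/bin/sh
# Generate (and optionally apply) a "same subnet only" INPUT ruleset.
# Rule order matters: loopback and already-established traffic are accepted
# before the default policy is switched to DROP, so the SSH session you are
# typing this into (if it comes from the allowed subnet) survives the change.
# The OUTPUT chain is left at its default ACCEPT; with conntrack in place it
# is not needed for replies, as the answer above notes.

IPT=${IPT:-/sbin/iptables}   # assumed location of the iptables binary

# build_ruleset CIDR  -> prints the iptables commands, one per line
build_ruleset() {
    subnet="$1"
    case "$subnet" in
        */*) ;;   # has a /prefix, good
        *)  echo "build_ruleset: '$subnet' has no /prefix; a bare address matches a single host" >&2
            return 1 ;;
    esac
    # Policy is reset to ACCEPT before the flush so an existing DROP policy
    # cannot strand the session while the chain is empty; the window closes
    # with the final -P INPUT DROP.
    cat <<EOF
$IPT -P INPUT ACCEPT
$IPT -F INPUT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -s $subnet -m conntrack --ctstate NEW -j ACCEPT
$IPT -P INPUT DROP
EOF
}

# apply_ruleset CIDR  -> runs the generated commands; stops at the first failure
apply_ruleset() {
    build_ruleset "$1" | sh -e
}

# Usage (as root):  apply_ruleset 10.168.1.0/24
# Dry run:          build_ruleset 10.168.1.0/24
```

Run `iptables -L INPUT -n -v` afterwards to confirm the rule order and the DROP policy, which is what the comment on the question asks for.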