
I'm trying to block everything on my server except for some specific IP ranges. There should be no access from the web, to SSH, or to anything else.

I searched already through different topics and found a solution which sounds fine:

iptables -P INPUT DROP
iptables -A INPUT -s IP/24 -j ACCEPT

Actually the drop works as it should, but as soon as I execute the command I'm disconnected. I'm connected through an SSH client. I also tried to create a bash script, but after the drop it drops me as well, and it seems that the script doesn't finish.

What can I do to achieve my goal?

  • Try changing the order of execution: ACCEPT first and then change the policy; also you can try `iptables -A INPUT -s IP/24 -j ACCEPT` and then `iptables -A INPUT -j DROP` – ananthan Sep 02 '14 at 10:44
  • Am I correct that the IP ranges can be allowed by `iptables -A INPUT -s 10.10.0.0/24 -j ACCEPT`, so that `10.10.0.0`-`10.10.255.255` is allowed? If yes, then I tried it already before and it dropped me as well. The IP is correct. – Michael Schneider Sep 02 '14 at 10:46
  • No. `10.10.0.0/24` runs from `10.10.0.0` to `10.10.0.255`; you perhaps want `10.10.0.0/16`. – MadHatter Sep 02 '14 at 10:47
  • Wonderful. That worked, in combination with @ananthan's way and the correct usage of subnets from MadHatter. – Michael Schneider Sep 02 '14 at 10:50

2 Answers


You should first allow localhost connections and then your IP address or your network.

Example: if your IP address is something like 192.168.1.20, you can allow only your IP address or the entire network.

# Allow loopback traffic (match the interface rather than 127.0.0.1 as a
# source address, so a spoofed 127.0.0.1 arriving on eth0 is not accepted)
iptables -A INPUT -i lo -j ACCEPT

# Allow my IP address.
iptables -A INPUT -s 192.168.1.20/32 -j ACCEPT

# ... or allow my entire network (the network address is 192.168.1.0, not .1)
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT

# Filter invalid packets
iptables -A INPUT -m state --state INVALID -j DROP

# Drop some custom ports (for everyone not matched by the ACCEPT rules above)
iptables -A INPUT -p tcp -m tcp --dport 22 -j DROP
iptables -A INPUT -p tcp -m tcp --dport 3306 -j DROP

# ... or allow some custom ports
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

# Allow related and established connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# And drop all the rest ("-s 0.0.0.0" would only match packets whose source
# address is literally 0.0.0.0; a rule with no match at all drops everything)
iptables -A INPUT -j DROP

These are just some examples, not the perfect solution. There is a lot more you can do with iptables.

You can also check the Ubuntu 14.04 Firewall man page.

Peycho Dimitrov

As ananthan has already noted, you should firstly reverse the order in which you set policy and exception. If you set the policy first your server has no way of knowing that you were just about to set an exception, and so locks you out. If you set the exception first, it will already be in place and exempting your traffic when the policy is set.

Secondly, if you want the IP range 10.10.0.0-10.10.255.255, you need a broader netmask. Try 10.10.0.0/16 instead. You may also find our canonical question on IPv4 subnetting to be useful.

Finally, thank you for being so gracious in regard to the answer to this question (readers with enough privilege to see deleted answers will know what I mean); if ananthan comes along later and writes one, I'll be delighted to withdraw my answer in his/her favour.

MadHatter
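Putting both answers together, as an added example that is not part of either answer or of the original question: a bash script that writes the allow rules first (loopback, established connections and the admin range), sets the DROP policy in the same atomic iptables-restore load, and arms a rollback timer in case the range turns out to be wrong. The 10.10.0.0/16 sample range, the /run/fw-rollback.* paths, the 300-second timeout and the helper names are assumptions made for this example; cidr_range is a small helper included so that the /24 vs /16 mistake from the comments can be caught before the rules reach a remote box.

```bash
#!/usr/bin/env bash
# Added example (not from the answers above): lock INPUT down to an admin
# allowlist over SSH without cutting your own session.
#   1. Allow rules (loopback, established connections, the admin range) are
#      written BEFORE the DROP policy, and the whole filter table is loaded
#      by one atomic iptables-restore, so there is never a moment with the
#      policy at DROP and no exceptions in place.
#   2. The current SSH session survives via conntrack (RELATED,ESTABLISHED)
#      even if the admin range was typed wrong, because iptables-restore
#      replaces the rules but does not flush the connection table.
#   3. A background timer puts the previous rules back unless you cancel it,
#      so a mistake costs a few minutes instead of a trip to the console.
# Addresses, paths under /run and the timeout are assumptions for the example.
set -e

# cidr_range CIDR -> "first last" address of the block, so /24 vs /16 can be
# checked before it is trusted remotely. A bare address is treated as /32.
cidr_range() {
    local ip bits o1 o2 o3 o4 addr mask net bcast oldifs
    case $1 in
        */*) ip=${1%/*}; bits=${1#*/} ;;
        *)   ip=$1; bits=32 ;;
    esac
    oldifs=$IFS
    IFS=.; set -- $ip; IFS=$oldifs
    o1=$1; o2=$2; o3=$3; o4=$4
    addr=$(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
    mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    net=$(( addr & mask ))
    bcast=$(( net | (~mask & 0xFFFFFFFF) ))
    printf '%d.%d.%d.%d %d.%d.%d.%d\n' \
        $(( (net >> 24) & 255 ))   $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 ))    $(( net & 255 )) \
        $(( (bcast >> 24) & 255 )) $(( (bcast >> 16) & 255 )) \
        $(( (bcast >> 8) & 255 ))  $(( bcast & 255 ))
}

# build_ruleset CIDR... -> iptables-restore text for the filter table. The
# policy is DROP, but the ACCEPT rules are part of the same atomic load.
build_ruleset() {
    local cidr
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    for cidr in "$@"; do
        printf '%s\n' "-A INPUT -s $cidr -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# apply_with_rollback SECONDS CIDR... : save the live rules, load the new set
# atomically, and arm a timer that restores the old rules. If you can still
# log in afterwards, disarm it with:  kill "$(cat /run/fw-rollback.pid)"
# Needs root.
apply_with_rollback() {
    local delay=$1; shift
    iptables-save > /run/fw-rollback.rules
    ( sleep "$delay" && iptables-restore < /run/fw-rollback.rules ) &
    echo $! > /run/fw-rollback.pid
    build_ruleset "$@" | iptables-restore
}

# Dry run by default (prints the ranges and the ruleset); pass --apply to
# really load it, e.g.:  sudo ./lockdown.sh --apply 10.10.0.0/16
if [ "${1:-}" = "--apply" ]; then
    shift
    apply_with_rollback 300 "$@"
else
    [ $# -gt 0 ] || set -- 10.10.0.0/16   # constructed sample range for the dry run
    for c in "$@"; do echo "$c covers $(cidr_range "$c")"; done
    build_ruleset "$@"
fi
```

Run it without arguments first and read the output: the dry run prints `10.10.0.0/16 covers 10.10.0.0 10.10.255.255`, which is the check that would have caught the /24 in the question. When the rules are live and a fresh SSH login from the allowed range works, kill the rollback timer; if the login fails, do nothing and the old rules come back after the timeout.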