How should I build iptables rules with the following requirements?

  1. Filter traffic on port 12001 to allow tcp/udp
  2. Filter should allow only one single IP sending traffic to the port 12001. Any other IP is NOT allowed to send any traffic but ONLY for this port.
  3. Any traffic for any other ports is allowed (ACCEPT ALL)

OS: CentOS 6.5 / RH 6.5

1 Answer

The answer to all such questions is in the way iptables processes rules, i.e., first dispositive match wins. That means you write your most specific rule first, moving out to the least specific; e.g.:

iptables -A INPUT -p tcp --dport 12001 -s a.b.c.d -j ACCEPT
iptables -A INPUT -p tcp --dport 12001 -j REJECT
# the same pair for UDP...
iptables -A INPUT -p udp --dport 12001 -s a.b.c.d -j ACCEPT
iptables -A INPUT -p udp --dport 12001 -j REJECT
# ...and then everything else
iptables -A INPUT -j ACCEPT

The first allows traffic from the specified favoured address (here, a.b.c.d) to the specified port (12001); the second refuses all other traffic to that port; the third allows everything else.

As a result, rule 2 doesn't have to contain an exception for the approved traffic, because rule 1 has already allowed it; the allowed traffic will never see rule 2, so won't be bothered by it. Similarly, rule 3 doesn't have to deal with refusing most of the traffic to port 12001, because rule 2 has already dealt with that.

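To make the first-match-wins point concrete, here is an added toy evaluator (example code written for this page, not the answerer's, and not real iptables): it parses the answer's rule lines, walks them top to bottom, and shows that the same five rules with the catch-all ACCEPT placed first let everything through. The favoured address `203.0.113.10` and the sample packets are constructed stand-ins for `a.b.c.d`.

```python
import shlex
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    target: str                   # -j ACCEPT / REJECT
    proto: Optional[str] = None   # -p tcp|udp, None means any protocol
    dport: Optional[int] = None   # --dport, None means any port
    src: Optional[str] = None     # -s, None means any source

    def matches(self, proto: str, dport: int, src: str) -> bool:
        return ((self.proto is None or self.proto == proto)
                and (self.dport is None or self.dport == dport)
                and (self.src is None or self.src == src))

def parse_rule(cmd: str) -> Rule:
    """Parse the subset of 'iptables -A INPUT ...' syntax used in the answer."""
    argv = shlex.split(cmd)
    flags = {"-p": None, "--dport": None, "-s": None, "-j": None}
    for i, tok in enumerate(argv):
        if tok in flags:
            flags[tok] = argv[i + 1]
    if flags["-j"] not in ("ACCEPT", "REJECT"):
        raise ValueError(f"unsupported target in: {cmd}")
    return Rule(flags["-j"], flags["-p"],
                int(flags["--dport"]) if flags["--dport"] else None, flags["-s"])

def evaluate(chain: List[Rule], proto: str, dport: int, src: str,
             policy: str = "ACCEPT") -> str:
    """Walk the chain top to bottom: the first dispositive match decides."""
    for rule in chain:
        if rule.matches(proto, dport, src):
            return rule.target
    return policy  # nothing matched, so the chain policy applies

FAVOURED = "203.0.113.10"  # constructed stand-in for a.b.c.d (documentation range)
CORRECT = [parse_rule(c) for c in (
    f"iptables -A INPUT -p tcp --dport 12001 -s {FAVOURED} -j ACCEPT",
    "iptables -A INPUT -p tcp --dport 12001 -j REJECT",
    f"iptables -A INPUT -p udp --dport 12001 -s {FAVOURED} -j ACCEPT",
    "iptables -A INPUT -p udp --dport 12001 -j REJECT",
    "iptables -A INPUT -j ACCEPT",
)]
WRONG = [CORRECT[-1]] + CORRECT[:-1]  # catch-all first: every packet is ACCEPTed

if __name__ == "__main__":
    for pkt in [("tcp", 12001, FAVOURED), ("udp", 12001, "198.51.100.7"), ("tcp", 22, "198.51.100.7")]:
        print(pkt, "correct:", evaluate(CORRECT, *pkt), "wrong:", evaluate(WRONG, *pkt))
```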
  • @Leo you're welcome. This is a commonly-misunderstood point, so I thought it worth covering in orderly detail. If you think your question has been answered, don't forget to accept the answer by clicking on the "tick" outline next to it, which will put the question to bed (as it were). My apologies if you already know this. – MadHatter Feb 26 '16 at 14:19
  • Sure. I am new here. However I still have an issue... :( – Leo Feb 26 '16 at 14:31
  • @Leo no worries, we were all new here once. Though since you are, may I note that *SF is not a discussion forum*. Your "answer" below is *not* an answer, and you should probably delete it before it attracts moderator attention. If you think you have a new question, by all means post it, **but** note that `iptables -L -n -v` output is almost always a good idea, and that **tcpdump still sees forbidden traffic**, so you might want to check your assumptions before posting. – MadHatter Feb 26 '16 at 14:36
  • @Leo also, this question is collecting downvotes, probably because it shows no signs of your having done any research before posting it. If you're going to post another one, I **strongly** recommend that you do your homework **first**. Just a word to the wise! – MadHatter Feb 26 '16 at 14:40
  • Thanks a lot for all your comments and all your recommendations. Sorry for that. I will be more careful next time. – Leo Feb 26 '16 at 14:42
  • @Leo no worries, and thanks for your courtesy in the face of my onslaught of words! Welcome to SF, and I hope you stay around for a while. – MadHatter Feb 26 '16 at 14:45