I want to block ICMP and limit SSH and HTTPD traffic to eth0. My original iptables looks like this:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
# Start Custom Rules
-A INPUT -p tcp --dport 6000 -j ACCEPT -m comment --comment "New application"
# End Custom Rules
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT

*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -p tcp --sport 22 -j MARK --set-mark 0x2
-A POSTROUTING -p tcp --sport 443 -j MARK --set-mark 0x2
COMMIT

I have amended the rule to drop ICMP traffic by changing ACCEPT to DROP:

-A INPUT -p icmp -j DROP (this works fine)

Then I amended the SSH rule

-I INPUT 3 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT to include -i eth0 to limit SSH connections to eth0 only.

But it does not block SSH connections on other interfaces.

I have changed the iptables to the following, but it is accepting SSH connections on all interfaces:

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:6000 /*New Application */
DROP all -- anywhere anywhere
DROP icmp -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

[root@CentoOS]# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6000 -m comment --comment "New Application" -j ACCEPT
-A INPUT -j DROP
-A INPUT -p icmp -j DROP
-A FORWARD -j DROP

Can someone tell me what is wrong with the rules and how to limit the traffic to eth0 only? I am new to iptables, so any help will be highly appreciated.
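As an added example (not part of the question or its comments), a small Python audit of the `iptables -S` output shown above: it flags rules that sit after an unconditional terminal rule in the same chain (the `-p icmp -j DROP` line after `-j DROP` can never match) and lists ACCEPT rules for a given port that carry no `-i` interface restriction. The sample dump is constructed from the questioner's final ruleset.

```python
"""Audit an `iptables -S` dump for shadowed rules and unrestricted port ACCEPTs.

Added example, not from the original question. It parses the rule-spec (-S)
output format shown in the question.
"""
import shlex

# Constructed sample: the questioner's final `iptables -S` output.
SAMPLE_DUMP = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6000 -m comment --comment "New Application" -j ACCEPT
-A INPUT -j DROP
-A INPUT -p icmp -j DROP
-A FORWARD -j DROP
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse_rules(dump):
    """Return (chain, match/target tokens) for each -A line, in ruleset order."""
    rules = []
    for line in dump.splitlines():
        tok = shlex.split(line)          # handles the quoted --comment value
        if len(tok) >= 2 and tok[0] == "-A":
            rules.append((tok[1], tok[2:]))
    return rules

def opt(tokens, flag):
    """Value following `flag` in a rule's tokens, or None if absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None

def shadowed_rules(dump):
    """Rules that can never match: an earlier rule in the same chain has no
    match criteria at all and jumps to a terminal target (e.g. `-A INPUT -j DROP`)."""
    dead, out = set(), []
    for chain, tok in parse_rules(dump):
        if chain in dead:
            out.append(" ".join(["-A", chain] + tok))
        elif len(tok) == 2 and tok[0] == "-j" and tok[1] in TERMINAL:
            dead.add(chain)
    return out

def unrestricted_accepts(dump, dport):
    """ACCEPT rules for `dport` that do not restrict the input interface (-i)."""
    return [" ".join(["-A", c] + t) for c, t in parse_rules(dump)
            if opt(t, "--dport") == str(dport) and opt(t, "-j") == "ACCEPT"
            and "-i" not in t]

if __name__ == "__main__":
    for r in shadowed_rules(SAMPLE_DUMP):
        print("never reached:", r)
    for port in (22, 443, 6000):
        for r in unrestricted_accepts(SAMPLE_DUMP, port):
            print(f"port {port} accepted on every interface:", r)
```

On the sample, port 22 comes back clean (the NEW rule is bound to eth0) while 443 and 6000 are accepted on every interface; a reachability test for the questioner's symptom would therefore have to look beyond the rule order, for instance at whether the running ruleset is the one shown or at already-ESTABLISHED sessions.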

  • You should set SSHD to listen only on the interface that uses the IP with which you want to answer. In your case, the IP that is set for eth0. The SSHD config looks like this: ListenAddress 0.0.0.0. Now, just change that to the IP you want to use. After that, set your iptables to whatever rules you want. – yield Sep 05 '19 at 15:04
  • The idea is to assign any IP to eth0. I don't want SSH to listen at 0.0.0.0 or any other IP which is assigned to eth1. – Wood Chipper Sep 05 '19 at 15:33
  • You would change ListenAddress 0.0.0.0 to the specific IP you want... ListenAddress 192.168.2.22, and make sure this IP is configured on the specific interface eth0. – yield Sep 05 '19 at 15:48
  • Thank you. That would work. Any idea how I can restrict httpd on 443 to specific IPs, please? – Wood Chipper Sep 05 '19 at 16:16
  • It is the same thing: you would (if you use Apache HTTPD, or another server) make it listen on a specific IP for port 443. Just do not use 0.0.0.0, as it would listen on any address for 443 connections. – yield Sep 06 '19 at 13:21

0 Answers