Question

0

Iptables that only allow incoming traffic to OpenSSH and block all other traffic

rated 0 times [ 0] [ 0] / answers: 1 / hits: 979 / 2 Years ago, mon, february 14, 2022, 3:53:14

I need to configure a firewall using iptables that only allows incoming traffic to the openssh services and block all other traffic. I know how to block all incoming traffic but don't know how to only allow incoming traffic to the openssh and block all other incoming traffic simultaneously. I also need the ssh to be logged as "ssh traffic" and all the other blocked traffic to be logged as "blocked traffic". Any help would be much appreciated.

Thanks guys

Answers

Only authorized users can answer the question. Please sign in first, or register a free account.

ickump

Add To Favorites

Follow

Total Points: 234

Total Questions: 124

Total Answers: 111

Location: Jordan

Member since Fri, Apr 8, 2022

2 Years ago

ickump questions

1 What is the Super key?

Mon, Aug 16, 21, 08:46, 3 Years ago

1 Encrypted disk not available in boot process after distro upgrade

Thu, Mar 3, 22, 06:29, 2 Years ago

1 identify M.2 SSD from BASH Script

Mon, Aug 22, 22, 02:44, 2 Years ago

1 Correct way to execute a script on resume from suspend

Sun, Oct 2, 22, 07:13, 2 Years ago

1 "ERROR (dkms apport): kernel package linux-headers-5.8.0-34-generic is not supported" while installing Virtualbox on Ubuntu 20.04 LTS

Sat, Oct 15, 22, 20:24, 2 Years ago

View All

answered 2 Years ago oatglori · Accepted Answer

Here is an iptables rules creating script:

#!/bin/sh

FWVER=0.01

#

# ask1368071 Smythies 2021.10.08 Ver:0.01

#       See here:

#       https://askubuntu.com/questions/1368071/iptables-that-only-allow-incoming-traffic-to-openssh-and-block-all-other-traffic

#       run as sudo on s19.

#       log entries are only for each NEW ssh packet. It seems unreasonable to log every ssh packet, but it could be done.

#



echo "Loading ask1368071 rule set version $FWVER..

"



# The location of the iptables program

#

IPTABLES=/sbin/iptables



#Setting the EXTERNAL and INTERNAL interfaces and addresses for the network

#

# Set for Smythies s19 computer (for testing). Edit for ask1368071's computer.

EXTIF="br0"

EXTIP="192.168.111.136"

NETWORK="192.168.111.0/24"

UNIVERSE="0.0.0.0/0"



# Clearing any previous configuration

# Be careful here. I can do this on s19, but do not know

# about Nigel's computer.

#

echo "  Clearing any existing rules and setting default policies.."

$IPTABLES -P INPUT DROP

$IPTABLES -F INPUT

$IPTABLES -P OUTPUT ACCEPT

$IPTABLES -F OUTPUT

$IPTABLES -P FORWARD ACCEPT

$IPTABLES -F FORWARD

$IPTABLES -t nat -F



# Delete user defined chains

$IPTABLES -X

# Reset all IPTABLES counters

$IPTABLES -Z

# Smythies: While my references do not have it, I think this is needed.

$IPTABLES -t nat -Z



# loopback interfaces are valid.

#

$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT



# Allow any related traffic coming back to the server in.

# (Nigel did not ask for this, but I am assuming it is needed.)

$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT



# Allow and log new SSH connections

#

$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -p tcp -s $UNIVERSE -d $EXTIP --dport 22 -j LOG --log-prefix "ssh traffic:" --log-level info

$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -p tcp -s $UNIVERSE -d $EXTIP --dport 22 -j ACCEPT



# Do not allow in anything else

# Could also just fall through to default policy here, but sometimes a logging rule is also desired.

#

$IPTABLES -A INPUT -i $EXTIF -j LOG --log-prefix "blocked traffic:" --log-level info

$IPTABLES -A INPUT -i $EXTIF -j DROP



# Done.

#

echo ask1368071 rule set version $FWVER done.

Here is a listing after a new ssh session has been started:

doug@s19:~/iptables/misc$ sudo iptables -xvnL

Chain INPUT (policy DROP 0 packets, 0 bytes)

    pkts      bytes target     prot opt in     out     source               destination

       0        0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

      66     5465 ACCEPT     all  --  br0    *       0.0.0.0/0            192.168.111.136      state RELATED,ESTABLISHED

       1       52 LOG        tcp  --  br0    *       0.0.0.0/0            192.168.111.136      state NEW tcp dpt:22 LOG flags 0 level 6 prefix "ssh traffic:"

       1       52 ACCEPT     tcp  --  br0    *       0.0.0.0/0            192.168.111.136      state NEW tcp dpt:22

      18     1382 LOG        all  --  br0    *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "blocked traffic:"

      18     1382 DROP       all  --  br0    *       0.0.0.0/0            0.0.0.0/0



Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

    pkts      bytes target     prot opt in     out     source               destination



Chain OUTPUT (policy ACCEPT 56 packets, 8793 bytes)

    pkts      bytes target     prot opt in     out     source               destination

Here are some log entries. Opps, I have busted my samba share:

Oct  8 08:07:15 s19 kernel: [249075.860342] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=41 TOS=0x00 PREC=0x00 TTL=128 ID=53951 DF PROTO=TCP SPT=50044 DPT=445 WINDOW=8209 RES=0x00 ACK URGP=0

Oct  8 08:07:16 s19 kernel: [249076.878329] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=41 TOS=0x00 PREC=0x00 TTL=128 ID=53957 DF PROTO=TCP SPT=50044 DPT=445 WINDOW=8209 RES=0x00 ACK URGP=0

Oct  8 08:07:17 s19 kernel: [249077.896198] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=41 TOS=0x00 PREC=0x00 TTL=128 ID=53959 DF PROTO=TCP SPT=50044 DPT=445 WINDOW=8209 RES=0x00 ACK URGP=0

Oct  8 08:07:18 s19 kernel: [249078.914012] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=41 TOS=0x00 PREC=0x00 TTL=128 ID=53960 DF PROTO=TCP SPT=50044 DPT=445 WINDOW=8209 RES=0x00 ACK URGP=0

Oct  8 08:07:19 s19 kernel: [249079.931823] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=41 TOS=0x00 PREC=0x00 TTL=128 ID=53961 DF PROTO=TCP SPT=50044 DPT=445 WINDOW=8209 RES=0x00 ACK URGP=0

Oct  8 08:07:20 s19 kernel: [249080.934176] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=41 TOS=0x00 PREC=0x00 TTL=128 ID=53962 DF PROTO=TCP SPT=50044 DPT=445 WINDOW=8209 RES=0x00 ACK URGP=0

Oct  8 08:07:20 s19 kernel: [249081.115999] blocked traffic:IN=br0 OUT= MAC=ff:ff:ff:ff:ff:ff:80:7d:3a:19:ea:59:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=336 TOS=0x00 PREC=0x00 TTL=128 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=316

Oct  8 08:07:20 s19 kernel: [249081.132297] blocked traffic:IN=br0 OUT= MAC=ff:ff:ff:ff:ff:ff:80:7d:3a:19:ea:59:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=336 TOS=0x00 PREC=0x00 TTL=128 ID=1 PROTO=UDP SPT=68 DPT=67 LEN=316

Oct  8 08:07:21 s19 kernel: [249081.936134] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=41 TOS=0x00 PREC=0x00 TTL=128 ID=53964 DF PROTO=TCP SPT=50044 DPT=445 WINDOW=8209 RES=0x00 ACK URGP=0

Oct  8 08:07:22 s19 kernel: [249082.938594] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=41 TOS=0x00 PREC=0x00 TTL=128 ID=53965 DF PROTO=TCP SPT=50044 DPT=445 WINDOW=8209 RES=0x00 ACK URGP=0

Oct  8 08:07:23 s19 kernel: [249083.956556] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=41 TOS=0x00 PREC=0x00 TTL=128 ID=53966 DF PROTO=TCP SPT=50044 DPT=445 WINDOW=8209 RES=0x00 ACK URGP=0

Oct  8 08:07:24 s19 kernel: [249084.958914] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=41 TOS=0x00 PREC=0x00 TTL=128 ID=53967 DF PROTO=TCP SPT=50044 DPT=445 WINDOW=8209 RES=0x00 ACK URGP=0

Oct  8 08:07:25 s19 kernel: [249085.976907] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=53968 DF PROTO=TCP SPT=50044 DPT=445 WINDOW=0 RES=0x00 ACK RST URGP=0

Oct  8 08:07:25 s19 kernel: [249085.981353] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=53969 DF PROTO=TCP SPT=61348 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0

Oct  8 08:07:26 s19 kernel: [249086.985732] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=53970 DF PROTO=TCP SPT=61348 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0

Oct  8 08:07:28 s19 kernel: [249089.005970] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=53971 DF PROTO=TCP SPT=61348 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0

Oct  8 08:07:32 s19 kernel: [249093.012998] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=53973 DF PROTO=TCP SPT=61348 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0

Oct  8 08:07:35 s19 kernel: [249096.205252] ssh traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=53974 DF PROTO=TCP SPT=61351 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0

Oct  8 08:07:40 s19 systemd[1]: Started Session 222 of user doug.

Oct  8 08:07:40 s19 kernel: [249101.031397] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=53989 DF PROTO=TCP SPT=61348 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0

Oct  8 08:07:46 s19 kernel: [249107.046666] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=53997 DF PROTO=TCP SPT=61352 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0

Oct  8 08:07:47 s19 kernel: [249108.061299] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=53998 DF PROTO=TCP SPT=61352 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0

Oct  8 08:07:49 s19 kernel: [249110.065547] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=53999 DF PROTO=TCP SPT=61352 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0

Oct  8 08:07:53 s19 kernel: [249114.090375] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=54001 DF PROTO=TCP SPT=61352 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0

Oct  8 08:08:01 s19 kernel: [249122.092377] blocked traffic:IN=br0 OUT= MAC=3c:7c:3f:0d:99:83:04:d4:c4:93:f4:55:08:00 SRC=192.168.111.122 DST=192.168.111.136 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=54021 DF PROTO=TCP SPT=61352 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0