[Resolved] Iptable Not Restricting SSH by IP.

countryboy01
Posts: 12
Joined: 2014/08/23 03:05:12

[Resolved] Iptable Not Restricting SSH by IP.

Post by countryboy01 » 2015/03/01 06:13:07

My current Firewall Script:

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
^A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
INPUT 1 -p tcp -m tcp -s 123.123.123.123 --dport ssh -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

So I have tried many variations of trying to restrict the SSH by IP, but I can't seem to get anything to work. I'm honestly not looking for the answer. If anyone could assist me with a guide/article to help me understand iptables, and a few examples, I'm sure I can get the answer myself.
Last edited by countryboy01 on 2015/03/02 23:42:05, edited 1 time in total.

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Iptable Not Restricting SSH by IP.

Post by TrevorH » 2015/03/01 11:43:02

If that's a direct cut and paste of your current rules then you have several syntax errors in that:
^A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Should start with -A not ^A.
INPUT 1 -p tcp -m tcp -s 123.123.123.123 --dport ssh -j ACCEPT
This one's missing the -A altogether and shouldn't have a line number specified. It's also immediately followed by the more relaxed rule that allows ssh from anywhere, so it serves no purpose. If you really want to restrict ssh to only 123.123.123.123 then you should remove the following rule (or amend it to be more restrictive).
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

countryboy01
Posts: 12
Joined: 2014/08/23 03:05:12

Re: Iptable Not Restricting SSH by IP.

Post by countryboy01 » 2015/03/01 16:06:18

TrevorH wrote:If that's a direct cut and paste of your current rules then you have several syntax errors in that:
^A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Should start with -A not ^A.
INPUT 1 -p tcp -m tcp -s 123.123.123.123 --dport ssh -j ACCEPT
This one's missing the -A altogether and shouldn't have a line number specified. It's also immediately followed by the more relaxed rule that allows ssh from anywhere, so it serves no purpose. If you really want to restrict ssh to only 123.123.123.123 then you should remove the following rule (or amend it to be more restrictive).

Thank you Trevor. I just noticed the ^A myself. Always good to have a fresh pair of eyes. On the INPUT 1... I thought I removed that portion and had it started.

Yes, I am trying to restrict it so that only my internal LAN (192.168.1.0/24) and 3 external WAN IPs can access it (64.x.x.x, 73.x.x.x, 74.x.x.x). I know one rule can't do all three, and I don't mind doing separate rules. I'm just not that great at understanding the concept. Honestly I've read the man page for iptables, and that just throws me into more of a confusion. The commands that you run from the command line to insert the rules, I can't get those to work either, which is why I just vi into /etc/sysconfig/iptables. But I'll deal with that part later; I just need to find a way to understand the syntax to create the rules to block all but 1 range and 3 external IPs.

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Iptable Not Restricting SSH by IP.

Post by TrevorH » 2015/03/01 18:16:48

If you want to allow 3 separate IP addresses that are not close together then you'll need 3 separate rules for them. Your existing one for 123.123.123.123 looks good but since it's followed by one with no IP source address specified, that one catches all other ssh attempts and allows them so you'll have to remove that one. If you run iptables -nvL then it'll list your rules out with packet and byte counts so that you can see if your ssh attempt from 123.123.123.123 hits the right rule or not. If the packet count on that one is still 0 then don't remove the catch all rule since that's the one that's letting you in!

countryboy01
Posts: 12
Joined: 2014/08/23 03:05:12

Re: Iptable Not Restricting SSH by IP.

Post by countryboy01 » 2015/03/01 23:43:28

Hey Trevor,

So there is a specified order in which the rules need to go in as well? I apologize for sounding like an idiot on this, but I am one. I have not found decent material to help me understand how iptables work.

I went back and re-looked at my iptables. I'm not sure where those typos came from but below is my current config.

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2500 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Iptable Not Restricting SSH by IP.

Post by TrevorH » 2015/03/02 13:34:31

Rules are processed in order, from top to bottom. There is also a chain default policy like ":INPUT ACCEPT [0:0]" which means that if no rule matches then, in this case, ACCEPT the packet. If a rule is processed that matches and it jumps to -j ACCEPT then that packet is accepted and no more rules are processed. If a rule is processed that matches and jumps to REJECT or DROP then no more rules are processed and the packet is dropped or rejected. If it reaches the end of the rules without a match then it uses the chain policy to decide what to do.

With the rules you just posted, only existing connections are allowed plus NEW connections on tcp port 2500 from anywhere. In addition everything on the localhost interface is allowed as are all icmp packets on any interface.

countryboy01
Posts: 12
Joined: 2014/08/23 03:05:12

Re: Iptable Not Restricting SSH by IP.

Post by countryboy01 » 2015/03/02 23:41:44

TrevorH wrote:Rules are processed in order, from top to bottom. There is also a chain default policy like ":INPUT ACCEPT [0:0]" which means that if no rule matches then, in this case, ACCEPT the packet. If a rule is processed that matches and it jumps to -j ACCEPT then that packet is accepted and no more rules are processed. If a rule is processed that matches and jumps to REJECT or DROP then no more rules are processed and the packet is dropped or rejected. If it reaches the end of the rules without a match then it uses the chain policy to decide what to do.

With the rules you just posted, only existing connections are allowed plus NEW connections on tcp port 2500 from anywhere. In addition everything on the localhost interface is allowed as are all icmp packets on any interface.
Thank you for the insight. I started playing around with the rules, and was able to get it to work with the line:

-A INPUT -p tcp -s 192.168.1.103 --dport 2500 -j ACCEPT

----------------

Now my next goal is to set a rule that will log any and all SSH (whether successful or not). I'm not sure if it would be easier to set the rule in iptables, or to set it somewhere else. I will see if I can do research on that; as for this issue, I'm marking it resolved. Thanks for the much better understanding of it, Trevor.
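Building on Trevor's point that the first matching rule wins, here is an added example (not code from the thread) that writes the rule set the poster describes: SSH on port 2500 accepted only from the LAN range and three external hosts, with no unrestricted port-2500 rule after them, plus a lint that catches exactly the "from anywhere" rule that silently overrode the per-IP rule in the first post. The LAN range is the poster's; the three 203.0.113.x addresses are placeholders for the 64.x/73.x/74.x hosts the thread does not give in full.

```shell
#!/bin/sh
# Added example, not from the thread. Emits an /etc/sysconfig/iptables file that
# accepts SSH on the poster's port 2500 only from ALLOWED_SOURCES and rejects
# everything else. SSH_PORT and the 203.0.113.x entries are assumptions.
# Usage on CentOS 6: gen_rules > /etc/sysconfig/iptables && service iptables restart
SSH_PORT=2500
ALLOWED_SOURCES="192.168.1.0/24 203.0.113.10 203.0.113.20 203.0.113.30"

gen_rules() {
    printf '%s\n' '*filter' \
        ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -p icmp -j ACCEPT' \
        '-A INPUT -i lo -j ACCEPT'
    # One ACCEPT per source, all placed before the final REJECT. Rules are
    # evaluated top to bottom and the first match decides, so nothing that
    # accepts port 2500 without a -s source may follow these.
    for src in $ALLOWED_SOURCES; do
        printf '%s\n' "-A INPUT -m state --state NEW -p tcp -m tcp -s $src --dport $SSH_PORT -j ACCEPT"
    done
    printf '%s\n' \
        '-A INPUT -j REJECT --reject-with icmp-host-prohibited' \
        '-A FORWARD -j REJECT --reject-with icmp-host-prohibited' \
        'COMMIT'
}

# Lint a rules file on stdin: return 1 if any ACCEPT for the SSH port carries
# no -s source, i.e. the catch-all that makes the per-IP rules pointless.
lint_rules() {
    grep -- "--dport $SSH_PORT " | grep -- '-j ACCEPT' | grep -qv -- ' -s ' && {
        echo "unrestricted ACCEPT for port $SSH_PORT found" >&2
        return 1
    }
    return 0
}
```

After loading the file, `iptables -nvL INPUT` shows per-rule packet counters, so a test login from each allowed address should increment its own ACCEPT rule rather than a later one.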
