Iptables policy to accept incoming SSH and ICMP only
I ran the following iptables commands to allow incoming SSH and ICMP connections and block all others.
sudo iptables -F INPUT
sudo iptables --policy INPUT ACCEPT && sudo iptables --policy OUTPUT ACCEPT && sudo iptables --policy FORWARD ACCEPT
sudo iptables -I INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -I INPUT -p icmp -j ACCEPT
sudo iptables -I OUTPUT -p tcp --sport 5051 -j REJECT
sudo iptables -A INPUT -j REJECT
The resulting iptables listing looks like this:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT tcp -- anywhere anywhere match-set minuteman dst,dst tcp flags:FIN,SYN,RST,ACK/SYN reject-with icmp-port-unreachable
DOCKER-ISOLATION all -- anywhere anywhere
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp spt:ita-agent reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere match-set minuteman dst,dst tcp flags:FIN,SYN,RST,ACK/SYN reject-with icmp-port-unreachable
Chain DOCKER (1 references)
target prot opt source destination
Chain DOCKER-ISOLATION (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
I see that the line accepting SSH comes before the one that rejects all other traffic. But I am still not able to SSH into the machine.
Any clues why this is not working?
iptables
asked Aug 11 '17 at 8:29
Akhil Raina
What about accepting ssh OUTPUT?
– jiipeezz
Aug 11 '17 at 8:41
I don't need to accept SSH output
– Akhil Raina
Aug 11 '17 at 9:12
Yes, you need to accept output SSH traffic -- ( iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT )
– Vafa
Aug 11 '17 at 9:25
Actually, it works fine as long as I don't run the last rule:
sudo iptables -A INPUT -j REJECT
– Akhil Raina
Aug 11 '17 at 10:27
1 Answer
If you only need to allow SSH and ICMP:
# Flush the FW Rules
iptables -F
iptables -X
# Block all traffic
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Allow SSH: inbound to sshd, plus the replies sshd sends from source port 22
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
# Allow ICMP (ping)
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
edited 9 hours ago
Rui F Ribeiro
answered Aug 11 '17 at 9:43
Vafa
Shouldn't the allow statements be above the block statements
– Akhil Raina
Aug 16 '17 at 10:33
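The question (why does the trailing REJECT matter when the SSH ACCEPT precedes it?) and the comment above (must the allow rules come above the block?) both turn on how a chain is evaluated. As an added example that is not code from the original post or from iptables, this Python model walks constructed chains the way netfilter does: first match wins, the policy applies only when nothing matched, and sshd's replies leave with source port 22, so an OUTPUT chain that allows only --dport 22 needs a --sport 22 or conntrack ESTABLISHED rule (the point Vafa makes in the comments). Rule, packet and chain names are my own assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Added example, not from the original post or iptables; rules, packets and names are constructed.

@dataclass
class Packet:
    proto: str                      # "tcp", "udp", "icmp"
    dport: Optional[int] = None
    sport: Optional[int] = None
    ctstate: str = "NEW"            # what conntrack would report: NEW / ESTABLISHED / RELATED

@dataclass
class Rule:
    target: str                             # ACCEPT / DROP / REJECT
    proto: Optional[str] = None             # -p
    dport: Optional[int] = None             # --dport
    sport: Optional[int] = None             # --sport
    ctstate: Optional[frozenset] = None     # -m conntrack --ctstate A,B

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.sport is None or self.sport == p.sport)
                and (self.ctstate is None or p.ctstate in self.ctstate))

def verdict(chain: list, policy: str, p: Packet) -> str:
    """First matching rule wins. The policy is a fallback, not a rule, so it does not
    matter whether -P was issued before or after the -A/-I rules."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy

# Chains from the question: -I placed the ACCEPTs first, -A placed REJECT last; OUTPUT policy ACCEPT.
OP_INPUT = [Rule("ACCEPT", "icmp"), Rule("ACCEPT", "tcp", dport=22), Rule("REJECT")]
OP_OUTPUT = [Rule("REJECT", "tcp", sport=5051)]
# DROP-policy chains; this OUTPUT only allows traffic *to* port 22, which covers an
# outbound ssh client but not the replies sshd sends from source port 22.
DROP_INPUT = [Rule("ACCEPT", "tcp", dport=22), Rule("ACCEPT", "icmp")]
DPORT_ONLY_OUTPUT = [Rule("ACCEPT", "tcp", dport=22), Rule("ACCEPT", "icmp")]
# Same OUTPUT chain with a conntrack rule in front so replies to accepted flows pass.
STATEFUL_OUTPUT = [Rule("ACCEPT", ctstate=frozenset({"ESTABLISHED", "RELATED"}))] + DPORT_ONLY_OUTPUT

def ssh_roundtrip(input_chain: list, output_chain: list, policy: str) -> tuple:
    """Verdicts for an inbound SSH SYN and for sshd's reply to it."""
    syn = Packet("tcp", dport=22, sport=50000, ctstate="NEW")
    reply = Packet("tcp", dport=50000, sport=22, ctstate="ESTABLISHED")
    return verdict(input_chain, policy, syn), verdict(output_chain, policy, reply)

if __name__ == "__main__":
    print(ssh_roundtrip(OP_INPUT, OP_OUTPUT, "ACCEPT"))              # ('ACCEPT', 'ACCEPT')
    print(ssh_roundtrip(DROP_INPUT, DPORT_ONLY_OUTPUT, "DROP"))      # ('ACCEPT', 'DROP')
    print(ssh_roundtrip(DROP_INPUT, STATEFUL_OUTPUT, "DROP"))        # ('ACCEPT', 'ACCEPT')
```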