Iptables policy to accept incoming SSH and ICMP only

I ran the following iptables commands to allow incoming SSH and ICMP connections and block all others.



sudo iptables -F INPUT
sudo iptables --policy INPUT ACCEPT && sudo iptables --policy OUTPUT ACCEPT && sudo iptables --policy FORWARD ACCEPT
sudo iptables -I INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -I INPUT -p icmp -j ACCEPT
sudo iptables -I OUTPUT -p tcp --sport 5051 -j REJECT
sudo iptables -A INPUT -j REJECT


The resulting iptables listing looks like this:



Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT tcp -- anywhere anywhere match-set minuteman dst,dst tcp flags:FIN,SYN,RST,ACK/SYN reject-with icmp-port-unreachable
DOCKER-ISOLATION all -- anywhere anywhere
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp spt:ita-agent reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere match-set minuteman dst,dst tcp flags:FIN,SYN,RST,ACK/SYN reject-with icmp-port-unreachable

Chain DOCKER (1 references)
target prot opt source destination

Chain DOCKER-ISOLATION (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere


I see that the line accepting SSH comes before the one that rejects all other traffic, but I am still not able to SSH into the machine.



Any clues why this is not working?










  • What about accepting ssh OUTPUT?

    – jiipeezz
    Aug 11 '17 at 8:41











  • I don't need to accept SSH output

    – Akhil Raina
    Aug 11 '17 at 9:12











  • Yes, you need to accept output SSH traffic -- ( iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT )

    – Vafa
    Aug 11 '17 at 9:25











  • Actually, it works fine as long as I don't run the last rule: sudo iptables -A INPUT -j REJECT

    – Akhil Raina
    Aug 11 '17 at 10:27


















asked Aug 11 '17 at 8:29









Akhil Raina

1 Answer

If you only need to allow SSH and ICMP:



# Flush the FW rules and delete user-defined chains
iptables -F
iptables -X

# Block all traffic by default (a policy is only the fallback used when no
# rule matches, so the ACCEPT rules appended below still take effect)
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Allow SSH: new connections in to port 22, and sshd's replies back out
# (replies leave with source port 22, so the OUTPUT rule must match --sport)
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Allow ICMP (ping)
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT





  • Shouldn't the allow statements be above the block statements

    – Akhil Raina
    Aug 16 '17 at 10:33











edited 9 hours ago









Rui F Ribeiro

answered Aug 11 '17 at 9:43









Vafa
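The rulesets discussed in the question and the answer can be checked against a small model of iptables first-match evaluation. This is an added example, not code from the question or the answer: it models chain traversal in Python instead of running iptables, and the packets, the interface name "eth0" and the port numbers are constructed. It shows that the asker's appended catch-all REJECT also rejects loopback traffic and replies to the host's own DNS queries, that an OUTPUT rule matching only --dport 22 does not cover sshd's replies (which carry source port 22), and how a conntrack ESTABLISHED rule covers replies for any allowed service.

```python
# Added example (not from the question or the answer): a minimal model of how
# iptables walks a chain, used to check the rulesets discussed on this page.
# Packets and rules are constructed here; nothing touches the real firewall.
def match(rule, pkt):
    """A rule matches when every criterion it names equals the packet field."""
    return all(pkt.get(k) == v for k, v in rule.items() if k != "target")

def evaluate(chain, pkt):
    """First matching rule decides; with no match the chain policy applies."""
    for rule in chain["rules"]:
        if match(rule, pkt):
            return rule["target"]
    return chain["policy"]

# 1. The asker's INPUT chain: policy ACCEPT plus an appended catch-all REJECT.
ASKER_INPUT = {"policy": "ACCEPT", "rules": [
    {"proto": "icmp", "target": "ACCEPT"},
    {"proto": "tcp", "dport": 22, "target": "ACCEPT"},
    {"target": "REJECT"},                      # sudo iptables -A INPUT -j REJECT
]}

# 2. An OUTPUT chain with policy DROP that allows only --dport 22 (no --sport 22).
OUTPUT_DPORT_ONLY = {"policy": "DROP", "rules": [
    {"proto": "tcp", "dport": 22, "target": "ACCEPT"},
    {"proto": "icmp", "target": "ACCEPT"},
]}

# 3. A stateful variant (assumes conntrack is available): loopback first,
#    then packets of already established flows, then the two allowed services.
STATEFUL_INPUT = {"policy": "DROP", "rules": [
    {"iface": "lo", "target": "ACCEPT"},
    {"state": "ESTABLISHED", "target": "ACCEPT"},
    {"proto": "tcp", "dport": 22, "state": "NEW", "target": "ACCEPT"},
    {"proto": "icmp", "target": "ACCEPT"},
]}
STATEFUL_OUTPUT = {"policy": "DROP", "rules": [
    {"iface": "lo", "target": "ACCEPT"},
    {"state": "ESTABLISHED", "target": "ACCEPT"},
    {"proto": "icmp", "target": "ACCEPT"},
]}

# Constructed sample packets (interface name and port numbers are made up).
SSH_SYN_IN = {"proto": "tcp", "dport": 22, "sport": 51000, "state": "NEW", "iface": "eth0"}
SSHD_REPLY = {"proto": "tcp", "sport": 22, "dport": 51000, "state": "ESTABLISHED", "iface": "eth0"}
DNS_REPLY_IN = {"proto": "udp", "sport": 53, "dport": 40000, "state": "ESTABLISHED", "iface": "eth0"}
LOOPBACK_IN = {"proto": "tcp", "dport": 631, "sport": 40001, "state": "NEW", "iface": "lo"}
OTHER_PORT_IN = {"proto": "tcp", "dport": 5051, "sport": 40002, "state": "NEW", "iface": "eth0"}

def verdicts():
    """Verdict of each chain for each packet of interest."""
    return {
        "asker INPUT, incoming SSH SYN": evaluate(ASKER_INPUT, SSH_SYN_IN),
        "asker INPUT, reply to host's DNS query": evaluate(ASKER_INPUT, DNS_REPLY_IN),
        "asker INPUT, loopback packet": evaluate(ASKER_INPUT, LOOPBACK_IN),
        "OUTPUT with --dport 22 only, sshd reply": evaluate(OUTPUT_DPORT_ONLY, SSHD_REPLY),
        "stateful OUTPUT, sshd reply": evaluate(STATEFUL_OUTPUT, SSHD_REPLY),
        "stateful INPUT, reply to host's DNS query": evaluate(STATEFUL_INPUT, DNS_REPLY_IN),
        "stateful INPUT, new connection to port 5051": evaluate(STATEFUL_INPUT, OTHER_PORT_IN),
    }

if __name__ == "__main__":
    for what, verdict in verdicts().items():
        print(f"{what:45} -> {verdict}")
```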











