Iptables policy to accept incoming SSH and ICMP only



I ran the following iptables commands to allow incoming SSH and ICMP connections and block all others.



sudo iptables -F INPUT
sudo iptables --policy INPUT ACCEPT && sudo iptables --policy OUTPUT ACCEPT && sudo iptables --policy FORWARD ACCEPT
sudo iptables -I INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -I INPUT -p icmp -j ACCEPT
sudo iptables -I OUTPUT -p tcp --sport 5051 -j REJECT
sudo iptables -A INPUT -j REJECT


The resulting iptables listing looks like this:



Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT tcp -- anywhere anywhere match-set minuteman dst,dst tcp flags:FIN,SYN,RST,ACK/SYN reject-with icmp-port-unreachable
DOCKER-ISOLATION all -- anywhere anywhere
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp spt:ita-agent reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere match-set minuteman dst,dst tcp flags:FIN,SYN,RST,ACK/SYN reject-with icmp-port-unreachable

Chain DOCKER (1 references)
target prot opt source destination

Chain DOCKER-ISOLATION (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere


I see that the line accepting SSH comes before the one that rejects all other traffic. But I am still not able to SSH into the machine.



Any clues why this is not working?










asked Aug 11 '17 at 8:29 by Akhil Raina












  • What about accepting ssh OUTPUT?

    – jiipeezz
    Aug 11 '17 at 8:41











  • I don't need to accept SSH output

    – Akhil Raina
    Aug 11 '17 at 9:12











  • Yes, you need to accept output SSH traffic -- ( iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT )

    – Vafa
    Aug 11 '17 at 9:25











  • Actually, it works fine as long as I don't run the last rule: sudo iptables -A INPUT -j REJECT

    – Akhil Raina
    Aug 11 '17 at 10:27


















1 Answer
If you only need to allow SSH and ICMP:

# Flush the FW rules
iptables -F
iptables -X

# Block all traffic by default. A policy is the chain's fallback, not a rule:
# it applies only to packets that no rule in the chain matched, so it can be
# set before the ACCEPT rules below. Keep console access while running this:
# if the script stops between these lines and the ACCEPT rules, a remote
# session has nothing that lets it through.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Allow loopback and the replies to connections this host opened itself
# (DNS lookups, package updates); with a DROP policy and no conntrack rule
# those replies are silently dropped.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow incoming SSH: new connections to port 22 in, and sshd's replies
# (source port 22) out. "--dport 22" on OUTPUT would only permit ssh clients
# running on this host, and with OUTPUT policy DROP the incoming session
# would hang.
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

# Allow ICMP (ping)
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT





answered Aug 11 '17 at 9:43 by Vafa
edited 9 hours ago by Rui F Ribeiro












  • Shouldn't the allow statements be above the block statements?

    – Akhil Raina
    Aug 16 '17 at 10:33
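A way to check what these chains actually do, added here as an example and not part of the question, the answer or any iptables tool: a small first-match model of a filter chain in Python. It encodes the INPUT chain from the question's listing, the OUTPUT chain from the answer as posted and with --sport 22, and the chain's default policy as a separate fallback. That separation is what the comment about putting allow statements above block statements comes down to: -P sets the chain's policy, not a rule, so it is consulted only after every rule has failed to match, whatever order the commands were typed in. The packets are constructed for the example (an inbound SSH SYN, sshd's reply, a DNS reply to a query this host sent, a loopback packet, an HTTP SYN); the model matches only on protocol, ports, conntrack state and interface, and ignores addresses, the ipset rules and the Docker chains.

```python
# Added example (not code from the question or the answer): a minimal
# first-match model of an iptables filter chain. It models only the matches
# used on this page (-p, --dport, --sport, -m conntrack --ctstate, -i/-o)
# and ignores addresses, ipsets and the Docker chains.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    sport: Optional[int] = None
    state: str = "NEW"               # what conntrack would report for it
    iface: str = "eth0"              # -i for INPUT, -o for OUTPUT


@dataclass(frozen=True)
class Rule:
    target: str                      # ACCEPT, DROP or REJECT
    proto: Optional[str] = None
    dport: Optional[int] = None
    sport: Optional[int] = None
    states: FrozenSet[str] = frozenset()   # empty: no --ctstate match
    iface: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.sport is None or self.sport == p.sport)
                and (not self.states or p.state in self.states)
                and (self.iface is None or self.iface == p.iface))


def verdict(chain: List[Rule], policy: str, p: Packet) -> str:
    """First matching rule decides. The policy is not a rule: it applies only
    when nothing matched, so setting it with -P before or after the -A/-I
    rules gives the same result."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy


ESTABLISHED = frozenset({"ESTABLISHED", "RELATED"})

# INPUT chain exactly as listed in the question (policy ACCEPT, REJECT last).
QUESTION_INPUT = [
    Rule("ACCEPT", proto="icmp"),
    Rule("ACCEPT", proto="tcp", dport=22),
    Rule("REJECT"),
]

# Same intent with loopback and a conntrack rule allowed, DROP as policy.
FIXED_INPUT = [
    Rule("ACCEPT", iface="lo"),
    Rule("ACCEPT", states=ESTABLISHED),
    Rule("ACCEPT", proto="icmp"),
    Rule("ACCEPT", proto="tcp", dport=22),
]

# OUTPUT chain as posted in the answer (--dport 22) and with --sport 22.
ANSWER_OUTPUT_POSTED = [Rule("ACCEPT", proto="tcp", dport=22),
                        Rule("ACCEPT", proto="icmp")]
ANSWER_OUTPUT_FIXED = [Rule("ACCEPT", proto="tcp", sport=22),
                       Rule("ACCEPT", proto="icmp")]

# Constructed packets for the example, not captured traffic.
SSH_SYN = Packet("tcp", dport=22, sport=51234)                          # inbound login
SSH_REPLY = Packet("tcp", dport=51234, sport=22, state="ESTABLISHED")   # sshd -> client
DNS_REPLY = Packet("udp", dport=40000, sport=53, state="ESTABLISHED")   # answer to this host's own query
LOOPBACK = Packet("udp", dport=53, iface="lo")                          # process -> local resolver
HTTP_SYN = Packet("tcp", dport=80)                                      # service nobody wanted open

INBOUND = [("ssh", SSH_SYN), ("dns_reply", DNS_REPLY),
           ("loopback", LOOPBACK), ("http", HTTP_SYN)]


def question_verdicts() -> Dict[str, str]:
    return {name: verdict(QUESTION_INPUT, "ACCEPT", p) for name, p in INBOUND}


def fixed_verdicts() -> Dict[str, str]:
    return {name: verdict(FIXED_INPUT, "DROP", p) for name, p in INBOUND}


def answer_output_verdicts() -> Dict[str, str]:
    return {"posted": verdict(ANSWER_OUTPUT_POSTED, "DROP", SSH_REPLY),
            "fixed": verdict(ANSWER_OUTPUT_FIXED, "DROP", SSH_REPLY)}


if __name__ == "__main__":
    print("question INPUT:          ", question_verdicts())
    print("fixed INPUT:             ", fixed_verdicts())
    print("answer OUTPUT, sshd reply:", answer_output_verdicts())
```

Two things the question's INPUT chain does that its listing does not make obvious show up in the output: without an ESTABLISHED,RELATED rule the catch-all REJECT also answers the return half of every connection the host itself opens, and it rejects loopback traffic. Whether either of those is what broke the login on that host cannot be told from the post; the packet counters of `iptables -L INPUT -n -v`, or a `-j LOG` rule inserted just before the REJECT, would show which packets are hitting it. The model also shows why the answer's OUTPUT rule needs --sport 22 once OUTPUT's policy is DROP: --dport 22 matches only ssh clients running on the host, so sshd's own replies fall through to the policy.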
















