[Linux] Allow / block access from specific IP addresses and port numbers with iptables

This is a memo on how to configure iptables.

iptables is one of the Linux firewalls. By setting it up on a server you can restrict which hosts may reach that server (incoming traffic) and, if you want, which hosts the server itself may reach (outgoing traffic).

This time I had assigned a port number to each person in our company's test environment and had to configure iptables for that, so I am writing this as a memorandum from that time.

I will cover only the basic way of writing iptables rules, so I would be happy if it makes you think "Oh, I can use this in that situation".

- What is iptables?
- Basic way to write iptables
- Control access to IP addresses and ports

What is iptables

iptables is the firewall utility that comes as standard on Linux servers; it configures the packet filter built into the kernel. You can use it to block access from IP addresses you do not want, or to allow access only to specific port numbers. For example, suppose you run a large e-commerce site and receive a DoS attack from overseas. In that case you need to block the source IP address of the attack, and adding a DROP rule in iptables is one effective way to do it (against a distributed attack a rule per address does not scale, but the mechanism is the same). It is also used to control access by port number: instead of 80 or 443 you may want to expose a new web application on a unique port such as 8003, or close that port again when it is no longer needed.

Basic way to write iptables

First, check whether iptables is installed at all.

which iptables

The which command shows where the iptables command is stored. If this prints

/usr/sbin/iptables

then it is installed without any problem.

Note that /usr/sbin/iptables is the binary itself; what you open with vim is the saved rules file (on CentOS/RHEL with the iptables-services package that is /etc/sysconfig/iptables, which is where the iptables-save output shown later in this article comes from). Look at its contents.

*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]

I think it starts like this. The lines beginning with : set the default policy of each chain: INPUT is for packets arriving at the server, OUTPUT for packets it sends. INPUT DROP means that any incoming packet not matched by an explicit rule is silently discarded; ACCEPT means it is let through. The [0:0] are packet and byte counters and can be left as they are. So with only these lines and no rules, this server accepts no incoming connections at all, not even SSH. That is the intended starting point: keep the INPUT policy at DROP and add ACCEPT rules below it for exactly the traffic you want (loopback, already established connections, and the ports you serve), rather than switching the policy to ACCEPT. Put the ACCEPT rule for your SSH port in before you load a DROP policy on a remote server, or you will lock yourself out.
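As an added example (not part of the original post), the following POSIX shell script generates a complete rules file in the iptables-restore format shown above, keeping the INPUT policy at DROP and accepting only the listed ports, and then checks the file for the lockout case described above before it is loaded. The port numbers, the use of -m conntrack --ctstate (the current equivalent of the -m state --state match used later in this article) and the FORWARD DROP policy are my assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: build an iptables-restore file
# that keeps INPUT at DROP and accepts only what is listed, then check that
# loading it cannot lock out an SSH session. Ports are illustrative assumptions.

# render_ruleset SSH_PORT [PORT ...]  -> prints a complete *filter table
render_ruleset() {
    ssh_port="$1"
    shift
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'      # anything not ACCEPTed below is dropped
    printf '%s\n' ':FORWARD DROP [0:0]'    # assumption: this host does not route
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Rule order is evaluation order: cheap, high-volume matches go first.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    printf '%s\n' '-A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT'
    # SSH before everything else so a mistake further down cannot lock you out.
    printf '%s\n' "-A INPUT -p tcp -m tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT"
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp -m tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# lint_ruleset [SSH_PORT] < FILE  -> fails if the INPUT policy is DROP but no
# rule accepts the SSH port, i.e. loading the file remotely would lock you out.
lint_ruleset() {
    ssh_port="${1:-22}"
    rules=$(cat)
    policy=$(printf '%s\n' "$rules" | sed -n 's/^:INPUT \([A-Z]*\) .*/\1/p')
    if [ "$policy" = DROP ] && ! printf '%s\n' "$rules" | grep -Eq -- "--dport $ssh_port .*-j ACCEPT"; then
        echo "refusing: INPUT policy is DROP but no rule accepts tcp/$ssh_port" >&2
        return 1
    fi
    return 0
}
```

Usage: `render_ruleset 22 80 443 | lint_ruleset 22 && render_ruleset 22 80 443 > /etc/sysconfig/iptables`, followed by the service restart shown at the end of this article. lint_ruleset can also be pointed at an existing file (`lint_ruleset 22 < /etc/sysconfig/iptables`) before you restart.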

Control access to IP addresses and ports

To control access by IP address, the rule looks like this:

iptables -A INPUT -s 192.168.xxx.xxx/32 -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -j DROP

Ignore the other options for now and look only at the 192.168.xxx.xxx part: replace it with the address you want to keep out (-s means the source address, and /32 means exactly that one host). Two things to watch. First, -A appends the rule to the end of INPUT, so if an earlier rule already ACCEPTs port 22 this DROP is never reached; to block an address regardless of what follows, insert it at the top with -I INPUT 1 instead. Second, as written this rule only blocks new TCP connections to port 22 arriving on eth0; leave out the -i, -p, --state and --dport parts to block the address completely. To control access by port number:

-A INPUT -p tcp -m tcp --dport 8001 -j ACCEPT

This allows access to port 8001. If you change ACCEPT to DROP, the port is closed and cannot be reached (with the INPUT policy at DROP, simply deleting the ACCEPT rule with -D has the same effect). As an image of what accessing a specific port number looks like in a browser:

https://qiita.com:8001

It is like this. Qiita does not open port 8001, so of course this does not connect. But

https://qiita.com:443

works normally, because 443 is the default port for https and the browser uses it when no port is specified (and 80 for http). As a whole, the rules file from my environment looks like this:

# Generated by iptables-save v1.4.21 on Mon Jan 1 19:00:00 2019
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [37:2217]
-A INPUT -s 192.111.11.1/11 -p tcp -j ACCEPT
-A INPUT -s 58.111.11.111/11 -p tcp -m tcp --dport 29870 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10050 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8001 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8002 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8003 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8004 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8005 -j ACCEPT
COMMIT
# Completed on Mon Jan 1 19:00:00 2019

It is like this. A few things worth cleaning up in a file like this: the RELATED,ESTABLISHED rule appears twice, and one copy is enough; that rule and the -i lo rule are matched by almost every packet, so they belong at the top of the chain rather than in the middle; and a mask like /11 covers about two million addresses, so if you meant a single host use /32. If you have changed the rules file, restart the iptables service at the end:


service iptables restart

This reloads the rules from the file. Note that rules added on the command line with iptables -A or -I only live in memory; run service iptables save (or iptables-save > /etc/sysconfig/iptables) before the restart, or they will be lost. Thank you for your hard work.
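As an added example (not part of the original post), here is a small POSIX shell helper set for the two operations covered in this article, blocking a source address and opening or closing a port, written the way I would run them on a live server: the DROP is inserted at position 1 so it wins over any ACCEPT further down, each rule is checked with iptables -C before being added so running the script twice does not duplicate rules, and the result is saved so it survives a restart. The DRY_RUN switch, the rule_exists/block_ip/allow_port/close_port/persist names, the -m conntrack match and the sample addresses (from the 203.0.113.0/24 documentation range) are my assumptions; the save path is the CentOS/RHEL one used by service iptables.

```shell
#!/bin/sh
# Added example, not from the original post. DRY_RUN=1 prints the iptables
# commands instead of executing them, so the logic can be checked without root.
: "${DRY_RUN:=0}"
SAVE_FILE="${SAVE_FILE:-/etc/sysconfig/iptables}"   # assumption: CentOS/RHEL layout

ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# rule_exists CHAIN RULE... : true if an identical rule is already loaded.
# In dry-run mode nothing is loaded, so always report "not present".
rule_exists() {
    [ "$DRY_RUN" = 1 ] && return 1
    iptables -C "$@" 2>/dev/null
}

# block_ip ADDR[/PREFIX] : drop everything from a source address. Inserted at
# the top of INPUT; appending with -A would land it after the ACCEPT rules,
# where it would never be reached for an already-open port.
block_ip() {
    addr="$1"
    case "$addr" in */*) ;; *) addr="$addr/32" ;; esac   # bare host -> /32
    if rule_exists INPUT -s "$addr" -j DROP; then
        echo "already blocked: $addr" >&2
        return 0
    fi
    ipt -I INPUT 1 -s "$addr" -j DROP
}

# allow_port PORT [PROTO] : accept new connections to a port (default tcp).
allow_port() {
    port="$1"; proto="${2:-tcp}"
    if rule_exists INPUT -p "$proto" -m "$proto" --dport "$port" -m conntrack --ctstate NEW -j ACCEPT; then
        echo "already open: $proto/$port" >&2
        return 0
    fi
    ipt -A INPUT -p "$proto" -m "$proto" --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
}

# close_port PORT [PROTO] : remove the ACCEPT; with the INPUT policy at DROP
# that is all it takes to close the port again.
close_port() {
    port="$1"; proto="${2:-tcp}"
    ipt -D INPUT -p "$proto" -m "$proto" --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
}

# persist : rules added with -A/-I live only in memory until saved.
persist() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables-save > $SAVE_FILE"
        return 0
    fi
    iptables-save > "$SAVE_FILE"
}
```

Usage on the server, as root: source the file, then for example `block_ip 203.0.113.5; allow_port 8001; persist`. Check where the rules landed with `iptables -L INPUT -n -v --line-numbers`; the DROP should be line 1 and the new ACCEPT near the bottom. Run with `DRY_RUN=1` first to see exactly which commands would be issued.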
