iptables
GiFus, 2021-05-20 23:57:52

Opening a port for a specific ip?

I need help implementing something like a whitelist. Basically, I need to open a port only for a specific IP via iptables, TCP protocol. I've been scratching my head for two hours now on how to implement this correctly.


4 answer(s)
CityCat4, 2021-05-21
@CityCat4

Well, for example, this is how I allow ssh:

-A INPUT -p tcp --dport 22 -m set --match-set anynodes src -j ACCEPT
-A OUTPUT -p tcp --sport 22 -m set --match-set anynodes dst -j ACCEPT

where anynodes is a set defined in ipset like so:
create anynodes hash:net family inet hashsize 1024 maxelem 65536
add anynodes 10.7.1.0/24
add anynodes 10.7.3.0/24

And of course, the default policy is to drop everything:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

ky0, 2021-05-21
@ky0

1. Write a rule that allows access from the desired IP to the desired port.
2. Below it in the chain, add a rule that denies access to the port.
If you need to add / remove addresses often, you can create a separate chain that the traffic is sent to first, and add the addresses to that chain.

Vladimir Medvedev, 2021-05-21
@Vertenz

I advise you to first check all the rules that are set for the port: iptables -n -L -v --line-numbers | grep {port number} . Delete all the rules for this port if you have already made a bunch of them :) iptables -D INPUT {rule number}
This will allow access only to a specific IP: sudo iptables -A INPUT -p tcp --dport {port number} --source {ip} -j ACCEPT (remember that there is an internal network IP and an "external" one).
After that, close the port:
sudo iptables -A INPUT -p tcp --dport {port number} -j DROP
You can also use Match Address if it is for SSL.

unseriously, 2021-05-21
@unseriously

For example, we need to allow connection to port 22 from IP address 5.5.5.5:

iptables -A INPUT -s 5.5.5.5 -p tcp --dport 22 -j ACCEPT
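Putting ky0's and Vladimir Medvedev's answers together, here is an added example (not posted by anyone in the thread) that generates the rules for a dedicated whitelist chain: allowed sources first, a DROP at the end, and a single jump from INPUT for the port. The chain name PORT_WL and the addresses used are assumptions for illustration; it prints the commands by default and only applies them when DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example: per-port whitelist chain for iptables.
# Chain name and addresses are hypothetical, chosen for this illustration.
set -eu

CHAIN="PORT_WL"   # assumed chain name, not from the thread

# Print the iptables commands that restrict TCP port $1 to the source
# addresses given as the remaining arguments (IPs or CIDR ranges).
whitelist_rules() {
    port="$1"; shift
    if [ "$#" -eq 0 ]; then
        echo "whitelist_rules: at least one source address is required" >&2
        return 1
    fi
    # Create the chain if missing, then flush it so re-running the script
    # replaces the address list instead of appending duplicates.
    echo "iptables -N $CHAIN 2>/dev/null || true"
    echo "iptables -F $CHAIN"
    # Step 1 (ky0): one ACCEPT per allowed source.
    for src in "$@"; do
        echo "iptables -A $CHAIN -s $src -j ACCEPT"
    done
    # Step 2 (ky0): anything not matched above is dropped.
    echo "iptables -A $CHAIN -j DROP"
    # Send new traffic for the port to the chain; -C avoids adding the
    # INPUT jump twice, -I puts it before any broader ACCEPT rules.
    echo "iptables -C INPUT -p tcp --dport $port -j $CHAIN 2>/dev/null || iptables -I INPUT -p tcp --dport $port -j $CHAIN"
}

# Apply the rules (needs root). DRY_RUN=1 (the default) only prints them.
apply_whitelist() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        whitelist_rules "$@"
    else
        whitelist_rules "$@" | sh
    fi
}
```

Example call: `apply_whitelist 22 5.5.5.5 10.7.1.0/24` prints the rule set; check it with `iptables -n -L PORT_WL -v --line-numbers` after applying.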
